Flashgames.it is the best Italian free online games website; it hosts thousands of games and has something like a million registered users. Every day 180.000 people visit the site unaware that it could be used as an attack vector to steal their credentials.
The bug is located in the avatar setting. It could have been an LFI bug, but the owner put some filters in place to prevent that; nonetheless the function is still vulnerable to a stored XSS attack, because the image path is saved in the database. This allows a malicious user to manipulate the function and bypass the filter in order to inject his payload. In this way every user who views the attacker's profile is at risk.
If we check the source we can see the following code:
<a href="setta_avatar.php?imposta=02_5_11.gif"> <img style="margin: 5px;" alt="Setta questo avatar per il tuo profilo" src="../multiplayer/avatar/02_5_11.gif" border="0px"></a>
http://www.flashgames.it/account/setta_avatar.php?imposta="<a onmouseover=alert(/XSS/) !
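The following is an added illustration, not code from the post or from Flashgames.it, of why the filter on setta_avatar.php is not enough: the value of imposta is stored and later concatenated into the img tag on every page that shows the avatar, so it needs an allowlist check on the way in and HTML escaping on the way out. The avatar directory, the set of known avatar filenames, the default avatar name and the audit helper are assumptions made up for the example; the payload used in the checks is the one from the request above.

```python
import html
import re
from typing import Dict, List, Optional

# Assumption: the gallery is a fixed set of files under this directory
# (taken from the src attribute shown in the page source above).
AVATAR_DIR = "../multiplayer/avatar/"
# Constructed sample of the gallery; the real list would be read from disk or a table.
KNOWN_AVATARS = {"02_5_11.gif", "01_1_01.gif"}
DEFAULT_AVATAR = "default.gif"  # assumption: fallback when the stored value is invalid

# Strict shape for an avatar filename: digits and underscores, then one image extension.
# Anything else (quotes, angle brackets, slashes, "..") fails before reaching the DB.
AVATAR_RE = re.compile(r"^[0-9_]+\.(gif|png|jpg)$")


def render_avatar_vulnerable(imposta: str) -> str:
    """Mimics the flawed pattern: the stored parameter is concatenated into HTML as-is.
    A value containing a quote closes the src attribute and the rest is parsed as markup."""
    return '<img src="' + AVATAR_DIR + imposta + '" border="0px">'


def validate_avatar(imposta: str) -> Optional[str]:
    """Return the filename if it is well-formed AND one of the gallery files, else None.
    The second check also closes the LFI angle: a well-formed name that is not in the
    gallery (e.g. a file the attacker uploaded elsewhere) is rejected too."""
    if not AVATAR_RE.fullmatch(imposta):
        return None
    if imposta not in KNOWN_AVATARS:
        return None
    return imposta


def render_avatar_hardened(imposta: str) -> str:
    """Allowlist on input, HTML-escape on output. Escaping is kept even though the
    allowlist already excludes dangerous characters: defence in depth costs nothing here."""
    name = validate_avatar(imposta)
    if name is None:
        name = DEFAULT_AVATAR
    return '<img src="' + html.escape(AVATAR_DIR + name, quote=True) + '" border="0px">'


def audit_stored_avatars(rows: Dict[int, str]) -> List[int]:
    """Detection side: given {user_id: stored imposta value}, return the ids whose stored
    avatar would not pass validation. Useful for finding profiles already carrying a
    payload (for instance the top-10 high-score accounts) after the fix is deployed."""
    return sorted(uid for uid, value in rows.items() if validate_avatar(value) is None)


if __name__ == "__main__":
    # Constructed sample rows: one legitimate avatar, one carrying the payload from the post.
    sample_rows = {1: "02_5_11.gif", 2: '"<a onmouseover=alert(/XSS/)'}
    for uid, value in sample_rows.items():
        print(uid, "vulnerable:", render_avatar_vulnerable(value))
        print(uid, "hardened:  ", render_avatar_hardened(value))
    print("flagged user ids:", audit_stored_avatars(sample_rows))
```

Running the block shows the same stored value producing broken-out markup in the vulnerable renderer and the default avatar in the hardened one; the audit function gives a defender a quick way to list accounts whose stored avatar path is not a gallery file.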
If you navigate to the site and, after logging in, return to the homepage, it should appear like this:
As you can see in the red rectangle, the high-scores list contains the players' avatars, so we can presume that if our imaginary attacker could climb the high-score table and position himself among the first 10 players he could obtain all the users' data.