Public access to html code



YuukiRus
04-28-2014, 05:49 AM
Not a bug as much as really exploitable.
Everyone is capable of using html code to color their text. Enlarge it. Bold it.
It's becoming extremely annoying as I type this as everyone is now spamming colour codes.

Dropbear
04-28-2014, 05:54 AM
Confirmed, I can spam colors using HTML, probably can bold too. Could be used to imitate GMs, but won't have red name.

The usage is <color=555555>Test</color>, <b>Test</b>, etc. Should these be filtered?

ossuary
04-28-2014, 06:15 AM
You can do a lot worse than that with injection. I'm frankly amazed they released a client with html and other script-type interactions not filtered.

So how about those whitehat meetings and guidelines Will promised us way back in September? Better late than never? :)

mach
04-28-2014, 06:26 AM
> You can do a lot worse than that with injection. I'm frankly amazed they released a client with html and other script-type interactions not filtered.
>
> So how about those whitehat meetings and guidelines Will promised us way back in September? Better late than never? :)

Yup. This is pretty astounding. The servers need to go down immediately and stay down until they fix this or at least make sure the really bad stuff isn't possible.

ossuary
04-28-2014, 06:35 AM
You can get a line break, and you can access onclick events... I'd say it's pretty frickin' bad. :p

dwebber88
04-28-2014, 07:49 AM
Yeah, I didn't wanna post this on the forums, so people would not try and exploit it. But now it is, it has to be fixed asap!

Has been like this since alpha.

mach
04-28-2014, 02:54 PM
> Yeah, I didn't wanna post this on the forums, so people would not try and exploit it. But now it is, it has to be fixed asap!
>
> Has been like this since alpha.

Did you report it to them then? If you did, and they just ignored it...

It's possible that there's something preventing the really bad stuff and that this isn't that big of a deal...but it's also possible that people's accounts are compromised already. To be safe, people should change their passwords and not log into the client until this is fixed.

This is a good test of their systems for responding to security issues.

DionyzRex
04-28-2014, 03:09 PM
Just FYI, there is no cause for concern here.

Players were able to use the encoding to break formatting and, in the worst cases, stop chat from streaming entirely.

However, this was limited to the chat server. There is no possible way we are aware of that anyone could have used this bug to access server information.

The bug is already fixed internally and will be patched to Beta soon.

ossuary
04-28-2014, 03:18 PM
Hey Rex, just FYI, while the source may have been the chat server, and your internal machines are segregated so that messing with that one can't let anyone get to the other servers, the users' local machines would still be accessible. There's some pretty nasty stuff you can do with injection and scripts, if you know what you're doing (I will for obvious reasons not post any of it here).

I verified in client that you can get access to onclick events, and also some script commands, which ARE exploitable. So I'm glad to hear you'll be patching that out very soon! Now... how about those whitehat meetings? :)

mach
04-28-2014, 03:24 PM
> Hey Rex, just FYI, while the source may have been the chat server, and your internal machines are segregated so that messing with that one can't let anyone get to the other servers, the users' local machines would still be accessible. There's some pretty nasty stuff you can do with injection and scripts, if you know what you're doing (I will for obvious reasons not post any of it here).

Yup. Plus there's also potential for social-engineering type attacks - people impersonating GMs and possibly client prompts. I also won't go into any more details but will just say that you should be suspicious of unexpected requests for your password or other information.

dwebber88
04-29-2014, 10:22 AM
> Yup. Plus there's also potential for social-engineering type attacks - people impersonating GMs and possibly client prompts. I also won't go into any more details but will just say that you should be suspicious of unexpected requests for your password or other information.

Not sure if it is related to this, but I've seen people in chat getting strange emails already.
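
Added example, not part of the thread and not the game's actual fix: one way a chat server could filter the tags Dropbear lists (`<color=555555>`, `<b>`) while neutralising everything else, including tags that carry attributes such as the onclick events and the line breaks ossuary mentions. Assumptions: the client can display `&lt;` as a literal `<`, and the function names, the nesting limit and the sample messages are made up for illustration.

```python
import re

# Allow-list: only the two tag shapes quoted in the thread, with no attributes.
ALLOWED_OPEN = re.compile(r"<(b|color=[0-9A-Fa-f]{6})>")
ALLOWED_CLOSE = re.compile(r"</(b|color)>")
TOKEN = re.compile(r"<[^<>]*>")          # anything that looks like a tag
CONTROL = re.compile(r"[\x00-\x1f\x7f\u2028\u2029]+")
MAX_DEPTH = 4                            # assumed nesting limit

def escape_text(s):
    # Assumption: the renderer shows these entities as literal characters.
    return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")

def sanitize_chat(message, allow_formatting=True):
    # Collapse line breaks and control characters: one message, one line.
    message = CONTROL.sub(" ", message)
    out, stack, pos = [], [], 0
    for m in TOKEN.finditer(message):
        out.append(escape_text(message[pos:m.start()]))
        pos = m.end()
        tag = m.group(0)
        opened = ALLOWED_OPEN.fullmatch(tag)
        closed = ALLOWED_CLOSE.fullmatch(tag)
        if allow_formatting and opened and len(stack) < MAX_DEPTH:
            stack.append(opened.group(1).split("=")[0])
            out.append(tag)
        elif allow_formatting and closed and stack and stack[-1] == closed.group(1):
            stack.pop()
            out.append(tag)
        else:
            # Unknown tag, tag with attributes, or unbalanced close: show as text.
            out.append(escape_text(tag))
    out.append(escape_text(message[pos:]))
    # Close anything left open so formatting cannot bleed into later lines.
    while stack:
        out.append("</%s>" % stack.pop())
    return "".join(out)

if __name__ == "__main__":
    # Constructed sample messages.
    for sample in ["<color=555555>Test</color>", "<b>unclosed",
                   '<b onclick="x">hi</b>', "line one\nline two", "1 < 2"]:
        print(repr(sample), "->", repr(sanitize_chat(sample)))
```

Passing `allow_formatting=False` escapes every tag, which is the simpler choice if player-controlled colours and bold text are not wanted at all.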