Bug report: Security hole!
8 posts
• Page 1 of 1
Oops... the *Cli's have found a rather embarrassing security hole.
-
roncli
- Posts: 1106
- Joined: Sun Mar 22, 2015 5:05 pm
- Location: Belmont, CA
Only embarrassing for he which exploits said security hole
-
Mark392
- Posts: 728
- Joined: Mon Sep 09, 2013 2:41 pm
Yeah, put it back the way you found it.
Drak, apparently we need to protect ourselves from....ourselves.
-
Jediluke
- Posts: 1879
- Joined: Fri Aug 30, 2013 10:00 pm
Um . . . that *is* a big security hole.
I have patched it.
I also searched the database for evidence that it had been exploited in more serious ways in the past -- I didn't find any evidence that it had been, and the ability to delete comments (and thus erase that evidence) is a recent addition. It's likely that Roncli was the first to find this.
The most serious likely consequences I can think of for the attack are that someone could use it to steal the DCL session credentials of anyone who viewed the page, and access their account until they logged out and back in. Theoretically, anyone with Roncli's skills could have done that and then deleted the comment revealing the attack. I don't think anyone here had the capability and the intent, but I have expired all sessions just to be on the safe side. You'll need to log in again.
Theoretically, it could be a lot worse than that. Together with a vulnerability in another site, this class of attack can allow cross-site monkey business (i.e., accessing your bank), or together with a vulnerability in a browser, it can be used to load malware. I'm pretty sure no such attack was made, but this sort of thing is kind of a big deal.
Yeah . . . my bad. Thought I'd been rigorous about avoiding that vulnerability. Apparently not.
I do feel the need to point out that posting publicly about it gives everyone seven hours to make a serious attack before I see the message and remove that opportunity. Strictly speaking, proper procedure is to report this sort of thing privately.
But we're all friends here, and you *do* need to be registered on the ladder to *make* the attack . . . so I doubt it was a problem. And I appreciate the prompt report. And I deserve some egg on my face for this one, anyway. In security terms, this is a definite pwn.
Thank you! Glad it was you that found it!
-
Drakona
- Site Admin
- Posts: 1494
- Joined: Fri Aug 30, 2013 5:35 pm
hahahaha
Yeah, this is a pretty common class of "injection" vulnerability, but given this is a no-budget website with limited stakes, it's not an inexcusable oversight. As long as it gets fixed, anyway.
-
Sirius
- Posts: 489
- Joined: Wed Dec 31, 2014 2:09 am
- Location: Bellevue, WA
That's true, I should've just sent it to you privately. My bad for that!
Note that the vulnerability I posted was client-side in nature. Nothing was changed in the database, nor could have anyone else with this vulnerability. The code I posted simply overwrote the score field with a string. Script tags can do way more harm than just that, but typically only to people browsing the page.
It was definitely something to patch because, while you do need to login to post comments, obtaining an account is easy enough. I've seen real small sites such as this get attacked before, so I am glad it was found and patched quickly!
My wife was all like, "I hope you don't end up getting banned!" >_> I think next time I'll be a little more discreet with my reports. Although things look to be patched up pretty good now.
-
roncli
- Posts: 1106
- Joined: Sun Mar 22, 2015 5:05 pm
- Location: Belmont, CA
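The thread describes a stored script-injection bug in the ladder's comment field (markup in a comment ran in the browser of anyone who viewed the page) and the fix that stops the script from running. As an added example, not code from the ladder site or from anyone in this thread, the block below shows the defensive pattern involved: encoding user-supplied comment text before it is placed into HTML, so that markup is displayed literally rather than interpreted, plus a conservative scan of stored comments of the kind an admin might run when auditing a database after such a report. The comment record shape, the function names and the sample comments are all assumptions constructed for this example.

```javascript
// Added example (not the ladder site's own code). Assumes a comment record of
// the shape { id, author, body }; the real site's schema is not on the page.

// Characters that have meaning in HTML text and attribute contexts, mapped to
// the entity that renders them literally.
const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Output-encode a string so a browser displays it as text instead of parsing it
// as markup. Always escape '&' too, otherwise a stored "&lt;" would be
// double-decoded into a real "<".
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ENTITIES[ch]);
}

// Build the HTML for one comment. Every user-controlled field passes through
// escapeHtml at the point where it is inserted into the page.
function renderCommentHtml(comment) {
  return `<div class="comment"><span class="author">${escapeHtml(comment.author)}</span>: ` +
         `<span class="body">${escapeHtml(comment.body)}</span></div>`;
}

// Conservative heuristic for an after-the-fact audit: flag stored comment bodies
// that contain tags, a javascript: URL, or an inline event-handler attribute.
// It is deliberately broad; a human reviews the flagged rows.
function looksLikeMarkup(body) {
  return /<\s*\/?\s*[a-z][^>]*>/i.test(body) ||
         /javascript\s*:/i.test(body) ||
         /\bon[a-z]+\s*=/i.test(body);
}

// Return the ids of comments that deserve a look.
function auditComments(comments) {
  return comments.filter((c) => looksLikeMarkup(c.body)).map((c) => c.id);
}

// Constructed sample data standing in for rows read from a comments table.
const SAMPLE_COMMENTS = [
  { id: 1, author: 'alice', body: 'Good game, rematch tomorrow?' },
  { id: 2, author: 'mallory', body: 'nice <script>document.title = "x"</script> score' },
  { id: 3, author: 'bob', body: 'He said "gg" & left' },
];

// Usage: render each sample comment and list the ones the audit flags.
for (const c of SAMPLE_COMMENTS) {
  console.log(renderCommentHtml(c));
}
console.log('flagged comment ids:', auditComments(SAMPLE_COMMENTS));
```

Encoding at output time is the durable fix: it protects every comment already in the database, whereas filtering on input only protects rows written after the filter was deployed. The audit function is only a triage aid for the kind of "was this used before?" search described in the thread and is not a substitute for the encoding.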
Oh, also, there's nothing to put back... When this got fixed, the script no longer ran, so the score remains unchanged from the database.
-
roncli
- Posts: 1106
- Joined: Sun Mar 22, 2015 5:05 pm
- Location: Belmont, CA