XSS Security Vulnerability #27
Comments
|
Just for the record, and not to detract from the significance of this vulnerability: this is a reflected JS vulnerability in that the malicious game data are uploaded to the server and then re-sent to the browser. |
|
Are you sure that "reflected" is the correct terminology? It seems that "reflected" applies specifically to "non-persistent" attacks that originate from malicious payload that is somehow placed in the victim's request. I believe this security vulnerability should be categorized as "persistent" or "stored", since an attacker can upload a malicious SGF file to eidogo.com which will then threaten any victim that later visits the particular page for that file. On various forums using eidogo as an embedded SGF viewer, an attacker can upload a malicious SGF file that will then threaten any victim that later visits that particular forum post. http://excess-xss.com/#xss-attacks |
|
Sorry; you are correct. It is reflected in that it goes to the server and back again, but the fact that it is stored and can be retrieved by anyone, later, makes it stored. |
|
@Developers: ping? Is this project still alive? Are you searching for new maintainers? |
|
Unfortunately, this project appears to be abandoned. The last I heard from the developer was via an email on May 5, 2015, which simply stated
in response to my offer to help resolve the bug. The only other communication I have had from the developer was an earlier email on April 13, 2015 in response to my initial disclosure:
The code is quite stale and neglected. Note that:
|
|
Am I mistaken or was CVE-2015-3172 not published yet, even though its content is pretty much here (and in public)? It would make sense to keep the information consistent there. And thank you for your discovery and disclosure! |
|
@nerai good point. I forgot to follow up on that, but I just now sent an email to the CVE ID assignment body with a link to this public disclosure. |
and others
EidoGo is susceptible to Cross-Site Scripting (XSS) attacks via maliciously crafted SGF input.
There are actually two separate XSS vulnerabilities:
Here are examples exploiting each vulnerability:
http://eidogo.com/#xqRLkZhw
http://eidogo.com/#AKilSuG4
A patch attempting to mitigate these security vulnerabilities was submitted in this pull request:
#26
See this pull request for more discussion of the changes.
Note that the pull request does not include an updated minified file. However, a minified file incorporating this patch has been prepared by the OGS developers and is available here:
http://cdn.online-go.com/eidogo.min.js
Compare with:
https://raw.githubusercontent.com/jkk/eidogo/master/player/js/all.compressed.js
The identifier "CVE-2015-3172" has been assigned to refer to this issue.
Disclosure timeline:
April 7, 2015: Privately notified developer of security vulnerability
April 13: Developer acknowledged notification
May 12: Pull request submitted (as requested by developer)
May 14: Webmasters of several affected sites notified in advance
June 14: Public disclosure (having not heard back from developer since before the pull request)
The text was updated successfully, but these errors were encountered: