Akust0m Posted June 17, 2007

I've heard of people talking about an exploit in the MC Codes mailbox.php. Does anyone know about this? If you have any information on this, please PM me and explain it to me or maybe post a fix.

krownx Posted June 21, 2007
Re: MC Code Mailbox Exploit?

I know of the mailbox bug for v1. Deadlytown went down because someone used XSS on the game through the mailbox system. I don't know about the patches and such that have come out since I got my version, but if it's the same as before, it's an easy fix.

stryker Posted June 22, 2007

You can block such exploits in your htaccess file.

hamster01 Posted June 22, 2007

You do know what XSS is, right? I could give you an example, if you'd like. I don't really think it is an XSS exploit. Maybe SQL injection. Do the common things to block it, addslashes, etc.

> you can block such exploits in your htaccess file

Akust0m Posted June 22, 2007

Do you guys think you could be a bit more specific? Maybe give a direct fix rather than using such terminology a beginning coder would find difficult to grasp.

hamster01 Posted June 22, 2007

Well, Google it. You should get some results.

krownx Posted June 23, 2007

The exploit I fixed only took a couple of quick and easy lines of code... and I haven't had any more problems from that end.

$$ ?????? $$ Posted July 2, 2007

Yh, that's true, it's quite easy to fix really.

awakenedlands.com Posted July 18, 2007

Normally when there is an exploit, it's polite to post the fix so those who have no idea what the vulnerability is can see what the issue is.

Aqua Posted July 18, 2007

What is it?

Cross site scripting (also known as XSS) occurs when a web application gathers malicious data from a user. The data is usually gathered in the form of a hyperlink which contains malicious content within it. The user will most likely click on this link from another website, instant message, or simply just reading a web board or email message. Usually the attacker will encode the malicious portion of the link to the site in HEX (or other encoding methods) so the request is less suspicious looking to the user when clicked on. After the data is collected by the web application, it creates an output page for the user containing the malicious data that was originally sent to it, but in a manner to make it appear as valid content from the website.

Many popular guestbook and forum programs allow users to submit posts with HTML and JavaScript embedded in them. If for example I was logged in as "john" and read a message by "joe" that contained malicious JavaScript in it, then it may be possible for "joe" to hijack my session just by reading his bulletin board post. Further details on how attacks like this are accomplished via "cookie theft" are explained in detail below.

What are the threats?

Well, often attackers will inject JavaScript, VBScript, ActiveX, HTML, or Flash into a vulnerable application to fool a user in order to gather data from them. Everything from account hijacking, changing of user settings, cookie theft/poisoning, or false advertising is possible. New malicious uses are being found every day for XSS attacks.

To protect yourself as an owner, never trust user input and always filter metacharacters. This will eliminate the majority of XSS attacks. Converting < and > to &lt; and &gt; is also suggested when it comes to script output. Remember XSS holes can be damaging and costly to your game if abused.
Often attackers will disclose these holes to the public, which can erode customer and public confidence in the security and privacy of your organization's site. Filtering < and > alone will not solve all cross site scripting attacks and it is suggested you also attempt to filter out ( and ) by translating them to &#40; and &#41;, and also # and & by translating them to &#35; (#) and &#38; (&).

By not fixing an XSS hole this could allow possible user account compromise in portions of your site as they get added or updated. Cross Site Scripting has been found in various large sites recently and has been widely publicized. Left unrepaired, someone may discover it and publish a warning about your game or site. This may damage your company's reputation, depicting it as being lax on security matters. This of course also sends the message to your clients that you aren't dealing with every problem that arises, which turns into a trust issue. If your client doesn't trust you, why would they wish to buy dp's and carry on playing?

NOTE: Many large sites have these holes in them, so it may take some time to fix it; also this is a good thing, you will learn from it. Websites from FBI.gov, CNN.com, Time.com, Ebay, Yahoo, Apple computer, Microsoft, Zdnet, Wired, and Newsbytes have all had one form or another of XSS bugs, even phpnuke... I wish you luck fixing this problem but most importantly you have to understand how it is executed.

So, execution: the more well-known computer viruses are designed to punch through security firewalls — software that monitors network and Internet traffic and restricts access to data. Cross-site scripting works by embedding malicious code on Web pages with tiny "scripting" programs that make sites more interactive. An unsuspecting Web site visitor then activates the hacker's program by using the corrupted scripting program. Hand out your crafted url or use email or other related software to help launch it.
Make sure that if you provide the URL to the user (through email, aim, or other means) that you at least HEX encode it. The code is obviously suspicious looking but a bunch of hex characters may fool a few people. In my example I only forward the user to cookie.cgi. An attacker with more time could do a few redirects and XSS combos to steal the user's cookie, and return them to the website without noticing the cookie theft. Some email programs may execute the Javascript upon the opening of a message or if the Javascript is contained in a message attachment. Larger sites like Hotmail do allow Javascript inside attachments but they do special filtering to prevent cookie theft.

~Legend-Killer
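
The two fixes suggested in this thread, addslashes and translating metacharacters to HTML entities, compared in PHP as an added example; it is not MC Codes code and not from any poster. The function names (`h`, `encode_listed`, `render_mail_row`) and the sample message are hypothetical and constructed for illustration.

```php
<?php
// Added example; every name here is hypothetical and none of it is MC Codes source.

// Encode for HTML text and quoted-attribute contexts: & < > " '
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// The character list from the post above: < > ( ) # &
function encode_listed(string $value): string
{
    // strtr() with an array works in one pass over the input, so the '&' and
    // '#' it writes as part of an entity are not encoded a second time, which
    // is what chained str_replace() calls would do.
    return strtr($value, [
        '&' => '&#38;', '#' => '&#35;',
        '<' => '&lt;',  '>' => '&gt;',
        '(' => '&#40;', ')' => '&#41;',
    ]);
}

// Build one row of a mailbox listing with every stored field encoded on output.
function render_mail_row(array $mail): string
{
    return '<tr><td>' . h($mail['from']) . '</td>'
         . '<td title="' . h($mail['subject']) . '">' . h($mail['subject']) . '</td>'
         . '<td>' . nl2br(h($mail['body'])) . '</td></tr>';
}

// Constructed sample message, as it might be read back from storage.
$mail = [
    'from'    => 'joe',
    'subject' => 'hi "john" & co',
    'body'    => "first line\n<script>alert(1)</script>",
];

// addslashes() escapes quotes, backslashes and NUL for string literals;
// it leaves < and > alone, so it is not an XSS control.
var_dump(strpos(addslashes($mail['body']), '<script>') !== false);

// After output encoding, no raw tag from the message survives in the page.
$html = render_mail_row($mail);
var_dump(strpos($html, '<script>') === false);

echo encode_listed($mail['body']), PHP_EOL;
echo $html, PHP_EOL;
```

The character list in the post omits quotes, which matter when a value is written inside an HTML attribute; `htmlspecialchars` with `ENT_QUOTES` covers them.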