Jump to content
MakeWebGames

MC Code Mailbox Exploit?


Akust0m

Recommended Posts

Re: MC Code Mailbox Exploit?

I know of the mailbox bug for v1. Deadlytown went down because someone used XSS the game through the mailbox system. I dont know about the patches and such that have come out since I got my version but if its the same as before, its an easy fix

Link to comment
Share on other sites

Re: MC Code Mailbox Exploit?

You do know what XSS is right?

I could give you an example, if you'd like.

I don't really think it is an XSS exploit.

Maybe SQL Injection.

Do the common things to block it, addslashes, etc.

 

you can block such exploits in your htaccess file

Link to comment
Share on other sites

  • 2 weeks later...
  • 3 weeks later...

Re: MC Code Mailbox Exploit?

What is it? Cross site scripting (also known as XSS) occurs when a web application gathers malicious data from a user. The data is usually gathered in the form of a hyperlink which contains malicious content within it. The user will most likely click on this link from another website, instant message, or simply just reading a web board or email message. Usually the attacker will encode the malicious portion of the link to the site in HEX (or other encoding methods) so the request is less suspicious looking to the user when clicked on. After the data is collected by the web application, it creates an output page for the user containing the malicious data that was originally sent to it, but in a manner to make it appear as valid content from the website. Many popular guestbook and forum programs allow users to submit posts with html and javascript embedded in them. If for example I was logged in as "john" and read a message by "joe" that contained malicious javascript in it, then it may be possible for "joe" to hijack my session just by reading his bulletin board post. Further details on how attacks like this are accomplished via "cookie theft" are explained in detail below.

What are the threats?Well Often attackers will inject JavaScript, VBScript, ActiveX, HTML, or Flash into a vulnerable application to fool a user in order to gather data from them. Everything from account hijacking, changing of user .settings, cookie theft/poisoning, or false advertising is possible. New malicious uses are being found every day for XSS attacks.

To Protect yourself as a owner, never trust user input and always filter metacharacters. This will eliminate the majority of XSS attacks. Converting < and > to < and > is also suggested when it comes to script output. Remember XSS holes can be damaging and costly to your game if abused. Often attackers will disclose these holes to the public, which can erode customer and public confidence in the security and privacy of your organization's site. Filtering < and > alone will not solve all cross site scripting attacks and it is suggested you also attempt to filter out ( and ) by translating them to ( and ), and also # and & by translating them to # (#) and & (&).

By not fixing an XSS hole this could allow possible user account compromise in portions of your site as they get added or updated. Cross Site Scripting has been found in various large sites recently and have been widely publicized. Left unrepaired, someone may discover it and publish a warning about your game or site. This may damage your company's reputation, depicting it as being lax on security matters. This of course also sends the message to your clients that you aren't dealing with every problem that arises, which turns into a trust issue. If your client doesn't trust you why would they wish to buy dp's and carry on playing.

 

NOTE:Many large sites got these holes in it, so may take some time to fix it, also this is a good thing you will learn from it. Websites from FBI.gov, CNN.com, Time.com, Ebay, Yahoo, Apple computer, Microsoft, Zdnet, Wired, and Newsbytes have all had one form or another of XSS bugs, even phpnuke...

I wish you luck fixing this problem but most importanly you have to understand how it is executed.

So Execution, the more well-known computer viruses are designed to punch through security firewalls — software that monitors network and Internet traffic and restricts access to data. Cross-site scripting works by embedding malicious code on Web pages with tiny "scripting" programs that make sites more interactive. An unsuspecting Web site visitor then activates the hacker's program by using the corrupted scripting program. Hand out your crafted url or use email or other related software to help launch it. Make sure that if you provide the URL to the user(through email, aim, or other means) that you at least HEX encode it. The code is obviously suspicious looking but a bunch of hex characters may fool a few people. In my example I only forward the user to cookie.cgi. A attacker with more time could do a few redirects and XSS combo's to steal the user's cookie, and return them to the website without noticing the cookie theft.

Some email programs may execute the Javascript upon the opening of a message or if the Javascript is contained in a message attachment. Larger sites like Hotmail do allow Javascript inside attachments but they do special filtering to prevent cookie theft.

~Legend-Killer

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...