Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Security issue: Possible exploit from use of line break in channel message

See original GitHub issue

Brief summary of issue / Description of requested feature:

A user privately forwarded this possible exploit example. It is due to the channel message accepting line breaks in the web client.

Steps to reproduce the issue / Reasons for adding feature:

In the web client:

public Hello!\n[Public] Griatch: Evennia is being re-written using Java.

The output will be

[Public] pruman: Hello!
[Public] Griatch: Evennia is being re-written using Java.

… which can be confusing,

Error output / Expected result of feature

We’d need to discuss how to handle this one. Using line breaks is a useful feature for a more advanced formatting of messages, but this kind of look-alike messaging could indeed be exploited, especially since colors are also possible to use in a channel message.

Extra information, such as Evennia revision/repo/branch, operating system and ideas for how to solve / implement:

The HTML converter will map line break to <br>, which causes this effect:

 return text.replace(r'\n', r'<br>')

This ties to other issues with how we handle the web client parsing - such as when we should pass through raw html or not.

<bountysource-plugin>

Want to back this issue? Post a bounty on it! We accept bounties via Bountysource. </bountysource-plugin>

Issue Analytics

State:
Created 5 years ago
Comments:8 (8 by maintainers)

Top GitHub Comments

1reaction

Griatchcommented, Oct 9, 2021

In develop branch I have now implemented a variation that resolves this for the given example. I didn’t want to limit input in the general sense for all commands but instead I introduced a utility function that does the stripping of input while also offering a setting for ignoring inputs from privileged users. This way, that helper can be applied on commands where an exploit is needed, but not get rid of e.g. |/ inputs globally (this can be useful and safe for certain commands after all)

So this solution is a sort of mix between @trhr’s solution and a per-command sanitization helper.

You can test it by trying the example in the original issue (using |/ instead of \n) as Builder or -not.

0reactions

trhrcommented, Apr 6, 2020

This is related to issue where MXP is able to distribute arbitrarily executable code in clickable links.

Top Results From Across the Web

Known Exploited Vulnerabilities Catalog | CISA

A vulnerability in the web interface of the Cisco Adaptive Security Appliance (ASA) could allow an unauthenticated, remote attacker to cause an affected...

10 Common Web Security Vulnerabilities - Toptal

Don't suffer through a security breach—take action before any problems arise. Master these 10 common web security vulnerabilities now.

CRLF Injection | Learn AppSec - Invicti

CRLF injection is a vulnerability that lets a malicious hacker inject carriage return (CR) and linefeed (LF) characters to change the way a...

KRACK Attacks: Breaking WPA2

This website presents the Key Reinstallation Attack (KRACK). It breaks the WPA2 protocol by forcing nonce reuse in encryption algorithms used by Wi-Fi....

FragAttacks: Security flaws in all Wi-Fi devices

An adversary can exploit this by sending an aggregated frame whose starts resembles a handshake message and whose second subframe contains the ...