Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
Security issue: XSS in web client
See original GitHub issueBrief summary of issue / Description of requested feature:
I received another communication from a user concerning a possible webclient exploit:
OK, potentially more seriously I just managed to XSS the web client. This one’s in the MXP url substitution and is an interactive XSS, so of a lower risk than anything non-interactive:
tell me=|lcsay My cookies are: \"+document.cookie])//|ltClick Here for Prizes!|leThis could be sent to any other player, and clicking the link will execute arbitrary JavaScript.
XSS could then be used to hijack the admin session via the admin interface, etc.
Steps to reproduce the issue / Reasons for adding feature:
See above.
Error output / Expected result of feature
The MXP parser component of the HTML should be expanded to filter out things like this.
Extra information, such as Evennia revision/repo/branch, operating system and ideas for how to solve / implement:
<bountysource-plugin>Want to back this issue? Post a bounty on it! We accept bounties via Bountysource. </bountysource-plugin>
Issue Analytics
- State:
- Created 5 years ago
- Comments:10 (9 by maintainers)
Top Results From Across the Web
Top Related Medium Post
Top Related StackOverflow Question
Troubleshoot Live Code
Top Related Reddit Thread
Top Related Hackernoon Post
Top Related Tweet
Top Related Dev.to Post
Top Related Hashnode Post
Thinking about this more, I think the way I’ll resolve this and get the best of both worlds is to default to only outgoing MXP being allowed - that is, you can create MXP in code (such as clickable links in menus) but anyone cannot add MXP from the game. It could be a default setting. People wanting the full MXP experience then need to activate this explicitly and will have to accept the risks.
Since the Server and the Webclient are both under the control of the same administrators, we can’t guard against malicious game servers (bad actors can always modify their game code to do evil). The case we really need to guard against is “random evil player” sending malicious payloads to other innocent players. This is essentially an extension of the reasoning/design behind inlinefuncs(). We need a way to force separate the code being executed on the webclient from whatever input the player actually sent. Currently, the MXP code creates <a id=‘mxplink’ href=“#” onClick=“do stuff evil stuff here”> We need to change that to onClick=“only do approved client-side func() here with possibly evil data”
As an aside, that id=“mxplink” should probably be turned into a class=“” instead, just to avoid weirdness id-uniqueness.