Life In 19x19 http://www.lifein19x19.com/ |
|
EidoGo Security Vulnerability Alert http://www.lifein19x19.com/viewtopic.php?f=9&t=11940 |
Page 2 of 3 |
Author: | hyperpape [ Tue Apr 05, 2016 4:10 pm ] |
Post subject: | Re: EidoGo Security Vulnerability Alert |
Does anyone have a way of communicating with sybob? I hope someone can inform him that his leaving the forum was a bit...premature.

While saying that this absolutely should be patched, and the patch needs to be made upstream as well, let me try and put the problem in perspective (I am a developer, but not a security guy, so if anyone can improve on what I say, go ahead...)

It's true that there are ways out of the browser's sandbox that can be triggered using JavaScript; there may also be ways out using simple images. So forget L19, don't browse any website that lets users upload images. But in any case, browser sandboxes are getting quite good, to the extent that exploits using them are sold on the black market for lots of money. And these exploits are being patched quite quickly these days, if you're not stuck on an ancient version of IE. There are almost certainly such vulnerabilities being exploited today, but it's not the days when any old idiot could find vulnerabilities posted on the web.

Second, JavaScript injection is not a rare vulnerability. I think things are getting better, but there are surely other sites you visit that are vulnerable. If you're worried by the Eidogo injection enough to not visit this website, you should turn off JavaScript entirely for your browser, or use an extension like NoScript that lets you selectively whitelist sites (I believe the good Robert Jasiek does the former). Advertising networks, for instance, are essentially mass-market JavaScript injectors, and they are routinely compromised and used to deliver exploits. |
Author: | Kirby [ Tue Apr 05, 2016 5:06 pm ] |
Post subject: | Re: EidoGo Security Vulnerability Alert |
Why don't we just apply the patch on L19? It looks like they made a fix, right? Does somebody want me to do this? |
Author: | DrStraw [ Tue Apr 05, 2016 5:17 pm ] |
Post subject: | Re: EidoGo Security Vulnerability Alert |
Kirby wrote: Why don't we just apply the patch on L19? It looks like they made a fix, right? Does somebody want me to do this?

That seems like a silly question. If you can do it, why has it not been done already? |
Author: | Kirby [ Tue Apr 05, 2016 6:31 pm ] |
Post subject: | Re: EidoGo Security Vulnerability Alert |
Because I was at work. Also, today, Bonobo flagged this thread, so it's the first time I paid much attention to it. I will take a look tonight. Playing hide and seek with the kids at the moment, and they haven't found me, yet. |
Author: | Kirby [ Tue Apr 05, 2016 6:32 pm ] |
Post subject: | Re: EidoGo Security Vulnerability Alert |
Also, kind of hoping for a discussion since it seems there are multiple solutions here (apply their fix, use a different app as Bonobo suggested, etc.). |
Author: | DrStraw [ Tue Apr 05, 2016 6:33 pm ] |
Post subject: | Re: EidoGo Security Vulnerability Alert |
Well, I meant why was it not done when this was first raised a while back. But it doesn't matter as long as it gets done. |
Author: | hyperpape [ Tue Apr 05, 2016 7:00 pm ] |
Post subject: | Re: EidoGo Security Vulnerability Alert |
I'd say patch eidogo, if the patch looks sane. |
Author: | Kirby [ Tue Apr 05, 2016 7:49 pm ] |
Post subject: | Re: EidoGo Security Vulnerability Alert |
DrStraw wrote: Well, I meant why was it not done when this was first raised a while back. But it doesn't matter as long as it gets done.

I dunno. I vaguely seem to recall this being discussed, but I was probably busy at the time. These days, it'll take me a couple of hours to even write a post that's a couple of sentences long (write a little bit - go back to doing something back at work - go to a meeting - come back to the post, etc.). I wasn't intentionally ignoring it, but when Bonobo flagged the post, I read it more carefully. Anyway, I'll go ahead and update it now. I'll post again when it's done. |
Author: | DrStraw [ Tue Apr 05, 2016 8:00 pm ] |
Post subject: | Re: EidoGo Security Vulnerability Alert |
Kirby wrote: DrStraw wrote: Well, I meant why was it not done when this was first raised a while back. But it doesn't matter as long as it gets done. I dunno. I vaguely seem to recall this being discussed, but I was probably busy at the time. These days, it'll take me a couple of hours to even write a post that's a couple of sentences long (write a little bit - go back to doing something back at work - go to a meeting - come back to the post, etc.). I wasn't intentionally ignoring it, but when Bonobo flagged the post, I read it more carefully. Anyway, I'll go ahead and update it now. I'll post again when it's done.

Are you the only one able to do it? If so, it seems that we are short on manpower. |
Author: | Kirby [ Tue Apr 05, 2016 8:10 pm ] |
Post subject: | Re: EidoGo Security Vulnerability Alert |
DrStraw wrote: Are you the only one able to do it?

Other people can do it, too. Looking back at this thread, though, probably some of the other admins thought that there was no problem - Uberdude posted an example where it appeared to be fixed. But thanks to YeGO, he showed us that the problem really wasn't fixed. He showed us that today. And I believe that I fixed it now. I'm double checking some other posts that use EidoGo. If it's really not fixed, let me know, and I'll respond to it promptly.

---

Edit: From what I can tell so far, the security issue is fixed. However, we automatically convert URLs to hyperlinks in posts. And since the EidoGo player no longer allows HTML, you see the verbose URL, with the automatically converted text. For example:

Code:
The KGS Go Server at <!-- m --><a class="postlink" href="http://www.gokgs.com/">http://www.gokgs.com/</a><!-- m -->

I'll see about fixing this bit. |
Author: | Kirby [ Tue Apr 05, 2016 11:31 pm ] |
Post subject: | Re: EidoGo Security Vulnerability Alert |
Okay, fixed the URLs. AFAIK, the security vulnerability is addressed, and the URLs still show up properly when you have a URL location. I believe the behavior is the same as before for all eidogo options on the site (sgf, sgf-problem, sgf-small tags, etc.). I've tested this out a little bit, and haven't found anything unusual. If anybody finds any other bugs in the player, let me know, and I will try to fix it. |
Author: | uPWarrior [ Wed Apr 06, 2016 2:33 am ] |
Post subject: | Re: EidoGo Security Vulnerability Alert |
Good job Kirby. |
Author: | Kirby [ Wed Apr 06, 2016 8:28 am ] |
Post subject: | Re: EidoGo Security Vulnerability Alert |
FYI, this morning when I try to access page 1 of this thread, I get a timeout. Other pages appear to work fine. Last night, when I checked the EidoGo vulnerability, I was able to access page 1, so not sure what's up. Hopefully, the problem goes away, but I'll take a more detailed look when I get home tonight. |
Author: | DrStraw [ Wed Apr 06, 2016 8:33 am ] |
Post subject: | Re: EidoGo Security Vulnerability Alert |
I accessed it okay. |
Author: | xed_over [ Wed Apr 06, 2016 9:20 am ] |
Post subject: | Re: EidoGo Security Vulnerability Alert |
Kirby wrote: FYI, this morning when I try to access page 1 of this thread, I get a timeout. Other pages appear to work fine. Last night, when I checked the EidoGo vulnerability, I was able to access page 1, so not sure what's up. Hopefully, the problem goes away, but I'll take a more detailed look when I get home tonight.

This is probably the age-old problem of too many posts per page -- try reducing the number of posts per page to something like 10 -- or see if you can debug and fix the bug (perhaps DB related, 'cause it seems to go away for a while after the hosting company restarts their shared DB (only a guess on my part)). |
Author: | Kirby [ Wed Apr 06, 2016 10:31 am ] |
Post subject: | Re: EidoGo Security Vulnerability Alert |
xed_over wrote: Kirby wrote: FYI, this morning when I try to access page 1 of this thread, I get a timeout. Other pages appear to work fine. Last night, when I checked the EidoGo vulnerability, I was able to access page 1, so not sure what's up. Hopefully, the problem goes away, but I'll take a more detailed look when I get home tonight. This is probably the age-old problem of too many posts per page -- try reducing the number of posts per page to something like 10 -- or see if you can debug and fix the bug (perhaps DB related, 'cause it seems to go away for a while after the hosting company restarts their shared DB (only a guess on my part)).

OK. I'll take a look. Glad that it's not a problem with everybody. Another thing I noticed is that the vulnerability after half applying their patch (I modified it a little bit) seems to be gone with Chrome and IE, but I still saw it using the Edge browser that comes with Windows 10. Not sure why, yet, but again, it'll be sometime tonight before I look. |
Author: | Bonobo [ Wed Apr 06, 2016 10:37 am ] |
Post subject: | Re: EidoGo Security Vulnerability Alert |
Kirby, what about perhaps checking this related github thread and getting in touch with yewang (same user as YeGo here, I assume) and perhaps others there? |
Author: | Kirby [ Wed Apr 06, 2016 11:19 am ] |
Post subject: | Re: EidoGo Security Vulnerability Alert |
Bonobo wrote: Kirby, what about perhaps checking this related github thread and getting in touch with yewang (same user as YeGo here, I assume) and perhaps others there?

Yeah, I might do that. Looking at the diff of the files, it looks like they just did two things in the patch:

1. Replaced some characters that can be used for code injection (e.g. ">", "<") with the equivalent HTML codes.
2. Replaced calls to eval with JSON.parse, IIRC.

There were other differences unrelated to the patch, since the base version was different from what we use on this site. So I only applied the two changes they had here (then there was the issue of links being expanded in the game info, which I fixed separately). So intuitively, I don't know why it would make a difference between browsers if #1 is being done, above. But I'll take a closer look tonight. If it's still a problem, I might end up contacting them. |
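The two changes Kirby describes in the post above, written out as standalone functions so the defensive effect of each can be checked in isolation. This is an added example, not EidoGo's code or the patch applied on L19: `escapeHtml`, `parseGameData`, `renderComment` and the sample inputs are hypothetical and constructed here, and the escaping covers `&` and both quote characters in addition to the `<` and `>` the post mentions.

```javascript
// Added example, not EidoGo's code or the patch applied on L19.
// Change 1: escape HTML metacharacters in SGF text before it is rendered.
// The post names "<" and ">"; "&" and both quote characters are escaped too,
// since text that ends up inside an attribute needs them escaped as well.
const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Change 2: parse untrusted data with JSON.parse instead of eval.
// eval executes any JavaScript expression it is handed; JSON.parse accepts
// only JSON and throws on everything else, so data can never run as code.
function parseGameData(raw) {
  try {
    return { ok: true, value: JSON.parse(raw) };
  } catch (err) {
    return { ok: false, error: err.message };
  }
}

// Render an SGF comment as plain text inside the viewer's markup. This also
// reproduces the side effect Kirby hit: anything the forum already turned
// into <a> markup now shows up literally, because HTML is no longer honoured.
function renderComment(comment) {
  return '<div class="comment">' + escapeHtml(comment) + "</div>";
}

// Constructed sample inputs (hypothetical, not taken from the thread).
const SAMPLE_COMMENT = 'Nice move! <b>bold</b> & "quoted"';
const SAMPLE_JSON = '{"size": 19, "komi": 6.5, "players": ["B", "W"]}';
// A JavaScript expression, not JSON: eval would evaluate it, JSON.parse throws.
const NOT_JSON = '{"size": 19, "komi": "6." + "5"}';

function demo() {
  return {
    rendered: renderComment(SAMPLE_COMMENT),
    parsed: parseGameData(SAMPLE_JSON),
    rejected: parseGameData(NOT_JSON),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```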
Author: | Kirby [ Wed Apr 06, 2016 11:21 am ] |
Post subject: | Re: EidoGo Security Vulnerability Alert |
Sorry, scratch that. After double checking, the vulnerability seems fixed even with the Edge browser I was seeing the problem on earlier. So maybe my browser just had the old JavaScript cached. So as far as I know, the vulnerability is really fixed. But I'll still take a look at the long page loads tonight (probably an unrelated issue). |
Author: | Bonobo [ Wed Apr 06, 2016 11:38 am ] |
Post subject: | Re: EidoGo Security Vulnerability Alert |
Thanks for your work, Kirby! |
Page 2 of 3 | All times are UTC - 8 hours [ DST ] |