Forged Alliance Forever

Re: XSS vulnerability in the units database.

2016-03-21T16:49:26+02:00

Legion Darrath wrote:
This doesn't seem to work on Chrome but it does do what you described when testing on Firefox.

Chrome blocks it because they detect XSS most of the time, if you open devtools it will say that it blocked it.

Statistics: Posted by aw9pf8b9344hh — 21 Mar 2016, 16:49

Re: XSS vulnerability in the units database.

2016-03-20T14:12:46+02:00

This doesn't seem to work on Chrome but it does do what you described when testing on Firefox.

Statistics: Posted by Legion Darrath — 20 Mar 2016, 14:12

XSS vulnerability in the units database.

2016-03-20T14:00:45+02:00

I was playing around with the units database and noticed that you could enter whatever you want into the url and it would show on the page, meaning I could execute javascript which can be pretty nasty.

I created an example link below; (Copy/paste into Firefox, Chrome blocks the execution because chrome is smart)
http://www.faforever.com/faf/unitsDB/un ... /script%3E
(This just prints "1337" to the screen and isn't malicious, but a lot of stuff could be done with this.)

Hope this gets fixed soon.

Thanks.

Statistics: Posted by aw9pf8b9344hh — 20 Mar 2016, 14:00