I was playing around with the units database and noticed that you could enter whatever you want into the url and it would show on the page, meaning I could execute javascript which can be pretty nasty.
I created an example link below; (Copy/paste into Firefox, Chrome blocks the execution because chrome is smart)
http://www.faforever.com/faf/unitsDB/un ... /script%3E
(This just prints "1337" to the screen and isn't malicious, but a lot of stuff could be done with this.)
Hope this gets fixed soon.
Thanks.
This forum is archived and read only.
Please move to the new forum!
- It is currently 07 Apr 2021, 00:28
Forged Alliance Forever
Forged Alliance Forever Forums
XSS vulnerability in the units database.
3 posts
• Page 1 of 1
XSS vulnerability in the units database.
by aw9pf8b9344hh » 20 Mar 2016, 14:00
- aw9pf8b9344hh
- Posts: 2
- Joined: 20 Mar 2016, 13:48
- Has liked: 0 time
- Been liked: 0 time
- FAF User Name: aw9pf8b9344hh
Re: XSS vulnerability in the units database.
by Legion Darrath » 20 Mar 2016, 14:12
This doesn't seem to work on Chrome but it does do what you described when testing on Firefox.
- Legion Darrath
- Evaluator
- Posts: 693
- Joined: 03 Oct 2011, 19:50
- Has liked: 7 times
- Been liked: 117 times
- FAF User Name: Legion_Darrath
Re: XSS vulnerability in the units database.
by aw9pf8b9344hh » 21 Mar 2016, 16:49
Legion Darrath wrote:This doesn't seem to work on Chrome but it does do what you described when testing on Firefox.
Chrome blocks it because they detect XSS most of the time, if you open devtools it will say that it blocked it.
- aw9pf8b9344hh
- Posts: 2
- Joined: 20 Mar 2016, 13:48
- Has liked: 0 time
- Been liked: 0 time
- FAF User Name: aw9pf8b9344hh
3 posts
• Page 1 of 1
Who is online
Users browsing this forum: No registered users and 1 guest