• Search
  • Register
  • Log in
  • Ace of Spades Game Forums » Help
  • Note: This forum is merely an archive. It is no longer possible to login or register. - StackOverflow
    New Ace of Spades Forums: http://buildandshoot.com/
  • DANGER
  •  

    Arbitrary javascript can be executed on the 'Play' page of the site by editing the server name in pyspades ie;

    in config file change server name to "<script>alert('oo');</script>"

    This could be exploited further.

    #26040
    Tingle
    Member
    Posted 13 years ago
     

    See thread "what the holy" (why do people posting about this not post useful thread titles?). Also, you could mail Ben (I already did) and the pyspades developers, instead of announcing to the entire world how to do the exploit.

    #26043
    nothings
    Member
    Posted 13 years ago
     

    This is true. I thought Ben knew something about web development, and that he would escape the server name, but apparently not :( There's not much we (the pyspades developers) can do apart from uploading a new win32 build that escapes it automatically, but the old build is still out, so wait for Ben to fix it.

    #26048
    mat^2
    pyspades developer
    Posted 13 years ago
     

    Whoever that ugly person is in the links now, I hope we can get rid of him soon... this is ridiculous.

    Frankly, I'd love an update that made PySpades stop working entirely. It's hard-to-use and frequently abused. Lexsym's ServerBot system is far superior, as are vanilla servers.

    #26075
    1337101
    Modifier
    Posted 13 years ago
     

    It's not PySpades fault you know. There is no filtering of server names on the site so anything goes.

    And you can't blame something just because you don't know how to use it. It's like you're mad at your bike because you don't know how to ride it.

    #26095
    Szuwar
    Member
    Posted 13 years ago
     

    It least it has drawn attention. Not everyone has NoScript installed, and yes, this is a server side problem not a problem with pyspades. ALL user input should be sanitised. Rule #1

    #26112
    Tingle
    Member
    Posted 13 years ago
     

    1337101: What are you talking about? This is not pyspades' fault (and I'm not going to get into how 'hard' it is to download a zip file and extract it).

    In any case, this is a major bug from Ben's side, and we can't do anything before he fixes it.

    #26153
    mat^2
    pyspades developer
    Posted 13 years ago
    RSS feed for this topic  

    Reply

    You must log in to post.

  • Tags
  •  

  •  
    Ace of Spades Game Forums is proudly powered by bbPress.   //   Theme by Mike Lothar  
    [ Time : 0.043s | 13 Queries ]