-
Notifications
You must be signed in to change notification settings - Fork 346
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
c700cbd
commit 64339ff
Showing
1 changed file
with
56 additions
and
0 deletions.
There are no files selected for viewing
56 changes: 56 additions & 0 deletions
56
advisories/github-reviewed/2024/12/GHSA-xx95-62h6-h7v3/GHSA-xx95-62h6-h7v3.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,56 @@ | ||
| { | ||
| "schema_version": "1.4.0", | ||
| "id": "GHSA-xx95-62h6-h7v3", | ||
| "modified": "2024-12-26T20:20:12Z", | ||
| "published": "2024-12-26T20:20:12Z", | ||
| "aliases": [ | ||
| "CVE-2024-56361" | ||
| ], | ||
| "summary": "lgsl Stored Cross-Site Scripting vulnerability", | ||
| "details": "### Summary\n\nA stored cross-site scripting (XSS) vulnerability was identified in lgsl. The issue arises from improper sanitation of user input. Everyone who accesses this page will be affected by this attack.\n\n### Details\n\nThe function `lgsl_query_40` in `lgsl_protocol.php` has implemented an HTTP crawler. This function makes a request to the registered game server, and upon crawling the malicious `/info` endpoint with our payload, will render our javascript on the info page. This information is being displayed via `lgsl_details.php`\n\n#### Affected Code:\n```php\n foreach ($server['e'] as $field => $value) {\n $value = preg_replace('/((https*:\\/\\/|https*:\\/\\/www\\.|www\\.)[\\w\\d\\.\\-\\/=$?]*)/i', \"<a href='$1' target='_blank'>$1</a>\", html_entity_decode($value));\n $output .= \"\n <tr><td> {$field} </td><td> {$value} </td></tr>\";\n }\n```\n### PoC\n\n1. Create a game server with type `eco` and set the target host and port accordingly to your ttack server. I have crafted this json payload that is being parsed according to the schema and being served on `/info` \n\n2. Serve the following JSON payload at `/info` on your handler\n```json\n{\n \"Animals\": \"1\",\n \"EconomyDesc\": \"<img src=x onerror=prompt(1)>\"\n}\n```\n3. Access the corresponding server info page at `/s?=`. Upon refreshing & crawling our server, it should execute our javascript.\n\n", | ||
| "severity": [], | ||
| "affected": [ | ||
| { | ||
| "package": { | ||
| "ecosystem": "Packagist", | ||
| "name": "tltneon/lgsl" | ||
| }, | ||
| "ranges": [ | ||
| { | ||
| "type": "ECOSYSTEM", | ||
| "events": [ | ||
| { | ||
| "introduced": "0" | ||
| }, | ||
| { | ||
| "fixed": "7.0.0" | ||
| } | ||
| ] | ||
| } | ||
| ] | ||
| } | ||
| ], | ||
| "references": [ | ||
| { | ||
| "type": "WEB", | ||
| "url": "https://github.com/tltneon/lgsl/security/advisories/GHSA-xx95-62h6-h7v3" | ||
| }, | ||
| { | ||
| "type": "WEB", | ||
| "url": "https://github.com/tltneon/lgsl/commit/3fbd3bb581b636f7fd3ea0592c5f8df87d3a2843" | ||
| }, | ||
| { | ||
| "type": "PACKAGE", | ||
| "url": "https://github.com/tltneon/lgsl" | ||
| } | ||
| ], | ||
| "database_specific": { | ||
| "cwe_ids": [ | ||
| "CWE-79" | ||
| ], | ||
| "severity": "HIGH", | ||
| "github_reviewed": true, | ||
| "github_reviewed_at": "2024-12-26T20:20:12Z", | ||
| "nvd_published_at": null | ||
| } | ||
| } |