All times are UTC - 8 hours [ DST ]

Post subject: Re: EidoGo Security Vulnerability Alert
Post #21 Posted: Tue Apr 05, 2016 4:10 pm (hyperpape)
Does anyone have a way of communicating with sybob? I hope someone can inform him that his leaving the forum was a bit...premature.

While saying that this absolutely should be patched, and the patch needs to be made upstream as well, let me try and put the problem in perspective (I am a developer, but not a security guy, so if anyone can improve on what I say, go ahead...)

It's true that there are ways out of the browser's sandbox that can be triggered using JavaScript; there may also be ways out using simple images. So forget L19, don't browse any website that lets users upload images. But in any case, browser sandboxes are getting quite good, to the extent that exploits using them are sold on the black market for lots of money. And these exploits are being patched quite quickly these days, if you're not stuck on an ancient version of IE. There are almost certainly such vulnerabilities being exploited today, but it's not the days when any old idiot could find vulnerabilities posted on the web.

Second, JavaScript injection is not a rare vulnerability. I think things are getting better, but there are surely other sites you visit that are vulnerable. If you're worried by the Eidogo injection enough to not visit this website, you should turn off JavaScript entirely for your browser, or use an extension like NoScript that lets you selectively whitelist sites (I believe the good Robert Jasiek does the former). Advertising networks, for instance, are essentially mass-market JavaScript injectors, and they are routinely compromised and used to deliver exploits.

Post #22 Posted: Tue Apr 05, 2016 5:06 pm (Kirby)
Why don't we just apply the patch on L19? It looks like they made a fix, right?

Does somebody want me to do this?

Post #23 Posted: Tue Apr 05, 2016 5:17 pm (DrStraw)
Kirby wrote:
Why don't we just apply the patch on L19? It looks like they made a fix, right?

Does somebody want me to do this?

That seems like a silly question. If you can do it, why has it not been done already?

Post #24 Posted: Tue Apr 05, 2016 6:31 pm (Kirby)
Because I was at work. :-)

Also, today, Bonobo flagged this thread, so it's the first time I paid much attention to it.

I will take a look tonight.

Playing hide and seek with the kids at the moment, and they haven't found me, yet :-)

Post #25 Posted: Tue Apr 05, 2016 6:32 pm (Kirby)
Also, kind of hoping for a discussion since it seems there are multiple solutions here (apply their fix, use a different app as Bonobo suggested, etc.).

Post #26 Posted: Tue Apr 05, 2016 6:33 pm (DrStraw)
Well, I meant why was it not done when this was first raised a while back. But it doesn't matter as long as it gets done.

Post #27 Posted: Tue Apr 05, 2016 7:00 pm (hyperpape)
I'd say patch eidogo, if the patch looks sane.

Post #28 Posted: Tue Apr 05, 2016 7:49 pm (Kirby)
DrStraw wrote:
Well, I meant why was it not done when this was first raised a while back. But it doesn't matter as long as it gets done.

I dunno. I vaguely seem to recall this being discussed, but I was probably busy at the time. These days, it'll take me a couple of hours to even write a post that's a couple of sentences long (write a little bit - go back to doing something back at work - go to a meeting - come back to the post, etc.). I wasn't intentionally ignoring it, but when Bonobo flagged the post, I read it more carefully.

Anyway, I'll go ahead and update it now. I'll post again when it's done.

Post #29 Posted: Tue Apr 05, 2016 8:00 pm (DrStraw)
Kirby wrote:
DrStraw wrote:
Well, I meant why was it not done when this was first raised a while back. But it doesn't matter as long as it gets done.

I dunno. I vaguely seem to recall this being discussed, but I was probably busy at the time. These days, it'll take me a couple of hours to even write a post that's a couple of sentences long (write a little bit - go back to doing something back at work - go to a meeting - come back to the post, etc.). I wasn't intentionally ignoring it, but when Bonobo flagged the post, I read it more carefully.

Anyway, I'll go ahead and update it now. I'll post again when it's done.

Are you the only one able to do it? If so, it seems that we are short on manpower.

Post #30 Posted: Tue Apr 05, 2016 8:10 pm (Kirby)
DrStraw wrote:
Are you the only one able to do it?

Other people can do it, too. Looking back at this thread, though, probably some of the other admins thought that there was no problem - Uberdude posted an example where it appeared to be fixed. But thanks to YeGO, he showed us that the problem really wasn't fixed. He showed us that today.

And I believe that I fixed it now. I'm double checking some other posts that use EidoGo. If it's really not fixed, let me know, and I'll respond to it promptly.

---
Edit:
From what I can tell so far, the security issue is fixed. However, we automatically convert URLs to hyperlinks in posts. And since the EidoGo player no longer allows HTML, you see the verbose URL, with the automatically converted text.

For example:
Code:
The KGS Go Server at <!-- m --><a class="postlink" href="http://www.gokgs.com/">http://www.gokgs.com/</a><!-- m -->

I'll see about fixing this bit.

Post #31 Posted: Tue Apr 05, 2016 11:31 pm (Kirby)
Okay, fixed the URLs. AFAIK, the security vulnerability is addressed, and the URLs still show up properly when you have a URL location. I believe the behavior is the same as before for all eidogo options on the site (sgf, sgf-problem, sgf-small tags, etc.).

I've tested this out a little bit, and haven't found anything unusual. If anybody finds any other bugs in the player, let me know, and I will try to fix it.

Post #32 Posted: Wed Apr 06, 2016 2:33 am (uPWarrior)
Good job Kirby.


Post #33 Posted: Wed Apr 06, 2016 8:28 am (Kirby)
FYI, this morning when I try to access page 1 of this thread, I get a timeout. Other pages appear to work fine. Last night, when I checked the EidoGo vulnerability, I was able to access page 1, so not sure what's up.

Hopefully, the problem goes away, but I'll take a more detailed look when I get home tonight.

Post #34 Posted: Wed Apr 06, 2016 8:33 am (DrStraw)
I accessed it okay.

Post #35 Posted: Wed Apr 06, 2016 9:20 am (xed_over)
Kirby wrote:
FYI, this morning when I try to access page 1 of this thread, I get a timeout. Other pages appear to work fine. Last night, when I checked the EidoGo vulnerability, I was able to access page 1, so not sure what's up.

Hopefully, the problem goes away, but I'll take a more detailed look when I get home tonight.

This is probably the age-old problem of too many posts per page -- try reducing the number of posts per page to something like 10 -- or see if you can debug and fix the bug (perhaps DB related, because it seems to go away for a while after the hosting company restarts their shared DB (only a guess on my part)).


Post #36 Posted: Wed Apr 06, 2016 10:31 am (Kirby)
xed_over wrote:
Kirby wrote:
FYI, this morning when I try to access page 1 of this thread, I get a timeout. Other pages appear to work fine. Last night, when I checked the EidoGo vulnerability, I was able to access page 1, so not sure what's up.

Hopefully, the problem goes away, but I'll take a more detailed look when I get home tonight.

This is probably the age old problem of too many posts per page -- try reducing the number of posts per page to something like 10 -- or see if you can debug and fix the bug (perhaps DB related, cause it seems to go away for a while after the hosting company restarts their shared DB (only a guess on my part)).

OK. I'll take a look. Glad that it's not a problem with everybody.

Another thing I noticed is that the vulnerability after half applying their patch (I modified it a little bit) seems to be gone with Chrome and IE, but I still saw it using the Edge browser that comes with Windows 10.

Not sure why, yet, but again, it'll be sometime tonight before I look.

Post #37 Posted: Wed Apr 06, 2016 10:37 am (Bonobo)
Kirby, what about perhaps checking this related github thread and getting in touch with yewang (same user as YeGo here, I assume) and perhaps others there?

Post #38 Posted: Wed Apr 06, 2016 11:19 am (Kirby)
Bonobo wrote:
Kirby, what about perhaps checking this related github thread and getting in touch with yewang (same user as YeGo here, I assume) and perhaps others there?

Yeah, I might do that. Looking at the diff of the files, it looks like they just did two things in the patch:
1. Replaced some characters that can be used for code injection (e.g. ">", "<") with the equivalent HTML codes.
2. Replaced calls to eval with JSON.parse, IIRC.

There were other differences unrelated to the patch, since the base version was different from what we use on this site. So I only applied the two changes they had here (then there was the issue of links being expanded in the game info, which I fixed separately). So intuitively, I don't know why it would make a difference between browsers if #1 is being done, above. But I'll take a closer look tonight.

If it's still a problem, I might end up contacting them.
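An added example, not EidoGo's code and not the patch the thread discusses, showing the two changes Kirby describes (escaping markup characters to HTML entities and replacing eval with JSON.parse) together with the autolink clean-up from post #30. The `POSTLINK_RE` pattern is an assumption derived from the single `<!-- m --><a class="postlink">` line quoted in that post, and the sample inputs are constructed.

```javascript
// Added example (not EidoGo's or the forum's own code) of the two fixes
// described in the thread, plus the autolink clean-up from post #30.

// Fix 1: replace characters that can start markup (e.g. "<", ">") with
// their HTML entity codes before game info is written into the page.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Fix 2: parse data with JSON.parse instead of eval. eval runs whatever
// code the string contains; JSON.parse accepts only JSON and throws a
// SyntaxError on anything else, so nothing in the input ever executes.
function parseGameData(raw) {
  try {
    return { ok: true, value: JSON.parse(raw) };
  } catch (e) {
    return { ok: false, error: e.name };
  }
}

// Forum-side clean-up (post #30): phpBB wraps bare URLs in
// <!-- m --><a class="postlink" href="...">...</a><!-- m --> before the
// SGF reaches the player; once HTML is escaped that wrapper shows as text.
// Unwrap it to the plain URL first. The pattern is an assumption derived
// from the one line quoted in the thread, not phpBB's own code.
const POSTLINK_RE =
  /<!-- m --><a class="postlink" href="([^"]*)">[^<]*<\/a><!-- m -->/g;

function stripAutolinks(text) {
  return text.replace(POSTLINK_RE, "$1");
}

// Text as it should be inserted into the player's HTML: unwrap, then escape.
function renderGameInfo(text) {
  return escapeHtml(stripAutolinks(text));
}

// Constructed samples: the autolinked KGS line quoted in post #30 and a
// comment carrying a script tag of the kind the escaping is meant to defuse.
const SAMPLE_INFO = 'The KGS Go Server at <!-- m --><a class="postlink" ' +
  'href="http://www.gokgs.com/">http://www.gokgs.com/</a><!-- m -->';
const SAMPLE_COMMENT = 'Nice move <script>alert(1)</script>';
```

Running `renderGameInfo(SAMPLE_INFO)` yields the readable `The KGS Go Server at http://www.gokgs.com/`, while `parseGameData` rejects anything eval would have executed, such as `({"size": 19})`.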

Post #39 Posted: Wed Apr 06, 2016 11:21 am (Kirby)
Sorry, scratch that. After double checking, the vulnerability seems fixed even with the Edge browser I was seeing the problem on earlier. So maybe my browser just had the old JavaScript cached.

So as far as I know, the vulnerability is really fixed. But I'll still take a look at the long page loads tonight (probably an unrelated issue).

Post #40 Posted: Wed Apr 06, 2016 11:38 am (Bonobo)
Thanks for your work, Kirby!
