EidoGo Security Vulnerability Alert

sybob
Lives in gote
Posts: 422
Joined: Thu Oct 02, 2014 1:56 pm
GD Posts: 0
KGS: captslow
Online playing schedule: irregular and by appointment
Has thanked: 269 times
Been thanked: 129 times

Re: EidoGo Security Vulnerability Alert

Post by sybob »

uPWarrior wrote: It has the potential to corrupt the user's machine, but I would think that unlikely. The potential exists.
...
I think this is unlikely because it would require a) a random attacker to target eidogo, b) a knowledgeable attacker to target a site where XSS is possible (e.g., this site), c) unpatched browsers. I don't think this is a tempting enough target given the amount of work required, but is it possible? I would say definitely.
Well, it may be unlikely, but I am not interested in likelihood and probabilities, and want to know what it means to me in my actual situation.
Chances about recovery from a disease may be true, but if I'm the patient, I wonder what it does TO ME, having a 50/50 chance of recovery or not.
And because I operate in a very delicate line of business, I don't like this very much. AT ALL!

More exotic targets than go players were under attack. But if you don't know the user base of this forum, extensive and in detail, this still sounds to me to be a major thing.

Re: EidoGo Security Vulnerability Alert

Post by sybob »

Bonobo wrote: For our L19 admins demigods: couldn't perhaps Ilya Kirillov's wonderful HTML5 Web Go Board extension/code be something to integrate here? I use it all the time and I LOVE it, and BTW it was there where I found the code (clicked the SGF link, another tab opened with the Web Go Board, and the code as comment at the beginning).

Thanks for the edutainment :D (if it weren't so sad)
Kosmonaut has been very busy developing his web go board, which is very much appreciated. Perhaps because of that, he still has not been able to answer some vulnerability/security questions I asked him a long time ago.

Re: EidoGo Security Vulnerability Alert

Post by sybob »

Does this vulnerability occur if you just browse this forum?
Or is it necessary that Eidogo runs within the browser (either from within this site or as a separate instance) for this vulnerability to become apparent?
Does anyone know?

Re: EidoGo Security Vulnerability Alert

Post by sybob »

uPWarrior wrote: ... then no amount of common sense can protect the end user.
So, this is my last visit here.
Thank you all, bye.
DrStraw
Oza
Posts: 2180
Joined: Tue Apr 27, 2010 4:09 am
Rank: AGA 5d
GD Posts: 4312
Online playing schedule: Every tenth February 29th from 20:00-20:01 (if time permits)
Location: ʍoquıɐɹ ǝɥʇ ɹǝʌo 'ǝɹǝɥʍǝɯos
Has thanked: 237 times
Been thanked: 662 times
Contact:

Re: EidoGo Security Vulnerability Alert

Post by DrStraw »

sybob wrote:
uPWarrior wrote: ... then no amount of common sense can protect the end user.
So, this is my last visit here.
Thank you all, bye.
What are you worried about if you don't click on any eidogo links?
Still officially AGA 5d but I play so irregularly these days that I am probably only 3d or 4d over the board (but hopefully still 5d in terms of knowledge, theory and the ability to contribute).
hyperpape
Tengen
Posts: 4382
Joined: Thu May 06, 2010 3:24 pm
Rank: AGA 3k
GD Posts: 65
OGS: Hyperpape 4k
Location: Caldas da Rainha, Portugal
Has thanked: 499 times
Been thanked: 727 times

Re: EidoGo Security Vulnerability Alert

Post by hyperpape »

Does anyone have a way of communicating with sybob? I hope someone can inform him that his leaving the forum was a bit...premature.

While saying that this *absolutely* should be patched, and the patch needs to be made upstream as well, let me try and put the problem in perspective (I am a developer, but not a security guy, so if anyone can improve on what I say, go ahead...)

It's true that there are ways out of the browser's sandbox that can be triggered using JavaScript; there may also be ways out using simple *images*. So forget L19, don't browse any websites that let users upload images. But in any case, browser sandboxes are getting quite good, to the extent that exploits using them are sold on the black market for lots of money. And these exploits are being patched quite quickly these days, if you're not stuck on an ancient version of IE. There are almost certainly such vulnerabilities being exploited today, but it's not the days when any old idiot could find vulnerabilities posted on the web.

Second, JavaScript injection is not a rare vulnerability. I think things are getting better, but there are surely other sites you visit that are vulnerable. If you're worried by the Eidogo injection enough to not visit this website, you should turn off JavaScript entirely for your browser, or use an extension like NoScript that lets you selectively whitelist sites (I believe the good Robert Jasiek does the former). Advertising networks, for instance, are essentially mass-market JavaScript injectors, and they are routinely compromised and used to deliver exploits.
Kirby
Honinbo
Posts: 9553
Joined: Wed Feb 24, 2010 6:04 pm
GD Posts: 0
KGS: Kirby
Tygem: 커비라고해
Has thanked: 1583 times
Been thanked: 1707 times

Re: EidoGo Security Vulnerability Alert

Post by Kirby »

Why don't we just apply the patch on L19? It looks like they made a fix, right?

Does somebody want me to do this?
be immersed

Re: EidoGo Security Vulnerability Alert

Post by DrStraw »

Kirby wrote: Why don't we just apply the patch on L19? It looks like they made a fix, right?

Does somebody want me to do this?
That seems like a silly question. If you can do it why has it not been done already?

Re: EidoGo Security Vulnerability Alert

Post by Kirby »

Because I was at work. :-)

Also, today, Bonobo flagged this thread, so it's the first time I paid much attention to it.

I will take a look tonight.

Playing hide and seek with the kids at the moment, and they haven't found me, yet :-)

Re: EidoGo Security Vulnerability Alert

Post by Kirby »

Also, kind of hoping for a discussion since it seems there are multiple solutions here (apply their fix, use a different app as Bonobo suggested, etc.).

Re: EidoGo Security Vulnerability Alert

Post by DrStraw »

Well, I meant why was it not done when this was first raised a while back. But it doesn't matter as long as it gets done.

Re: EidoGo Security Vulnerability Alert

Post by hyperpape »

I'd say patch eidogo, if the patch looks sane.

Re: EidoGo Security Vulnerability Alert

Post by Kirby »

DrStraw wrote: Well, I meant why was it not done when this was first raised a while back. But it doesn't matter as long as it gets done.
I dunno. I vaguely seem to recall this being discussed, but I was probably busy at the time. These days, it'll take me a couple of hours to even write a post that's a couple of sentences long (write a little bit - go back to doing something back at work - go to a meeting - come back to the post, etc.). I wasn't intentionally ignoring it, but when Bonobo flagged the post, I read it more carefully.

Anyway, I'll go ahead and update it now. I'll post again when it's done.

Re: EidoGo Security Vulnerability Alert

Post by DrStraw »

Kirby wrote:
DrStraw wrote: Well, I meant why was it not done when this was first raised a while back. But it doesn't matter as long as it gets done.
I dunno. I vaguely seem to recall this being discussed, but I was probably busy at the time. These days, it'll take me a couple of hours to even write a post that's a couple of sentences long (write a little bit - go back to doing something back at work - go to a meeting - come back to the post, etc.). I wasn't intentionally ignoring it, but when Bonobo flagged the post, I read it more carefully.

Anyway, I'll go ahead and update it now. I'll post again when it's done.
Are you the only one able to do it? If so, it seems that we are short on manpower.

Re: EidoGo Security Vulnerability Alert

Post by Kirby »

DrStraw wrote:
Are you the only one able to do it?
Other people can do it, too. Looking back at this thread, though, probably some of the other admins thought that there was no problem - Uberdude posted an example where it appeared to be fixed. But thanks to YeGO, he showed us that the problem really wasn't fixed. He showed us that today.

And I believe that I fixed it now. I'm double checking some other posts that use EidoGo. If it's really not fixed, let me know, and I'll respond to it promptly.

---
Edit:
From what I can tell so far, the security issue is fixed. However, we automatically convert URLs to hyperlinks in posts. And since the EidoGo player no longer allows HTML, you see the verbose URL, with the automatically converted text.

For example:

Code:

The KGS Go Server at <!-- m --><a class="postlink" href="http://www.gokgs.com/">http://www.gokgs.com/</a><!-- m -->
I'll see about fixing this bit.
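Kirby's last post shows the trade-off of the fix: once the player stops interpreting HTML in SGF comments, phpBB's autolink markup becomes visible as text. The example below is added here and is not EidoGo's or the forum's own code. It shows one way a player could render an untrusted comment without ever handing comment markup to the HTML parser: unwrap the autolink wrapper quoted above back to its bare URL, escape everything, and then linkify only http(s) URLs. The wrapper pattern, the function names and the sample comments are assumptions constructed for this example.

```javascript
// Added example (not EidoGo's or L19's code): render an untrusted SGF comment
// safely. The comment is treated as text throughout; anchors are built by the
// renderer, never taken from the comment itself.

// Assumed shape of phpBB's autolink wrapper, as quoted in the thread:
//   <!-- m --><a class="postlink" href="URL">URL</a><!-- m -->
const PHPBB_AUTOLINK =
  /<!-- m --><a class="postlink" href="([^"]*)">[^<]*<\/a><!-- m -->/g;

// Step 1: undo phpBB's linkification so the comment is plain text again.
function unwrapAutolinks(text) {
  return text.replace(PHPBB_AUTOLINK, (_, href) => href);
}

// Step 2: HTML-escape every character that could open markup or an attribute.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

// Step 3: linkify only http(s) URLs. Requiring the scheme up front means a
// javascript: or data: string in a comment stays inert, escaped text.
const URL_RE = /https?:\/\/[^\s<>"']+/g;

// Returns an HTML string in which the only tags are anchors generated here,
// with both the visible text and the href escaped.
function renderComment(raw) {
  const text = unwrapAutolinks(raw);
  let out = '';
  let last = 0;
  for (const m of text.matchAll(URL_RE)) {
    out += escapeHtml(text.slice(last, m.index));
    const url = m[0];
    const safeUrl = escapeHtml(url); // '&' in query strings must be escaped too
    out += `<a href="${safeUrl}" rel="noopener noreferrer">${safeUrl}</a>`;
    last = m.index + url.length;
  }
  out += escapeHtml(text.slice(last));
  return out;
}

// Constructed sample: the comment shape Kirby quoted, with phpBB's autolink
// markup having ended up inside an SGF comment.
const SAMPLE_COMMENT =
  'The KGS Go Server at <!-- m --><a class="postlink" href="http://www.gokgs.com/">http://www.gokgs.com/</a><!-- m -->';

console.log(renderComment(SAMPLE_COMMENT));
```

The order matters: unwrapping happens on the raw text, escaping happens on every slice that reaches the output, and anchors are only ever constructed from a URL that already matched the scheme-restricted pattern. A comment containing its own tags, such as `Good move <b>here</b>`, comes out as escaped text rather than markup.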