EidoGo Security Vulnerability Alert

Post by Kirby »

Okay, fixed the URLs. AFAIK, the security vulnerability is addressed, and the URLs still show up properly when you have a URL location. I believe the behavior is the same as before for all eidogo options on the site (sgf, sgf-problem, sgf-small tags, etc.).

I've tested this out a little bit, and haven't found anything unusual. If anybody finds any other bugs in the player, let me know, and I will try to fix it.
be immersed

Post by uPWarrior »

Good job Kirby.

Post by Kirby »

FYI, this morning when I try to access page 1 of this thread, I get a timeout. Other pages appear to work fine. Last night, when I checked the EidoGo vulnerability, I was able to access page 1, so not sure what's up.

Hopefully, the problem goes away, but I'll take a more detailed look when I get home tonight.
be immersed

Post by DrStraw »

I accessed it okay.
Still officially AGA 5d but I play so irregularly these days that I am probably only 3d or 4d over the board (but hopefully still 5d in terms of knowledge, theory and the ability to contribute).

Post by xed_over »

Kirby wrote: FYI, this morning when I try to access page 1 of this thread, I get a timeout. Other pages appear to work fine. Last night, when I checked the EidoGo vulnerability, I was able to access page 1, so not sure what's up.

Hopefully, the problem goes away, but I'll take a more detailed look when I get home tonight.

This is probably the age-old problem of too many posts per page -- try reducing the number of posts per page to something like 10 -- or see if you can debug and fix the bug (perhaps DB related, 'cause it seems to go away for a while after the hosting company restarts their shared DB (only a guess on my part)).

Post by Kirby »

xed_over wrote:
Kirby wrote: FYI, this morning when I try to access page 1 of this thread, I get a timeout. Other pages appear to work fine. Last night, when I checked the EidoGo vulnerability, I was able to access page 1, so not sure what's up.

Hopefully, the problem goes away, but I'll take a more detailed look when I get home tonight.

This is probably the age-old problem of too many posts per page -- try reducing the number of posts per page to something like 10 -- or see if you can debug and fix the bug (perhaps DB related, 'cause it seems to go away for a while after the hosting company restarts their shared DB (only a guess on my part)).


OK. I'll take a look. Glad that it's not a problem with everybody.

Another thing I noticed is that the vulnerability after half applying their patch (I modified it a little bit) seems to be gone with Chrome and IE, but I still saw it using the Edge browser that comes with Windows 10.

Not sure why, yet, but again, it'll be sometime tonight before I look.
be immersed

Post by Bonobo »

Kirby, what about perhaps checking this related GitHub thread and getting in touch with yewang (same user as YeGo here, I assume) and perhaps others there?
“The only difference between me and a madman is that I’m not mad.” — Salvador Dali

Post by Kirby »

Bonobo wrote: Kirby, what about perhaps checking this related GitHub thread and getting in touch with yewang (same user as YeGo here, I assume) and perhaps others there?


Yeah, I might do that. Looking at the diff of the files, it looks like they just did two things in the patch:
1. Replace some characters that can be used for code injection (e.g. ">", "<") with the equivalent HTML codes.
2. Replaced calls to eval with JSON.parse, IIRC.

There were other differences unrelated to the patch, since the base version was different from what we use on this site. So I only applied the two changes they had here (then there was the issue of links being expanded in the game info, which I fixed separately). So intuitively, I don't know why it would make a difference between browsers if #1 is being done, above. But I'll take a closer look tonight.

If it's still a problem, I might end up contacting them.
be immersed
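
The two changes described in the post above (encoding HTML metacharacters, and replacing eval with JSON.parse), as an added example that is not part of the original thread and is not EidoGo's actual patch. The function names and the sample inputs are constructed for illustration:

```javascript
// Added example, not EidoGo's code. All names below are hypothetical.

// Change 1: encode HTML metacharacters in untrusted SGF text before it is
// placed into markup, so the browser treats it as text and not as tags.
const HTML_ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Render one game-info property (label/value pair) as an HTML fragment.
function renderGameInfo(label, value) {
  return "<dt>" + escapeHtml(label) + "</dt><dd>" + escapeHtml(value) + "</dd>";
}

// Change 2: parse responses as data only. JSON.parse accepts JSON syntax and
// throws on anything else, whereas eval would run the text as a program.
function parseResponse(text) {
  try {
    return { ok: true, data: JSON.parse(text) };
  } catch (err) {
    return { ok: false, data: null };
  }
}

// Constructed sample inputs (not taken from the thread).
const sampleComment = 'Nice move <script>document.title="x"</script> & "tesuji"';
const sampleJson = '{"id": 42, "sgf": "(;GM[1]SZ[19])"}';
const sampleNotJson = "(function () { globalThis.sideEffect = true; })()";

function demo() {
  return {
    html: renderGameInfo("Comment", sampleComment),
    good: parseResponse(sampleJson),
    bad: parseResponse(sampleNotJson),
    // Stays false: the non-JSON text was rejected, never executed.
    sideEffect: globalThis.sideEffect === true,
  };
}

console.log(demo());
```

Encoding these five characters covers text placed in element content and quoted attribute values; values that end up in URLs or script contexts need encoding specific to that context.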

Post by Kirby »

Sorry, scratch that. After double checking, the vulnerability seems fixed even with the Edge browser I was seeing the problem on earlier. So maybe my browser just had the old JavaScript cached.

So as far as I know, the vulnerability is really fixed. But I'll still take a look at the long page loads tonight (probably an unrelated issue).
be immersed

Post by Bonobo »

Thanks for your work, Kirby!
“The only difference between me and a madman is that I’m not mad.” — Salvador Dali

Post by sybob »

Curiosity kills the cat.
I just logged in after my last post. My account was not yet deleted.

I now read it has been properly addressed in the meantime.
Thank you all. I can now again spend numerous hours browsing this forum again :wink:

(And it is just a coincidence that my virus scanner intercepted a malicious mail just two minutes ago.)

Post by KOCMOHABT »

Offtop: If admins of this site would like to embed my board here, just PM me at kocmohabt.baduk@gmail.com. As an example of embedding: http://gokifu.com/s/pb.y. Thank you.

Post by banet »

Check out the site http://go.ba.net based on EidoGo code but with the XSS security vulnerability patched.

Boards can be embedded like this

<iframe src="http://go.ba.net/playgo/go-embed.html?sgf=example.sgf"></iframe>

Post by YeGO »

banet wrote: Check out the site http://go.ba.net based on EidoGo code but with the XSS security vulnerability patched.


In your other announcement thread, you said that the vulnerabilities were only "mostly" patched (whatever that means), and based on a quick look, it appears that your JavaScript is still using eval in a few places to apparently do JSON parsing. Are you sure that you've patched up the XSS vulnerabilities properly?

Also, there seems to be little purpose to linking to your site via an iframe just to use something that is essentially EidoGo, which is already integrated into L19x19. In fact, this could create further security problems, if your site does something malicious or contains unfixed security issues that allow others to do malicious things.

Since your site is based on EidoGo, which is licensed under AGPL requiring derivative works to be open-source under AGPL as well, have you made your modified source code available somewhere (which would be required to comply with the AGPL)?

Post by banet »

We used the EidoGo UI JavaScript only. We run a different database, and added the SGF XSS safety filter at the DB level.