πŸ‘€ Registered Users

πŸ“‹ 0.6.1 Security Update

Topic Flair: Tutorial
Total Votes: 0

The Exploit
Three days ago, a Cross-site scripting (XSS) exploit was discovered in the game chat that could lead to links executing game commands if you interacted with the link in any way (even just hovering over it), screwing up your game. This particular exploit only allowed for execution of ElDewrito commands - they only had access to commands that could be run normally through the console. However, the exploit could have been used in a more malicious manner. Within ten minutes of discovering the exploit, we had globally disabled chat for everyone to prevent anyone from coming across such links.

While we make every effort to audit every piece of code that goes into the project. It is open source and anyone can contribute so things can get lost in the sea of code. We’ve gone through and made certain that this exploit cannot occur again and we have a contingency plan in place should that ever happen on any part of the ui that doesn’t resort to disabling it for everyone.

The Patch
While we currently can’t make feature updates to the game, we must release this security patch in order to protect players from these exploits. We have alerted 343 of the situation. Bottom line: The safety and security of the players is of utmost importance to us and we cannot let these exploits remain active. Since many people still play this game, we have to remain accountable and as professionals, we have the responsibility to keep those players safe from harmful attacks by fixing the exploits.

This patch will fix all XSS vulnerabilities as well as a couple of other vulnerabilities that thankfully nobody had discovered yet. Once you update, chat will automatically be re-enabled and you can rest assured that you are safe from any sort of attacks. No tag or resource/asset changes are included in this patch whatsoever, so if you have tag mods installed, you should still be able to successfully update.

This patch will also include security-related items that were written before April 24th.
Continue Reading -- Run updater.exe from any version of 0.6 ElDewrito

Unique Views: 312
TheDarkConduit posted this Friday 22nd of June 2018 10:34:40 PM

💬 0 Responses

No responses yet.

Login first to respond.