Maple dot Fm vulnerability
[Patched 8:55 PM PST]
https://www.youtube.com/watch?v=ZNCMKGMOGDI
https://www.youtube.com/watch?v=ABb6iUTUfIA
Avoid loading shop titles with any script tags, as they will run. (There are probably hacks to bypass the title limit, so who knows how far people will take this.)
Fun for pranking friends (it's not a bannable offense to put scripts as your shop name)
Test mule is in Windia:
Type in "ksidnas" in the search bar and hover over the shop name to experience the magic
September 18, 2015
35 Comments • Newest first
[quote=zcrimsyn]@funkyflame: LOL you're the stupid one because you can go to jail for a federal crime. That being said you can also go to jail for downloading illegal music and such, just like the TS corrected me on. That doesn't mean you will go to jail, that just means it's a possibility you will. Stop trying to start unnecessary arguments because this convo was peaceful until you decided to put in your two cents with name calling.[/quote]
You [b]will not[/b] go to jail for posting a script in your shop in an online game. I would hardly call it a possibility. I found your post amusing, unnecessary and yes, quite stupid. Also I highly, highly doubt you would be prosecuted if a botter (that's breaking the TOS) were to "copy" the name of your shop and input it on their own site. How this could even lead to anything worth going to jail for, I do not know.
I'm sure you can get in trouble for similar acts on the internet, but posting it in your shop on Maplestory? No way, don't be silly.
Have to give props to @Pastewrong for finding this. Was quite amusing to the team; will be fixing the html encoding later.
Edit: Encoding fixed.
nyannyan.
https://www.youtube.com/watch?v=QH2-TGUlwu4
[quote=timberwolf10]Thank you for the reports, this is now fixed.
I shall miss the nyan cat though.[/quote]Pretty swift, well done Tyler.
Edit:
Lol everything is html encoded now:
B&.gt; clean slates
I &.lt;3 my guild (used a dot to avoid basil from rendering the codes as html)
But the tooltip popup displays the proper characters. I think somewhere in the libraries, the tooltip stuff uses eval expressions instead of .textContent to set the content.
Thank you for the reports, this is now fixed.
I shall miss the nyan cat though.
@thomas1985 LMFAO NICE
@thomas1985:
Edit:
LOL never mind misread your intentions
Dat .js file...
@thomas1985: Figured as much, just wanted assurance.
Thanks
[quote=icephoenix21]So, who's at fault here.
Nexon, or Tyler (the owner of the fm site).[/quote]The site, as Nexon never signed up for people using bots to collect fm data. Nexon can't be blamed for someone taking data from them and using it in a way they never could've predicted (putting it on a website, without proper processing).
Lol: http://oi60.tinypic.com/9vkwut.jpg
So, who's at fault here.
Nexon, or Tyler (the owner of the fm site).
@funkyflame: LOL you're the stupid one because you can go to jail for a federal crime. That being said you can also go to jail for downloading illegal music and such, just like the TS corrected me on. That doesn't mean you will go to jail, that just means it's a possibility you will. Stop trying to start unnecessary arguments because this convo was peaceful until you decided to put in your two cents with name calling.
I can see how something simple as this might blow up and be something worse
[quote=zcrimsyn]@rachelll: Ah, my mistake, but being illegal under federal law is a bit worse, don't you think? Would be silly to go to prison for messing with something dumb like this.[/quote]
Don't be stupid, going to jail for something like this? smh.
@zeurth: This doesn't seem at the same level as hacking. It's more simple exploitation, and the only flaw in design being exploited is that user generated data isn't being html-decoded before displaying.
[b]Edit:[/b] I think this is blocked. I thought the code for this already existed, but looking at the code now, there's definitely a lot of code against this.
[quote=zeurth]L m a o
It hacks the community, not the people actually hacking.
But okay.[/quote]Sure, technically you are correct, although it's just a matter of perspective. I was just pointing out the irony of the fact that the "website-that-shall-not-be-named" uses hacks/vulnerabilities to provide their service and are now suffering from a vulnerability themselves. In my point of view it's a hack on the website's systems because that's where the vulnerability lies, whoever suffers as a result of that is a bit further down the road.
[quote=thomas1985]Lol it's not hacking, and certainly not in regards to Maplestory or Nexon. It's the hacking "source" of mentioned website that illegally harvests and processes the information from the fm with bots. So in some way it's more like hacking the hacker, which is ok in the eyes of many governments these days -_-.[/quote]
L m a o
It hacks the community, not the people actually hacking.
But okay.
[quote=rachelll]If you're doing just an alert box, it's as illegal as pirating music (maybe even less illegal). As long as you're not typing in blocks of code trying to steal data[/quote]
Ah okay, gotcha. Then yeah, nothing would probably happen. Though I'm sure technically it's still against the rules. It's just that the chances of being banned for it are almost zero.
@littletlk: If it's any consolation, Nexon didn't do this kind of thing with text chairs. That's where all the fancy text chair tricks came from. Nexon lazy-patched it during a major update, then quietly properly fixed it in a minor update. I know this problem isn't related to Nexon - it's related to webpages which use text data from the game. Just noting another situation...
[quote=zcrimsyn]@rachelll: Ah, my mistake, but being illegal under federal law is a bit worse, don't you think? Would be silly to go to prison for messing with something dumb like this.[/quote]
If you're doing just an alert box, it's as illegal as pirating music (maybe even less illegal). As long as you're not typing in blocks of code trying to steal data
@rachelll: Ah, my mistake, but being illegal under federal law is a bit worse, don't you think? Would be silly to go to prison for messing with something dumb like this.
They seriously didn't do any input cleaning in their code?
When I did my webdesign class, one of the first things we learned when using SQL/javascript was to use the htmlspecialchars() function to prevent this nonsense.
[quote=zcrimsyn]Messing with anything with the game files and or scripts or w/e is a bannable offense. They probably won't ban you but to say that it's 100% legit is just silly. You're "hacking" whether or not you believe it.[/quote]Lol it's not hacking, and certainly not in regards to Maplestory or Nexon. It's the hacking "source" of mentioned website that illegally harvests and processes the information from the fm with bots. So in some way it's more like hacking the hacker, which is ok in the eyes of many governments these days -_-.
[quote=zcrimsyn]Messing with anything with the game files and or scripts or w/e is a bannable offense. They probably won't ban you but to say that it's 100% legit is just silly. You're "hacking" whether or not you believe it.[/quote]
You're not messing with game files. This is not a bannable offense according to the ToS of Nexon... just illegal under federal law. Nowhere did I say it was 100% legit.
Yes it is "hacking" if you want to use that term loosely
This is only a problem if a webpage loads the title in without decoding it. You could make some nasty stuff with this though. I found the website's twitter and told them - lets hope they check it. Illegitimate site or not, bad things could be done there, and a fix is required.
Messing with anything with the game files and or scripts or w/e is a bannable offense. They probably won't ban you but to say that it's 100% legit is just silly. You're "hacking" whether or not you believe it.
Instead of posting here, you could tell the web developer to run html decoding on all incoming user-generated data.
[quote=rachelll]Depends on the use and country you live in. You could use it to steal cookies and hijack sessions with javascript which is completely illegal.
This is a persistent XSS so users don't need to click any link to run the script. Just view it and it'll run[/quote]
The code only seems to run when it gets a mouse hover, as that's where they use javascript's eval function to show the shop name as a pop-up. That makes the risk quite a bit smaller already. Nonetheless: using eval is a horrible offense for any programmer.
If the shop title allows enough characters, someone could load an external javascript file too, which can contain a lot more (seriously malicious) code. It's a matter of using url shorteners and as little code as possible.
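Added example (not code from the thread, maple.fm or Nexon): a small model of the two HTML sinks discussed here, the shop list and the hover tooltip, showing the two states the thread describes. The "encode on ingest" pipeline reproduces what thomas1985 observed after the first fix (the list shows `B&gt;` literally while a tooltip helper decodes the entities and hands the original payload back to the HTML parser), and the "escape at output" pipeline is the fix: keep the raw title from the game and escape at every sink. The `escapeHtml` helper does what PHP's `htmlspecialchars()` does; in a browser, assigning the title with `element.textContent` gives the same result without any escaping code. The payload strings and the shortener host are constructed for the demo; `containsInjectedMarkup` is a crude demo-only check, not something to rely on as a defence.

```javascript
'use strict';

// Constructed sample titles: two harmless ones from the thread and two payloads of the
// kind discussed (an inline event handler, and a short tag pulling a remote script
// through a hypothetical shortener host).
const PAYLOAD_INLINE = '<img src=x onerror="alert(1)">';
const PAYLOAD_REMOTE = '<script src="https://shortener.invalid/abc"></script>';
const SAMPLE_TITLES = ['B> clean slates', 'I <3 my guild', PAYLOAD_INLINE, PAYLOAD_REMOTE];

// Entity maps. Decoding runs as one pass over whole entities, so "&amp;lt;" decodes to
// "&lt;" (not "<"), and escape -> unescape is an exact round trip.
const ESCAPE = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const UNESCAPE = { '&amp;': '&', '&lt;': '<', '&gt;': '>', '&quot;': '"', '&#39;': "'" };

// Equivalent of PHP's htmlspecialchars(): safe for HTML text and quoted attributes.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ESCAPE[c]);
}

// What an over-helpful tooltip library does before inserting as HTML.
function unescapeHtml(s) {
  return String(s).replace(/&(?:amp|lt|gt|quot|#39);/g, (e) => UNESCAPE[e]);
}

// Sink 1: the shop list, which already escaped at output.
function renderListRow(title) {
  return `<li class="shop">${escapeHtml(title)}</li>`;
}

// Sink 2, vulnerable: the title is spliced straight into markup that the browser will
// parse (innerHTML / an eval'd template), so tags and event handlers are live.
function renderTooltipUnsafe(title) {
  return `<div class="tooltip">${title}</div>`;
}

// Sink 2, hardened: same markup, title escaped at this sink too.
function renderTooltipSafe(title) {
  return `<div class="tooltip">${escapeHtml(title)}</div>`;
}

// Pipeline A: escape once when the scraped title is stored. The list now escapes an
// already-escaped string (so "B&gt;" shows literally), and the tooltip helper decodes
// the stored entities and inserts the result as HTML, which revives the payload.
function pipelineEncodeOnIngest(rawTitle) {
  const stored = escapeHtml(rawTitle);
  return {
    stored,
    list: renderListRow(stored),                        // double-escaped: "B&amp;gt;"
    tooltip: renderTooltipUnsafe(unescapeHtml(stored)), // raw payload again
  };
}

// Pipeline B: store what the game gave you, escape at every HTML sink.
function pipelineEscapeAtOutput(rawTitle) {
  return {
    stored: rawTitle,
    list: renderListRow(rawTitle),
    tooltip: renderTooltipSafe(rawTitle),
  };
}

// Demo-only check: does anything that the parser would treat as a tag start survive
// inside the known wrapper element? ("<3" is not a tag start; "<img" and "<script" are.)
function containsInjectedMarkup(html) {
  const inner = html
    .replace(/^<(?:div|li) class="[a-z]+">/, '')
    .replace(/<\/(?:div|li)>$/, '');
  return /<[a-z!/]/i.test(inner);
}

// Run every sample title through both pipelines and report which tooltips are exploitable.
function demo() {
  return SAMPLE_TITLES.map((title) => ({
    title,
    encodeOnIngestExploitable: containsInjectedMarkup(pipelineEncodeOnIngest(title).tooltip),
    escapeAtOutputExploitable: containsInjectedMarkup(pipelineEscapeAtOutput(title).tooltip),
  }));
}
```

The point of the two pipelines is that escaping is a property of a sink, not of the stored data: once a value is escaped on the way in, every later reader has to know that, and the first one that "helpfully" decodes it (or evals a template containing it) undoes the fix. Storing the raw title and calling `escapeHtml` (or using `textContent`) at each place it is rendered keeps the list and the tooltip consistent and leaves no path for the payload to reach the parser.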
So my suspicion was correct. Every time I see links in the title of a store, I ignore it.
nexon plz
dank
@rachelll: Ah wow, I'll be careful with it then. Maybe contact the team that runs mapledotfm? This could get them in lots of trouble!
[quote=rate]would this be against the rules, or is there any relative use for this?[/quote]
Depends on the use and country you live in. You could use it to steal cookies and hijack sessions with javascript which is completely illegal.
This is a persistent XSS so users don't need to click any link to run the script. Just view it and it'll run
I chuckled
would this be against the rules, or is there any relative use for this?
inb4 rollback