|
| 10 Jan 2015 10:59 PM |
tl;dr big security problem in Studio, read last paragraph to fix
Hello, I am an OWASP and CIESSP and CEHE and Offensive Security certified pennatester.
After buffering the overflows of EIP I have discovered a critical SQL injection vulnerability in Roblox Studio.
If you use cURL to pass a malicious CSRF token on OSI level 4, you are able to hijack anyone's Studio session if they are in Studio and the cookie has updated that they are in Studio on their user page. This means a man in the endzone attack.
To prevent this, go to ServerScriptService in Studio and check 'LoadStringEnabled', it has the side effect of adding a new memory pointer to AD838 based on 2's complement system, and will basically secure you. |
|
|
| Report Abuse |
|
|
ripint
|
  |
| Joined: 28 Mar 2009 |
| Total Posts: 11198 |
|
| |
|
|
| 10 Jan 2015 11:01 PM |
I understand a skid like you might not understand the advanced concepts layed out in the OP, Ripint.
Study metatablets and you'll be good. |
|
|
| Report Abuse |
|
|
|
| 10 Jan 2015 11:02 PM |
| I feel like you used a lot of googling to write this. |
|
|
| Report Abuse |
|
|
|
| 10 Jan 2015 11:02 PM |
"I feel like you used a lot of googling to write this."
If you weren't so stupid you could clearly see the certifications I have. |
|
|
| Report Abuse |
|
|
|
| 10 Jan 2015 11:02 PM |
| i feel like this isnt a serious thread |
|
|
| Report Abuse |
|
|
byancat
|
  |
| Joined: 18 Jun 2014 |
| Total Posts: 196 |
|
|
| 10 Jan 2015 11:03 PM |
| All I understood was "cookie". |
|
|
| Report Abuse |
|
|
|
| 10 Jan 2015 11:03 PM |
"I feel like you used a lot of googling to write this."
"If you weren't so stupid you could clearly see the certifications I have."
Yes because using Roblox Studio will get you a lot in life.
"Hey guys I'm a pro at roblox studio, look at me I use big words to help my self-esteem."
Check yourself. |
|
|
| Report Abuse |
|
|
|
| 10 Jan 2015 11:03 PM |
"i feel like this isnt a serious thread"
If anyone in Atlas Armada knew what they were doing, you could show them this and they'd actually understand. But no, AA is a clan for idiots. |
|
|
| Report Abuse |
|
|
|
| 10 Jan 2015 11:04 PM |
"Yes because using Roblox Studio will get you a lot in life."
Those are pennatesting certifications you moron, that means HACKING.
"look at me I use big words to help my self-esteem"
You only perceive them as big words because you're too much of a dumbass to understand any of them. |
|
|
| Report Abuse |
|
|
xMaleden
|
  |
| Joined: 22 Dec 2010 |
| Total Posts: 2542 |
|
|
| 10 Jan 2015 11:06 PM |
| No one would go through the trouble of all that for roblox. |
|
|
| Report Abuse |
|
|
|
| 10 Jan 2015 11:07 PM |
"No one would go through the trouble of all that for roblox."
I know you're stupid as you lead EL (a clan for morons), but I'm actually a certified pennatester so I use Roblox to practice discovering vulnerabilities via forward engineering and fuzzing. |
|
|
| Report Abuse |
|
|
xMaleden
|
  |
| Joined: 22 Dec 2010 |
| Total Posts: 2542 |
|
|
| 10 Jan 2015 11:09 PM |
| Roblox Studio doesn't use SQL on the client. Screw off bby. ;) |
|
|
| Report Abuse |
|
|
| |
|
|
| 10 Jan 2015 11:11 PM |
"Roblox Studio doesn't use SQL on the client. Screw off bby. ;)"
I know you're a pretty big ass moron, but Roblox uses not only CPython for networking (interfacing with C++), but also JPython and JPython actually has a library which uses SQL databases for rendering reasons. So, get out. |
|
|
| Report Abuse |
|
|
SLPM
|
  |
| Joined: 02 Apr 2010 |
| Total Posts: 33349 |
|
|
| 10 Jan 2015 11:11 PM |
im scared
<->Truth has no reason to hide for it has the pride of a lion<-> |
|
|
| Report Abuse |
|
|
|
| 10 Jan 2015 11:12 PM |
| Enable LoadString and you'll be fine. |
|
|
| Report Abuse |
|
|
|
| 10 Jan 2015 11:13 PM |
| the bait and the morons falling for it are real |
|
|
| Report Abuse |
|
|
|
| 10 Jan 2015 11:15 PM |
"All I understood was "cookie"."[2]
Asuna is our one true goddess |
|
|
| Report Abuse |
|
|
|
| 10 Jan 2015 11:15 PM |
I'm a pen tester, as well.
~Only when no human lives, will there be eternal peace. |
|
|
| Report Abuse |
|
|
|
| 10 Jan 2015 11:16 PM |
| It's pennatester dumbass we aren't testing pens. |
|
|
| Report Abuse |
|
|
|
| 10 Jan 2015 11:18 PM |
lol leave
yar!!! scurvy land lubbers! |
|
|
| Report Abuse |
|
|
fault0
|
  |
| Joined: 26 Oct 2014 |
| Total Posts: 817 |
|
| |
|
| |
|
SecutorIV
|
  |
| Joined: 13 Jun 2010 |
| Total Posts: 11516 |
|
|
| 10 Jan 2015 11:20 PM |
| How do you become a pen tester. |
|
|
| Report Abuse |
|
|