ROBLOX Forum » Game Creation and Development » Scripters
Re: Roblox blog is vulnerable to XSS

UnusualDivinity (Joined: 15 Jun 2012, Total Posts: 291)
04 Dec 2012 03:24 PM
I'm debating whether I should keep this to myself or send it in to the admins. I was messing around with the Roblox blog, and sure enough I found a page that's vulnerable to cross-site scripting.
nickmaster24 (Joined: 04 Oct 2008, Total Posts: 8906)
04 Dec 2012 03:26 PM
That's nice.
Droban (Joined: 12 Aug 2012, Total Posts: 157)
04 Dec 2012 03:32 PM
"Or send it in to the admins."
I think this forum is visited by admins, A LOT. They have enough people working for them for a few of them to test XSS vulnerabilities, I'm sure.
Droban (Joined: 12 Aug 2012, Total Posts: 157)
04 Dec 2012 03:33 PM
[Continuation of last post:]
So, either you give it out and maybe get a reward, or don't give it out and it gets patched anyway. If it's not patched now, it will be eventually. Especially after people start using it.
coolbob44 (Joined: 26 Nov 2009, Total Posts: 1649)
04 Dec 2012 04:14 PM
As far as I know, the portion of the ROBLOX website that the blog is on is run by WordPress, and the likelihood of there being an XSS vulnerability is minimal.

If you are serious, and not looking for attention, then why didn't you email or send a message to one of the mods?
Seranok (Joined: 12 Dec 2009, Total Posts: 11083)
04 Dec 2012 04:20 PM
Even if there is an XSS vulnerability on the blog, the vulnerability would be practically useless, because it's impossible to access user cookies.

So sure, an exploiter could redirect users to his malicious site. Well, you can do that already with shortened URLs.
Merely (Joined: 07 Dec 2010, Total Posts: 17266)
04 Dec 2012 04:23 PM
I took a look and haven't spotted it. As coolbob noted, the blog management system was provided by WordPress, so the likelihood of there being such a vulnerability is low.

Is the XSS persistent? The search system properly encodes input, and category, author, and blog pages don't show the user-given input if the page doesn't exist. The only thing I can think of is possibly a vulnerability in comments.

And even if there is an XSS vulnerability, it's rendered mostly useless by the same-origin policy.
UnusualDivinity (Joined: 15 Jun 2012, Total Posts: 291)
04 Dec 2012 05:08 PM
I'll gladly send it in. Do I PM Sorcus on Roblox or what?
UnusualDivinity (Joined: 15 Jun 2012, Total Posts: 291)
04 Dec 2012 05:09 PM
It's very real. I can go on join.me if you'd like?
iStealer (Joined: 25 Aug 2011, Total Posts: 27)
04 Dec 2012 05:20 PM
You guys are clueless... You can access cookies through XSS using JavaScript. And vulnerabilities on WordPress aren't "uncommon" at all. Nonetheless... If it's in a WordPress external plugin, it's even LESS uncommon. So get your facts straight before you post crap.

Good find, OP.
Merely (Joined: 07 Dec 2010, Total Posts: 17266)
04 Dec 2012 06:02 PM
>You guys are clueless... You can access cookies through XSS using Javascript

ROBLOX uses HttpOnly, which prevents cookies from being accessed by client-side scripts. Even if that feature wasn't activated, the same-origin policy prevents a script running from blog.roblox.com from accessing or modifying cookies from any other subdomain of ROBLOX.com.

You're the one being clueless here.
Techboy6601 (Joined: 29 Jun 2009, Total Posts: 4914)
04 Dec 2012 06:07 PM
"You can access cookies through XSS using Javascript."

Different subdomain.

"And vulnerabilities on WordPress aren't 'uncommon' at all."

Considering it's the #1 blogging platform atm, even if one is found it should be patched pretty quick.

---
We're all immortal. We're just stuck in full screen. - Corecii
UnusualDivinity (Joined: 15 Jun 2012, Total Posts: 291)
04 Dec 2012 08:19 PM
Sigh. Nothing is 100% secure. Now could somebody please tell me who I need to message?
Roundel (Joined: 20 Mar 2010, Total Posts: 469)
04 Dec 2012 08:25 PM
SO EDGY
Merely (Joined: 07 Dec 2010, Total Posts: 17266)
04 Dec 2012 08:32 PM
ostrichSized is the man to contact.
pwnedu46 (Joined: 23 May 2009, Total Posts: 7534)
05 Dec 2012 12:49 PM
Or send a message to info@roblox.com
Awesomesniperman1 (Joined: 26 Sep 2011, Total Posts: 3780)
07 Dec 2012 04:26 PM
Send it to me. :3
Awesomesniperman1 (Joined: 26 Sep 2011, Total Posts: 3780)
07 Dec 2012 04:30 PM
send pm pls
Techboy6601 (Joined: 29 Jun 2009, Total Posts: 4914)
07 Dec 2012 04:47 PM
^reported

---
We're all immortal. We're just stuck in full screen. - Corecii
Awesomesniperman1 (Joined: 26 Sep 2011, Total Posts: 3780)
07 Dec 2012 04:56 PM
Nothing I said was against the ROBLOX ToS.

"Send it to me. :3"

Nothing offensive there.
Techboy6601 (Joined: 29 Jun 2009, Total Posts: 4914)
07 Dec 2012 05:07 PM
You're asking for an exploit.

"So that everyone has a good time, you understand and agree that you will not post or send through the site any words, images or links containing or relating to:"

"'cheats' or 'hacks', or information or links to sites claiming to have these"

http://www.roblox.com/info/terms-of-service

---
We're all immortal. We're just stuck in full screen. - Corecii
Awesomesniperman1 (Joined: 26 Sep 2011, Total Posts: 3780)
08 Dec 2012 06:58 AM
nonononob
Quenty (Joined: 03 Sep 2009, Total Posts: 9316)
08 Dec 2012 07:36 AM
If you've found an XSS vulnerability on the blog, go tell WordPress, and make a few million web pages happy - go retrieve a few thousand dollar reward.

WordPress is used by a ton of websites; if you've found a vulnerability, then you can get a lot more than a white hat on ROBLOX.
Quenty (Joined: 03 Sep 2009, Total Posts: 9316)
08 Dec 2012 07:37 AM
"If you've found an XSS vulnerability on the blog, go tell WordPress, and make a few million web pages happy - go retrieve a few thousand dollar reward."

I structured this sentence wrong. It should say "go tell WordPress and retrieve a few thousand dollar reward, as well as make a few million web pages happy..."
Joshnee (Joined: 02 Jul 2012, Total Posts: 182)
05 May 2014 02:28 PM
You can access other users' cookies with a format string exploit; sadly, Render's is patched.