04 Dec 2012 03:24 PM
I'm debating on if I should keep this to myself or send it in to the admins. I was messing around with the Roblox blog, and sure enough I found a page that's vulnerable to cross-site scripting.

Droban
Joined: 12 Aug 2012
Total Posts: 157
04 Dec 2012 03:32 PM
"Or send it in to the admins." I think this forum is visited by admins, A LOT. They have enough people working for them for a few of them to test XSS vulnerabilities, I'm sure.

Droban
Joined: 12 Aug 2012
Total Posts: 157
04 Dec 2012 03:33 PM
[Continuation of last post:] So, either you give it out and maybe get a reward, or don't give it out and it gets patched anyway. If it's not patched now, it will be eventually. Especially after people start using it.

coolbob44
Joined: 26 Nov 2009
Total Posts: 1649
04 Dec 2012 04:14 PM
As far as I know, the portion of the ROBLOX website that the blog is on is run by WordPress, and the likelihood of there being an XSS vulnerability is minimal.
If you are serious, and not looking for attention, then why didn't you email or send a message to one of the mods?

Seranok
Joined: 12 Dec 2009
Total Posts: 11083
04 Dec 2012 04:20 PM
Even if there is an XSS vulnerability on the blog, the vulnerability would be practically useless, because it's impossible to access user cookies.
So sure, an exploiter could redirect users to his malicious site. Well, you can do that already with shortened URLs.

Merely
Joined: 07 Dec 2010
Total Posts: 17266
04 Dec 2012 04:23 PM
I took a look and haven't spotted it. As coolbob noted, the blog management system was provided by WordPress, so the likelihood of there being such a vulnerability is unlikely.
Is the XSS persistent? The search system properly encodes input, and category, author, and blog pages don't show the user-given input if the page doesn't exist. The only thing I can think of is possibly a vulnerability in comments.
And even if there is an XSS vulnerability, it's rendered mostly useless by the same origin policy.

04 Dec 2012 05:08 PM
I'll gladly send it in. Do I PM sorcus on Roblox or what?

04 Dec 2012 05:09 PM
It's very real. I can go on join.me if you'd like?

iStealer
Joined: 25 Aug 2011
Total Posts: 27
04 Dec 2012 05:20 PM
You guys are clueless... You can access cookies through XSS using Javascript. And vulnerabilities on WordPress aren't "uncommon" at all. Nonetheless... If it's in a WordPress external plugin, it's even LESS uncommon. So get your facts straight before you post crap.
Good find, OP.

Merely
Joined: 07 Dec 2010
Total Posts: 17266
04 Dec 2012 06:02 PM
>You guys are clueless... You can access cookies through XSS using Javascript
ROBLOX uses HTTPOnly, which prevents cookies from being accessed by client-side scripts. Even if that feature wasn't activated, the same-origin policy prevents a script running from blog.roblox.com from accessing or modifying cookies from any other subdomain of ROBLOX.com.
You're the one being clueless here.
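The cookie attributes discussed in the post above (HttpOnly, and whether a cookie is scoped to one host or to the parent domain) can be audited from a site's Set-Cookie headers. The following is an added example, not part of the thread or any poster's code; the hosts and cookie names are constructed, the page is assumed to load over HTTPS, and the Path attribute is ignored.

```javascript
// Which cookies could a script running on a given host read via document.cookie?
// Hosts and cookie names below are constructed sample data (assumption).

// Parse one Set-Cookie header value into its name plus the attributes relevant here.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), httpOnly: false, domain: null };
  for (const attr of attrs) {
    const [key, value = ''] = attr.split('=');
    const k = key.trim().toLowerCase();
    if (k === 'httponly') cookie.httpOnly = true;
    // RFC 6265: a leading dot in Domain is ignored; an empty Domain is ignored.
    if (k === 'domain' && value) cookie.domain = value.trim().toLowerCase().replace(/^\./, '');
  }
  return cookie;
}

// RFC 6265 domain matching: a cookie without Domain is host-only (exact host match);
// a cookie with Domain is sent to that domain and every subdomain of it.
function domainMatches(cookie, setByHost, pageHost) {
  if (cookie.domain === null) return pageHost === setByHost;
  return pageHost === cookie.domain || pageHost.endsWith('.' + cookie.domain);
}

// Return the names of cookies a script on pageHost could read.
function scriptReadable(responses, pageHost) {
  const readable = [];
  for (const { host, setCookie } of responses) {
    for (const header of setCookie) {
      const c = parseSetCookie(header);
      if (!c.httpOnly && domainMatches(c, host, pageHost)) readable.push(c.name);
    }
  }
  return readable;
}

const SAMPLE = [
  { host: 'www.example.com', setCookie: [
    'session=abc123; Domain=.example.com; Path=/; HttpOnly; Secure',
    'prefs=dark; Domain=example.com; Path=/',
    'csrf=xyz; Path=/',
  ]},
  { host: 'blog.example.com', setCookie: ['wp_test=1; Path=/'] },
];

console.log('blog.example.com:', scriptReadable(SAMPLE, 'blog.example.com'));
console.log('www.example.com: ', scriptReadable(SAMPLE, 'www.example.com'));
```

Any cookie name this reports for a low-trust subdomain is one to mark HttpOnly or to scope to a single host by dropping its Domain attribute.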

04 Dec 2012 06:07 PM
"You can access cookies through XSS using Javascript."
Different subdomain.
"And vulnerabilities on WordPress aren't 'uncommon' at all."
Considering it's the #1 blogging platform atm, even if one is found it should be patched pretty quick.
--- We're all immortal. We're just stuck in full screen. - Corecii

04 Dec 2012 08:19 PM
Sigh. Nothing is 100% secure. Now could somebody please tell me who I need to message?

Roundel
Joined: 20 Mar 2010
Total Posts: 469

Merely
Joined: 07 Dec 2010
Total Posts: 17266
04 Dec 2012 08:32 PM
ostrichSized is the man to contact.

pwnedu46
Joined: 23 May 2009
Total Posts: 7534
05 Dec 2012 12:49 PM
Or send a message to info@roblox.com

07 Dec 2012 04:47 PM
^reported
--- We're all immortal. We're just stuck in full screen. - Corecii

07 Dec 2012 04:56 PM
Nothing I said was against the ROBLOX ToS.
"Send it to me. :3"
Nothing offensive there.

07 Dec 2012 05:07 PM
You're asking for an exploit.
"So that everyone has a good time, you understand and agree that you will not post or send through the site any words, images or links containing or relating to:"
"'cheats' or 'hacks', or information or links to sites claiming to have these"
http://www.roblox.com/info/terms-of-service
--- We're all immortal. We're just stuck in full screen. - Corecii

Quenty
Joined: 03 Sep 2009
Total Posts: 9316
08 Dec 2012 07:36 AM
If you've found an XSS vulnerability on the blog, go tell WordPress, and make a few million web pages happy - go retrieve a few thousand dollar reward.
WordPress is used by a ton of websites, if you've found a vulnerability, then you can get a lot more than a white hat on ROBLOX.

Quenty
Joined: 03 Sep 2009
Total Posts: 9316
08 Dec 2012 07:37 AM
"If you've found an XSS vulnerability on the blog, go tell WordPress, and make a few million web pages happy - go retrieve a few thousand dollar reward."
I structured this sentence wrong. It should say "go tell WordPress and retrieve a few thousand dollar reward, as well as make a few million web pages happy..."

Joshnee
Joined: 02 Jul 2012
Total Posts: 182
05 May 2014 02:28 PM
You can access other users' cookies with a Format String Exploit; sadly Render's is patched.