PMOG
The Passively Multiplayer Online Game

PMOG Forum

civilized discourse for an uncivilized gameworld





Author Thread
kyo


Level 10
Destroyer
Posts: 28

I am making this thread by being forced to from some nifty JavaScript code. If this works, you should check referers when getting POST requests.

<snip>

please copy and paste this link in your url bar.

On a side note, something seems to be wrong with your link parsing system as well. I could not get it to show up properly when I tried to.

by kyo 10 months ago

kyo


Level 10
Destroyer
Posts: 28

And apparently deleting posts doesn't work either.

by kyo 10 months ago

kyo


Level 10
Destroyer
Posts: 28

I am not making this post, instead I was forced to by the post forcer ( http://wocares.com/pf3.php ) - this post is a demonstration of how serious this issue is.

by kyo 10 months ago

kyo


Level 10
Destroyer
Posts: 28

I am not making this post, instead I was forced to by the post forcer ( http://wocares.com/pf3.php ) - this post is a demonstration of how serious this issue is.

by kyo 10 months ago

joe


Level 10
Seer
Posts: 145

I don't know what's going on, but apparently this is serious.

by joe 10 months ago

mikey


Level 20
Pathmaker
Posts: 205

It's not that serious, just making a post to the forum page...

by mikey 10 months ago

tulsatrey


Level 11
Pathmaker
Posts: 37

No, mikey -- this is SERIOUS.

by tulsatrey 10 months ago

medlar


Level 9
Pathmaker
Posts: 4

I am not making this post, instead I was forced to by the post forcer ( http://wocares.com/pf3.php ) - this post is a demonstration of how serious this issue is.

by medlar 10 months ago

kyo


Level 10
Destroyer
Posts: 28

See medlar's post.

Let me just add that this is not all you can do with it (aside from the fact that identity theft itself can be a serious issue).

You could force people to buy stuff they don't want to buy, you could make them deploy crates and other stuff.

You should check if the referer is right, but because some firewalls block referers you should also accept a request if there is no request at all.

by kyo 10 months ago

siva-guren


Level 12
Seer
Posts: 65

I am not making this post, instead I was forced to by the post forcer ( http://wocares.com/pf3.php ) - this post is a demonstration of how serious this issue is.

by siva-guren 10 months ago

mikey


Level 20
Pathmaker
Posts: 205

Not really serious at all; they just need some sort of session state and this type of attack will just go away.

by mikey 10 months ago
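The two defences raised in this thread, kyo's referer check and mikey's "some sort of session state", are the usual pair for stopping cross-site request forgery of state-changing POSTs. The block below is an added illustration written for this page, not PMOG's code: a framework-neutral validator that binds a random token to the server-side session (the synchronizer-token pattern) and also compares the request's Origin or Referer against the site's own origin. `SITE_ORIGIN` is a hypothetical host, and the header, form and session objects are plain dicts standing in for whatever the web framework provides. Because kyo notes that some firewalls and proxies strip the Referer, a request with neither Origin nor Referer is not rejected on that basis alone; it is safe to accept only because the session-bound token is mandatory on every POST, which a form hosted on another site cannot obtain.

```python
"""CSRF defence for state-changing POST requests.

Added example for this thread, not PMOG's code. Framework-neutral: the caller
passes the request headers, the parsed form body and the server-side session
(all plain dicts here). SITE_ORIGIN is a hypothetical value.
"""
import hmac
import secrets
from urllib.parse import urlsplit

SITE_ORIGIN = "https://pmog.example"  # hypothetical; the real host is not on the page


def issue_csrf_token(session):
    """Store a fresh random token in the server-side session (the 'session
    state' the thread mentions) and return it for embedding as a hidden
    form field. Call this when rendering any form that will POST."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def _origin_of(url):
    """Reduce an absolute URL to its scheme://host[:port] origin, or None."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def source_origin(headers):
    """Return the request's source origin: Origin if present, else the origin
    of Referer, else None when both are absent (e.g. stripped by a proxy)."""
    origin = headers.get("Origin")
    if origin and origin != "null":
        return _origin_of(origin)
    referer = headers.get("Referer")
    if referer:
        return _origin_of(referer)
    return None


def is_trusted_post(headers, form, session):
    """Accept a POST only if the form token matches the session token and the
    source origin, when one is present, is our own site.

    Missing Origin/Referer is tolerated (some firewalls strip them), but the
    token check still has to pass, so a cross-site form that cannot read our
    pages cannot produce an acceptable request."""
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token")
    if not expected or not supplied:
        return False
    # Constant-time comparison so token guesses do not leak timing information.
    if not hmac.compare_digest(expected, supplied):
        return False
    origin = source_origin(headers)
    if origin is not None and origin != SITE_ORIGIN.lower():
        return False
    return True


if __name__ == "__main__":
    # Constructed walk-through: a legitimate same-site post passes, a post
    # referred from another site is rejected even if it copies a token format.
    sess = {}
    tok = issue_csrf_token(sess)
    print(is_trusted_post({"Origin": SITE_ORIGIN}, {"csrf_token": tok}, sess))
    print(is_trusted_post({"Referer": "http://wocares.com/pf3.php"},
                          {"csrf_token": tok}, sess))
```

The token is per session rather than per request, which is enough to defeat a forged form from another origin; rotating it per form is a stricter variant that the same code supports by calling `issue_csrf_token` on every render.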

kyo


Level 10
Destroyer
Posts: 28

Yes, mikey. It is easy to fix indeed, but that does not stop it from being serious.

Maybe you'll change your mind after I've stolen all your money using this (I'm not going to).

by kyo 10 months ago

suttree
Trustee


Level 13
Pathmaker
Posts: 188

Hi kyo.

Can I start by pointing out that if you feel there is a security issue you should contact us directly first, rather than making a post in the forum.

It is the accepted practice for anyone who discovers a security hole to contact the website directly, in private, rather than drawing attention to the problem for your own ends.

With regards to this issue, I don't see the problem. You've used a form on another website to create a forum post. There is no identity theft taking place, no one has 'forced' you to make the post, and anyone who has done the same thing has *actively* chosen to do that; they have not been forced or coerced into doing anything. Further, the result of this action has not led to any harm, exploit or release of data.

However, if you feel that this issue could lead to other problems, please contact me directly - duncan at gamelayers dot com.

by suttree 10 months ago

kyo


Level 10
Destroyer
Posts: 28

Yeah, sorry about that. I was testing if it works, so I had to, but I'll keep that in mind in the future.

<snip>

by kyo 10 months ago

suttree
Trustee


Level 13
Pathmaker
Posts: 188

Thanks for the example, kyo. I've removed it, however, as I specifically stated in my previous post that if you have any concerns you should contact me directly and *not* post them in a public forum.

I appreciate that you have valid security concerns but posting them in a public forum only increases the likelihood that you will suffer as a consequence of them.

I will repeat what I said earlier - if you have any concerns please contact me directly - duncan at gamelayers dot com - and I will deal with them. Making your concerns public, even when specifically asked not to, makes you look unprofessional.

by suttree 10 months ago

kyo


Level 10
Destroyer
Posts: 28

Well it's pretty much out in public anyway now, isn't it?

'Cause, you know, anybody who doesn't know what CSRF is won't be able to do this anyway...

That's why I kept posting this in here, but sure, I'll email from now on.

Oh well, I hope you realize why this is serious and fix it now. I'll keep you guys updated if I find any other issues (per email!)

by kyo 10 months ago

suttree
Trustee


Level 13
Pathmaker
Posts: 188

It's only out in the public since you posted the details in here, kyo. And anyone who doesn't know what CSRF is could easily have followed your instructions - that's the problem with posting them in a public forum and not contacting the developers directly.

Had we not responded to your concerns, I'd say making them public was a valid course of action, but you seem to have decided that drawing attention to yourself was more important.

I do appreciate the seriousness of CSRF and we'll work to close any and all loopholes in PMOG as we become aware of them.

by suttree 10 months ago

This thread is locked and therefore cannot be posted to.


