A state poisoning vulnerability in pomelo #1149
Comments
It seems to be a serious problem.

This problem does exist and can be simplified to understand and test as this:

The temporary solution is to check There is no need to worry about using pinus, pinus does not have this problem. Thanks to @xiaofen9.

Give up on it. NetEase made this, and it was started but never finished.

(cherry picked from commit 5b999c5)

Is this constructor the only "exploitable" one known? Are there other methods that can be overwritten like this?


We found that pomelo allows external control of critical state data. Malicious user input can corrupt arbitrary methods and attributes in template/game-server/app/servers/connector/handler/entryHandler.js because certain internal attributes can be overwritten via a conflicting name. Hence, a malicious attacker can launch attacks by adding additional attributes to user input.
A detailed discussion of the vulnerability can be found here.
https://github.com/cl0udz/vulnerabilities/tree/master/pomelo-critical-state-manipulation
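
The class of bug described above, as an added example that is not from this issue or from pomelo's code base: client-supplied keys copied onto an internal object replace attributes and methods with the same name, while an allowlist keeps them out. `EntryHandler`, `applyUnsafe`, `sanitize`, `ALLOWED_FIELDS` and the message fields are hypothetical names chosen for illustration.

```javascript
'use strict';

// Hypothetical stand-in for a request handler object; not pomelo's code.
class EntryHandler {
  constructor() { this.sessions = 0; }
  entry(msg) { this.sessions += 1; return { code: 200, user: msg.username }; }
}

// Vulnerable pattern: every client-supplied key is copied onto internal state,
// so a key that matches an existing attribute or method name replaces it.
function applyUnsafe(handler, msg) {
  for (const key of Object.keys(msg)) handler[key] = msg[key];
  return handler;
}

// Hardened pattern: copy only allowlisted, primitive-valued fields into a
// prototype-less object, and report everything else so it can be logged.
const ALLOWED_FIELDS = new Set(['username', 'rid']); // assumed message schema

function sanitize(msg) {
  const clean = Object.create(null);
  const rejected = [];
  for (const key of Object.keys(msg)) {
    const value = msg[key];
    const primitive = value === null ||
      (typeof value !== 'object' && typeof value !== 'function');
    if (ALLOWED_FIELDS.has(key) && primitive) clean[key] = value;
    else rejected.push(key);
  }
  return { clean, rejected };
}

// Constructed sample input: one normal field plus two colliding names.
const sample = JSON.parse('{"username":"alice","entry":"x","constructor":"y"}');

function demoUnsafe() {
  const h = applyUnsafe(new EntryHandler(), sample);
  return { entryIsFunction: typeof h.entry === 'function', ctor: h.constructor };
}

function demoSafe() {
  const h = new EntryHandler();
  const { clean, rejected } = sanitize(sample);
  return { reply: h.entry(clean), rejected, entryIsFunction: typeof h.entry === 'function' };
}

console.log(demoUnsafe(), demoSafe());
```

The `rejected` list is worth logging: a client sending names that collide with internal attributes is a useful detection signal.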