Security: master.openra.net does not sanitize input and allows remote code execution #11826
Would recommend disabling master.openra.net until patched. Able to deliver malware to win/mac/linux to any client that connects to master.openra.net
@martinalderson we don't have an established mechanism for reporting security issues yet; please disclose these privately to me via email; chrisf@ijw.co.nz.
Does the malware persist between client restarts?
@martinalderson I've not heard from you...
The client queries the master server from only two places (querying server list and game news), and in both it directly parses the returned result as text. Only the news query saves the data to disk, and this is not executed. I won't speculate further without knowing the details of the report, but I don't see any risk for executing code on the client-side, so removing from the milestone.
Closing here as these exploits should not be publicized until fixed. https://github.com/OpenRA/OpenRAMasterServer also has its own tracker.
Please let me know the best way to disclose this issue.