EidoGo is susceptible to Cross-Site Scripting (XSS) attacks via maliciously crafted SGF input.
There are actually two separate XSS vulnerabilities:
A patch attempting to mitigate these security vulnerabilities was submitted in this pull request:
Note that the pull request does not include an updated minified file. However, a minified file incorporating this patch has been prepared by the OGS developers and is available here:
The identifier "CVE-2015-3172" has been assigned to refer to this issue.
Are you sure that "reflected" is the correct terminology? It seems that "reflected" applies specifically to "non-persistent" attacks that originate from malicious payload that is somehow placed in the victim's request. I believe this security vulnerability should be categorized as "persistent" or "stored", since an attacker can upload a malicious SGF file to eidogo.com which will then threaten any victim that later visits the particular page for that file. On various forums using eidogo as an embedded SGF viewer, an attacker can upload a malicious SGF file that will then threaten any victim that later visits that particular forum post.
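The stored scenario described above comes down to an uploaded SGF file whose text is later written into a viewer's page as markup. As an added example (not EidoGo's code and not the submitted patch), the sketch below shows the general defence of treating every SGF property value as untrusted text and HTML-escaping it before it reaches the page. The function names and the sample SGF string are hypothetical and constructed for illustration.

```javascript
// Constructed sample input: a player name carrying markup, and a comment
// that uses the SGF escape "\]" for a literal closing bracket.
const SAMPLE_SGF = '(;GM[1]PB[<script>alert(1)</script>]C[5\\] > 3])';

// Minimal SGF property scanner (hypothetical helper, not a full SGF parser):
// returns every identifier/value pair in document order.
function parseSgfProps(sgf) {
  const props = [];
  let i = 0;
  while (i < sgf.length) {
    // A property identifier is a run of uppercase letters outside any value.
    const m = /^[A-Z]+/.exec(sgf.slice(i));
    if (!m) { i++; continue; }
    const id = m[0];
    i += id.length;
    while (sgf[i] === '[') {
      let value = '';
      i++; // skip opening '['
      while (i < sgf.length && sgf[i] !== ']') {
        // SGF escaping: a backslash makes the next character literal.
        if (sgf[i] === '\\' && i + 1 < sgf.length) i++;
        value += sgf[i++];
      }
      i++; // skip closing ']'
      props.push({ id, value });
    }
  }
  return props;
}

// Encode the five characters that are significant in HTML text and attributes.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return text.replace(/[&<>"']/g, (c) => map[c]);
}

// Build display markup from an untrusted SGF string; only the template is markup,
// every value taken from the file is escaped first.
function renderProps(sgf) {
  return parseSgfProps(sgf)
    .map((p) => `<dt>${escapeHtml(p.id)}</dt><dd>${escapeHtml(p.value)}</dd>`)
    .join('');
}
```

In a browser, assigning the value to an element's `textContent` instead of building an HTML string gives the same protection without a hand-written escaper.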
Unfortunately, this project appears to be abandoned.
The last I heard from the developer was via an email on May 5, 2015, which simply stated
in response to my offer to help resolve the bug. The only other communication I have had from the developer was an earlier email on April 13, 2015 in response to my initial disclosure:
The code is quite stale and neglected. Note that: