ZFR:
Tiss gold
Post edited August 25, 2017 by mechmouse
Gold gold gold gold

Click here
Click here
Click here

EDIT: Woohoo. Fixed.
Post edited August 25, 2017 by ZFR
I am really surprised and disturbed that the staff didn't feel the need to publicly comment on the issue. Not even some PR stuff.
This is really alarming. Don't they care about their customers, if not about their users?
I wonder how they are hoping to conduct an international gaming tournament when they cannot run GOG in a bug-free manner.
I guess it would be less time on the forum for me until this issue is fixed.
And seriously guys, this is not some "forum ate my post" issue, this thing is a serious security concern and should be fixed on highest priority.
OK. I'm done.

I was pretty sure they fixed code injection before, because I remember someone discovering that while it was not possible to do it in the post body, you could still do it in the thread title, and they fixed that too.

Must have been changed during one of GOG's forum "updates".
bhrigu: should be fixed on highest priority.
This is precisely what we are busy with right now, so we don't have much time to comment on forums ;)
bhrigu: I am really surprised and disturbed that the staff didn't feel the need to publicly comment on the issue. Not even some PR stuff.
Probably would have helped if OP contacted GOG support first, instead of posting a tutorial on how to abuse this and hoping a Blue will accidentally see his post.
They fixed similar issues in the past, they fixed the "91" issue pretty much within a day, so the argument that "GOG never does anything anyway" is just nonsense.

Of course this way of doing it ensures a much bigger drama. And in the end we are all here for the entertainment, aren't we ...
It's interesting how you found it minutes after I did and decided to edit out the proof of concept from my post and go report it responsibly. (Which I did, and which was taken seriously.) Then again, the issue is trivial to such a degree that I'd give you even odds all the same of having found it independent of having seen my post.

But either way, not cool exposing this publicly like this without giving GOG time to fix.
Post edited August 25, 2017 by gogtrial34987
I did my best to find a related ticket written by you on this subject, but found none.
I also tried to look for tickets made by other accounts, using some relevant keywords, but the only result I got was a report about this thread itself.

Please let me know how you attempted to report this issue to us, so that we can see if, and where, it might have fallen through some crack.
Post edited August 25, 2017 by Firek
Ho ho! This is a nice drama. Much better than The Bold and the Beautiful.
litek:
Thank you for your reply.
Can you kindly notify us after this issue has been fixed?
Also, is there any way you can find out who has been adversely affected by this issue?
Firek: but the only result I got was a report about this thread itself.
Please let them know that I DID NOT file any of those reports!

thank you Firek :D
Themken: Ho ho! This is a nice drama. Much better than The Bold and the Beautiful.
SCREW YOU!

NOTHING is better than The Bold and the Beautiful!
Post edited August 25, 2017 by tinyE
Great.. even security issues.
I don't dare imagine how safe Galaxy is too..

Wait, could you alter the downvote button too?
You should add a "f**k you!" message to it XD
Post edited August 25, 2017 by phaolo
bhrigu: should be fixed on highest priority.
litek: This is precisely what we are busy with right now, so we don't have much time to comment on forums ;)
While you are fixing things, please also check that your fix ensures that the code can't run through a nested reply.

Like, I reply to someone that does something nasty, but then ZFR replies to my reply and gets hit because my reply had the same nasty code (because it contains the initial dude's code).
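
Added example, not part of any post in this thread and not GOG's code: a sketch of escaping at render time, so that the thread title, the post body and a quote nested inside a quote (the three places mentioned in this thread) all go through the same encoder. It assumes the issue is HTML injection through user-supplied text, which the thread does not spell out; the function names and sample data are hypothetical and constructed.

```javascript
// Assumption: titles, bodies and quotes are stored as raw user text and
// turned into HTML only at render time. All names here are hypothetical.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode text for an HTML element or quoted-attribute context.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// A post is { author, body, quote? }, where quote is itself a post.
// Every level is escaped when rendered, so a quote of a quote is handled
// exactly like the outermost body and is never trusted as markup.
function renderPost(post, depth = 0) {
  if (depth > 10) return '<blockquote>[quote nesting too deep]</blockquote>';
  const quoted = post.quote
    ? `<blockquote>${renderPost(post.quote, depth + 1)}</blockquote>`
    : '';
  return `<div class="post"><b>${escapeHtml(post.author)}</b>: ` +
         `${quoted}<p>${escapeHtml(post.body)}</p></div>`;
}

// The title is user input too and goes through the same encoder.
function renderThread(thread) {
  const posts = thread.posts.map((p) => renderPost(p)).join('\n');
  return `<h1>${escapeHtml(thread.title)}</h1>\n${posts}`;
}

// True when no user-supplied tag survived as live markup.
function isInert(out) {
  return !/<(a|img|script)\b/i.test(out);
}

// Constructed sample: markup in the title and in a post that is then
// quoted twice (a reply to a reply).
const original = { author: 'user_a', body: '<a href="#" onclick="x()">Click here</a>' };
const reply = { author: 'user_b', body: 'What does that do?', quote: original };
const nested = { author: 'user_c', body: 'Same question.', quote: reply };
const thread = { title: 'Test <img src=x onerror=x()>', posts: [original, reply, nested] };

const html = renderThread(thread);
console.log(isInert(html) ? 'all user text rendered inert' : 'live markup survived');
```

Storing quotes as references to the original post, rather than as copied HTML, is what lets one encoder cover every nesting level.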
Firek: it might have fallen through some crack.
I know this is a jab at a user who pointed out a pretty massive mistake in your forum's coding in a grandstanding way, but honestly it wouldn't really surprise me at all if your support tickets are broken too.
Post edited August 25, 2017 by WBGhiro
Firek: but the only result I got was a report about this thread itself.
tinyE: Please let them know that I DID NOT file any of those reports!

thank you Firek :D
Confirmed.

Themken: Ho ho! This is a nice drama. Much better than The Bold and the Beautiful.
tinyE: SCREW YOU!

NOTHING is better than The Bold and the Beautiful!
Confirmed again. :)