Vulnerabilities: Difference between revisions

From Our World of Text Wiki
(Created page with "This page documents all vulnerabilities that have been present in Our World of Text. Design flaws will not be included. By definition, a vulnerability is a bug that a person can take advantage of to manipulate the server or a user's data in unauthorized ways. == April 12, 2018 == '''Type:''' Unauthorized data manipulation '''Description:''' With a few specially crafted edits, the content of a tile can get corrupted, affecting precisely-protected cells as well. '''Comm...")
 
No edit summary
Line 8: Line 8:
'''Commit(s):''' <nowiki>https://github.com/system2k/NodeWorldOfText/commit/edd89084e5cdb80d49af1239bf796506dadc3aea</nowiki>
'''Commit(s):''' <nowiki>https://github.com/system2k/NodeWorldOfText/commit/edd89084e5cdb80d49af1239bf796506dadc3aea</nowiki>


'''Actively exploited:''' Yes
'''Actively exploited at it's time:''' Yes


'''Patched:''' Yes
'''Patched:''' Yes
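Review bot: The renamed label on the new side, "Actively exploited at it's time:", uses the contraction "it's" where the possessive is meant. Suggest "Actively exploited at its time:" or the plainer "Actively exploited at the time:". The same wording recurs in every other hunk of this revision, so the fix applies to each of them.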
Line 19: Line 19:
'''Description:''' Sending a cursor message on a world with guest cursors disabled and then disconnecting the client would crash the server. Can be used to take down server for any amount of time.
'''Description:''' Sending a cursor message on a world with guest cursors disabled and then disconnecting the client would crash the server. Can be used to take down server for any amount of time.


'''Actively exploited:''' No
'''Actively exploited at it's time:''' No


'''Patched:''' Yes
'''Patched:''' Yes
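Review bot: In this entry the Description line is followed directly by the "Actively exploited" field, with no "Commit(s):" line between them, while the hunks at Line 8, Line 43 and Line 56 each show one. Since this edit already touches the entry, consider adding the fixing commit here if one exists, so that "Patched: Yes" can be checked against a change.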
Line 30: Line 30:
'''Description:''' Upon removing a member from your world, all of the member's connected clients will be temporarily demoted regardless of their world until they refresh. Caused by not checking the world the client is located in before unmarking user as member in memory.
'''Description:''' Upon removing a member from your world, all of the member's connected clients will be temporarily demoted regardless of their world until they refresh. Caused by not checking the world the client is located in before unmarking user as member in memory.


'''Actively exploited:''' No
'''Actively exploited at it's time:''' No


'''Patched:''' Yes
'''Patched:''' Yes
Line 43: Line 43:
'''Commit(s):''' <nowiki>https://github.com/system2k/NodeWorldOfText/commit/d021af26bb8363fcf9ec73539cd05208b6f5ed3d</nowiki>
'''Commit(s):''' <nowiki>https://github.com/system2k/NodeWorldOfText/commit/d021af26bb8363fcf9ec73539cd05208b6f5ed3d</nowiki>


'''Actively exploited:''' No
'''Actively exploited at it's time:''' No


'''Patched:''' Yes
'''Patched:''' Yes
Line 56: Line 56:
'''Commit(s):''' <nowiki>https://github.com/system2k/NodeWorldOfText/commit/292df686812af8cb3d99bada2c3ded3f4b3d8850</nowiki>
'''Commit(s):''' <nowiki>https://github.com/system2k/NodeWorldOfText/commit/292df686812af8cb3d99bada2c3ded3f4b3d8850</nowiki>


'''Actively exploited:''' No
'''Actively exploited at it's time:''' No


'''Patched:''' Yes
'''Patched:''' Yes


'''Discoverer(s):''' FP
'''Discoverer(s):''' FP

Revision as of 15:01, 20 September 2023

This page documents all vulnerabilities that have been present in Our World of Text. Design flaws will not be included. By definition, a vulnerability is a bug that a person can take advantage of to manipulate the server or a user's data in unauthorized ways.

April 12, 2018

Type: Unauthorized data manipulation

Description: With a few specially crafted edits, the content of a tile can get corrupted, affecting precisely-protected cells as well.

Commit(s): https://github.com/system2k/NodeWorldOfText/commit/edd89084e5cdb80d49af1239bf796506dadc3aea

Actively exploited at its time: Yes

Patched: Yes

Discoverer(s): Unknown, FP

September 23, 2021

Type: Crash exploit

Description: Sending a cursor message on a world with guest cursors disabled and then disconnecting the client would crash the server. Can be used to take down the server for any amount of time.

Actively exploited at its time: No

Patched: Yes

Discoverer(s): FP

November 20, 2021

Type: Unauthorized in-memory representation manipulation

Description: Upon removing a member from your world, all of the member's connected clients will be temporarily demoted regardless of their world until they refresh. Caused by not checking the world the client is located in before unmarking the user as a member in memory.

Actively exploited at its time: No

Patched: Yes

Discoverer(s): FP
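
The missing check described in the November 20, 2021 entry, as an added JavaScript example that is not taken from the NodeWorldOfText code base. The client records, field names and function names are hypothetical; the last function is a regression check that lists connections changed outside the target world.

```javascript
// Hypothetical in-memory model (constructed sample data): each connected
// client records its user, the world it is viewing, and a cached member flag.
function makeClients() {
  return [
    { id: 1, userId: "alice", world: "garden", isMember: true },
    { id: 2, userId: "alice", world: "library", isMember: true },
    { id: 3, userId: "bob", world: "garden", isMember: true },
  ];
}

// Flawed form from the description: matches on the user only, so every
// connection of that user loses its member flag, whichever world it is in.
function demoteUnscoped(clients, userId) {
  for (const c of clients) {
    if (c.userId === userId) c.isMember = false;
  }
}

// Scoped form: the client must also be located in the world from which the
// member was removed.
function demoteScoped(clients, userId, world) {
  for (const c of clients) {
    if (c.userId === userId && c.world === world) c.isMember = false;
  }
}

// Member flags after removing "alice" from "garden", as "id:flag" pairs.
function membershipAfter(demote) {
  const clients = makeClients();
  demote(clients, "alice", "garden");
  return clients.map((c) => `${c.id}:${c.isMember}`).join(" ");
}

// Regression check: ids of clients whose flag changed although they are
// connected to a different world than the one the removal applied to.
function crossWorldSideEffects(demote, userId, world) {
  const clients = makeClients();
  const before = clients.map((c) => c.isMember);
  demote(clients, userId, world);
  return clients
    .filter((c, i) => c.isMember !== before[i] && c.world !== world)
    .map((c) => c.id);
}

console.log("unscoped:", membershipAfter(demoteUnscoped));
console.log("scoped:  ", membershipAfter(demoteScoped));
console.log("leaked:  ", crossWorldSideEffects(demoteUnscoped, "alice", "garden"));
```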

June 11, 2022

Type: Crash exploit

Description: A write to a tile containing an empty "link" object within the cell_props can crash the server. Can be used to take down the server for any amount of time.

Commit(s): https://github.com/system2k/NodeWorldOfText/commit/d021af26bb8363fcf9ec73539cd05208b6f5ed3d

Actively exploited at its time: No

Patched: Yes

Discoverer(s): FP

February 27, 2023

Type: Data infiltration

Description: A user can insert arrays of unlimited lengths into the color array of a tile. Can be used to corrupt tile color data or take the server down.

Commit(s): https://github.com/system2k/NodeWorldOfText/commit/292df686812af8cb3d99bada2c3ded3f4b3d8850

Actively exploited at its time: No

Patched: Yes

Discoverer(s): FP