Thu 28 Sep 2006
Today I ran a security check again after all the work we have done to the game core. I was very happy to see that most of the security issues were gone, but one high-level threat was found!
The bug is called: “Cross Site Scripting in URI”. The problem was hidden deep in the code - one global variable was used without checking it for potential threats and without cleaning it.
The variable I am talking about is $_SERVER['PHP_SELF']. The simplest example of using this vulnerability was this:
If you type:
http://www.madforspeed.com/index.php/>'><script><alert ("bug")</script> ,
the main page would open and a JavaScript alert would show a message: “bug”.
Strange that I didn’t find this bug the last time I was checking the game. But it is now fixed! A few more big updates to the game core and I’ll do the check again.
See you then
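
An added example, not the game's own code: $_SERVER['PHP_SELF'] includes whatever path the visitor appends after index.php, so echoing it unencoded into a page lets that text become markup. The function names and the request value below are constructed for illustration, and the post does not say which fix the game used.

```php
<?php
// Constructed request values. PHP_SELF carries the extra path that follows
// the script name (PATH_INFO), so it is visitor-controlled input.
$_SERVER['PHP_SELF']    = '/index.php/"><b>injected</b>';
$_SERVER['SCRIPT_NAME'] = '/index.php';

// "Before": the raw value is written into an HTML attribute (the bug pattern).
function form_unsafe(): string
{
    return '<form action="' . $_SERVER['PHP_SELF'] . '" method="post">';
}

// Fix 1: encode for the HTML attribute context at the point of output.
function form_escaped(): string
{
    $self = htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8');
    return '<form action="' . $self . '" method="post">';
}

// Fix 2: use SCRIPT_NAME, which has no trailing PATH_INFO, and still encode.
function form_script_name(): string
{
    $self = htmlspecialchars($_SERVER['SCRIPT_NAME'], ENT_QUOTES, 'UTF-8');
    return '<form action="' . $self . '" method="post">';
}

foreach (['form_unsafe', 'form_escaped', 'form_script_name'] as $fn) {
    $html = $fn();
    // The attribute is escaped from only if a raw "> followed by a tag survives.
    $broken = strpos($html, '"><b>') !== false;
    printf("%-17s %s %s\n", $fn, $broken ? 'INJECTED' : 'safe    ', $html);
}
```

Encoding at output is the general fix for every place the variable is printed; switching to SCRIPT_NAME additionally removes the visitor-supplied part from the value.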