
Bonk Commands

Adds lots of commands to bonk.io. Type /? or /help in bonk chat to get started.

< Feedback on the script Bonk Commands

Rating: Bad - script is broken or does not work

Deleted user 1129324
§
Posted: 2023-07-19

CVE-2023-0002

Severity: Bad (i.e. RCE)

Description: An issue was discovered where, if the room is a sandbox, the host can add bots with names made of HTML data (i.e. <h1> or <script>), leading to an XSS vulnerability. Furthermore, this will allow the host to perform RCE on other clients in the lobby due to them also getting the malicious packet through the websocket. The host can exploit this vulnerability to get bonkid tokens from other clients, which will allow the host to log in as them.

Example of attack: https://imgur.com/a/BfFwBMQ

Deleted user 1129324
§
Posted: 2023-07-19
Edited: 2023-07-19

Actually this CVE is pretty funni. I can also add images which will break bonk players' minds.

Example here: https://imgur.com/a/AO6y5sv

so plz keep CVE for the lulz :(

btw the giant menu in the middle is what i use to take screenshots so that isn't part of the CVE. u should look to the left of it where you can see the image of the programming languages.

Deleted user 1129324
§
Posted: 2023-07-19
Edited: 2023-07-19

Another funni example: https://imgur.com/a/HBsR7Iv

After some more testing, it does not seem to be an issue with your mod but with bonk itself, so this CVE is now a bonk cve.

It seems that chaz forgot to sanitize names in lobby. this was most likely due to guests and players not being able to have names with special characters. however, this falls apart when you add bots with special characters in name. It also looks like when the bot joins the lobby and the players are in game, the in game chat sanitizes properly.

so to repeat

THIS IS NOT A BUG IN YOUR CODE
THIS IS A BUG IN BONK.IO, this is a bug that your code accidentally produces due to lack of foresight from chaz.
so lol there is nothing you can do about it
so don't try to fix it because you can't
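
The root cause described in this thread (names restricted for guests and players but not for host-added bots, and encoded in the in-game chat but not in the lobby) is closed by validating names on receipt and encoding them in one shared renderer. This is an added example, not part of the thread and not bonk.io or Bonk Commands code; the function names, packet shape and name policy are assumptions.

```javascript
// Added example: all names below are hypothetical, not bonk.io or Bonk Commands code.

// Allowlist for display names, applied to every source of a name
// (accounts, guests and host-added bots alike). The exact policy is an assumption.
const NAME_RE = /^[A-Za-z0-9_ ]{1,16}$/;

function isValidName(name) {
  return typeof name === "string" && NAME_RE.test(name);
}

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Output encoding for text placed into HTML element content.
// In a browser, assigning to element.textContent achieves the same for this sink.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Single renderer for the join notice, shared by lobby chat and in-game chat,
// so one sink cannot be encoded while the other is not.
function renderJoinNotice(name) {
  return `<div class="chat-status">* ${escapeHtml(name)} has joined the game</div>`;
}

// Receiving side of a join packet: each client re-validates instead of
// trusting that the sender (here, the room host) already did.
function handleJoinPacket(packet) {
  const name = isValidName(packet.name) ? packet.name : "[invalid name]";
  return renderJoinNotice(name);
}

// Constructed sample packets, as every client in the room would receive them.
const samples = [
  { name: "player one" },
  { name: "<h1>bot</h1>" },
  { name: "<img src=x>" },
];
for (const p of samples) console.log(handleJoinPacket(p));
```

Validation on receipt rejects the markup-shaped bot names, and the encoding step keeps the notice inert even if the name policy is later loosened.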

Deleted user 1129324
§
Posted: 2023-07-19

the reason y i say that you can't fix it is because the *[name] has joined the game prompt is created by bonk and not bonk commands, so it is not your code creating the xss CVE.

Deleted user 1129324
§
Posted: 2023-07-19
Edited: 2023-07-19

> THIS IS A BUG IN BONK.IO, this is a bug that your code accidentally produces due to lack of foresight from chaz.
I meant to say:

THIS IS A BUG IN BONK.IO, this is a bug that bonk accidentally produces due to lack of foresight from chaz.

Deleted user 1129324
§
Posted: 2023-07-19
Edited: 2023-07-19

the reason y i say that you can't fix it is because the *[name] has joined the game prompt is created by bonk and not bonk commands, so it is not your code creating the xss CVE.

since it's not a bug that you created, have fun with it, the next time you're in a sandbox lobby and are host, add some images to the chat. spice some things up

§
Posted: 2023-07-19

i shall fix :)

Deleted user 1129324
§
Posted: 2023-07-19

lol

§
Posted: 2023-09-27

does this still work and how do i do it- lol

§
Posted: 2023-09-30

iwanttobeme, this does not work on the latest version of Bonk Commands as of 9/30/2023. For how to do it, idk I tried but I suck at XSS.
