Adds lots of commands to bonk.io. Type /? or /help in bonk chat to get started.
< Părere la script-ul Bonk Commands
Actually this CVE is pretty funni. I can also add images which will break bonk players' minds.
Example here: https://imgur.com/a/AO6y5sv
so plz keep CVE for the lulz :(
btw the giant menu in the middle is what i use to take screenshots so that isnt part of the CVE. u should look to the left of it where you can see the image of the programming languages.
Another funni example: https://imgur.com/a/HBsR7Iv
After some more testing, it does not see to be an issue with your mod but with bonk itself, so this CVE is now a bonk cve.
It seems that chaz forgot to sanatize names in lobby. this was most likely due to guest and players not being to have names with special characters. however, this falls apart when you add bots with special charaters in name. It also looks like when the bot joins the lobby and the players are in game, the in game chat sanitizes properly.
so to repeat
THIS IS NOT A BUG IN YOUR CODE
THIS IS A BUG IN BONK.IO, this a bug that your code accidentally produce do to lack of foresight from chaz.
so lol there is nothing you can do about
so dont try to fix it because you cant
the reason y i say that you cant fix it is because the *[name] has joined the game prompt is created by bonk and not bonk commands, so it is not your code creating the xss CVE.
> THIS IS A BUG IN BONK.IO, this a bug that your code accidentally produce do to lack of foresight from chaz.
I meant to say:
THIS IS A BUG IN BONK.IO, this is a bug that bonk accidentally produces do to lack of foresight from chaz.
the reason y i say that you cant fix it is because the *[name] has joined the game prompt is created by bonk and not bonk commands, so it is not your code creating the xss CVE.
since its not a bug that you created, have fun with it, the next time your in a sandbox lobby and are host, add some images to the chat. spice some things up
i shall fix :)
lol
does this still work and how do i do it- lol
iwanttobeme, this does not work on the latest version of Bonk Commands as of 9/30/2023. For how to do it, idk I tried but I suck at XSS.
CVE-2023-0002
Severity: Bad (i.e RCE)
Description: An issue was discovered where if the room is a sandbox, the host can add bots with names of html data (i.e. <h1> or <script>) leading xss vulnerability. Furthermore, this will allow the host to perform RCE on other clients in the lobby due to them also getting the malicious packet through the websocket. The host can exploit this vulnerability to get bonkid tokens from other clients which will allow the host to login as them.
Example of attack: https://imgur.com/a/BfFwBMQ