Dizeez Bug - Arbitrary Player-Score Forgery


Vijeenrosh PW Vijeen

Apr 23, 2013, 2:44:14 PM4/23/13
to crow...@googlegroups.com
Hi,
While drafting the application, I was wonder-struck by this: it's possible to forge arbitrary score-player info by sending an asynchronous AJAX request to leaderboard.cgi. To demonstrate, I have forged a player "Gene Guru" with a score of 10000. Chrome Developer Tools (JS console) was used to carry out the attack.

Following is the snippet that was executed:
      
            // Forges a leaderboard entry: a plain GET to leaderboard.cgi with a
            // caller-chosen player and points is accepted without any check
            var hreq = new XMLHttpRequest();
            var url = "leaderboard.cgi?player=GeneGure&points=10000";
            hreq.open("GET", url);
            hreq.send();

Malicious users can run scripts that corrupt the score list.
A solution to prevent such attempts would be to add authentication to Dizeez: leaderboard.cgi should check for a valid cookie before accepting the payload. I have been working on implementing authentication for Dizeez: https://bitbucket.org/vijeenroshpw/dizeez/commits/4acf1e0939149b10ababbb7b4a7d6293290e01dd
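The check proposed above, as an added example that is not part of the original post or of the Dizeez code: a minimal Python model of leaderboard.cgi in which the unauthenticated handler believes whatever player and points it is sent, and the hardened handler takes the player from an HMAC-signed session cookie and refuses requests without one. The cookie format, the handler names and the secret are assumptions made for this example.

```python
import hmac
import hashlib
import secrets
from http.cookies import SimpleCookie

# Constructed secret for this example only; a real deployment loads it from
# configuration outside the source tree and rotates it.
SERVER_SECRET = b"constructed-example-secret"
SCORES = {}  # in-memory leaderboard standing in for the real score store


def make_session_cookie(player: str) -> str:
    """Issue a session value of the form player|nonce|hmac (assumed format)."""
    nonce = secrets.token_hex(8)
    msg = f"{player}|{nonce}".encode()
    sig = hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()
    return f"{player}|{nonce}|{sig}"


def verify_session_cookie(value):
    """Return the authenticated player, or None if the cookie is absent or forged."""
    try:
        player, nonce, sig = value.split("|")
    except (ValueError, AttributeError):
        return None
    msg = f"{player}|{nonce}".encode()
    expected = hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()
    # constant-time comparison; a tampered player name or signature fails here
    if not hmac.compare_digest(expected, sig):
        return None
    return player


def leaderboard_unauthenticated(query: dict):
    """The behaviour described in the post: any player/points pair is recorded."""
    SCORES[query["player"]] = int(query["points"])
    return 200, "ok"


def leaderboard_authenticated(query: dict, cookie_header: str):
    """Hardened handler: identity comes from a valid session cookie, not the query."""
    cookie = SimpleCookie(cookie_header or "")
    session = cookie["session"].value if "session" in cookie else None
    player = verify_session_cookie(session)
    if player is None:
        return 403, "no valid session cookie"
    # The 'player' query parameter is deliberately ignored: the session decides
    # whose score is recorded, so a caller cannot write entries for others.
    SCORES[player] = int(query["points"])
    return 200, "ok"
```

A valid cookie stops outsiders from forging entries for arbitrary players, but a logged-in player can still submit any points value, so the server should also compute or validate the score itself rather than trust the submitted number.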




Max Nanis

Apr 23, 2013, 6:21:40 PM4/23/13
to crow...@googlegroups.com
Great to see you spotted that -- one of the many reasons we decided to turn this into a GSoC to improve it!

Looks like a great start! If you're interested in security / request authentication, I would definitely check out Devise if you're a Ruby person, or the user authentication integrated into Django. They're great examples of how to implement important security measures like this in a very large, extremely well tested and implementation-abstracted way.

Cheers,
M