Cities: Skylines wishlist entry pops up "1" and can cause the browser to crash.

"a","alert(1)"] 23 hrs. ago manifest_pw
"></img src=x onerror=alert(1)/>
Post edited June 06, 2015 by tfishell
Yay.
tfishell: http://www.gog.com/wishlist/games/cities_skylines

"a","alert(1)"] 23 hrs. ago manifest_pw
"></img src=x onerror=alert(1)/>
Hmm. Dangerous stuff. Input not properly checked/encoded.
Maybe you should have posted a screenshot instead...
tfishell: http://www.gog.com/wishlist/games/cities_skylines

"a","alert(1)"] 23 hrs. ago manifest_pw
"></img src=x onerror=alert(1)/>
You've been nasty :D
Well, the wishlist is in beta. :-P
I just hope someone has alerted The Blue Ones?
Wow, this is a really nasty bug. If someone wanted to be evil (which you always have to assume), it would easily be possible to steal people's session information and possibly login information, without anyone noticing.
I clicked your link to see and it crashed my Chrome and I lost all my tabs. Thanks for that.
jpilot: Wow, this is a really nasty bug. If someone wanted to be evil (which you always have to assume), it would easily be possible to steal people's session information and possibly login information, without anyone noticing.
Can anyone confirm this? I am not so sure this is true.
Austrobogulator: Maybe you should have posted a screenshot instead...
Agreed. Although a big "DON'T VISIT THE WISHLIST FOR THE LOVE OF GOD DON'T DO IT SOMETHING'S SERIOUSLY WRONG THERE!!!" probably would have been even better. Oh well, at least if my account gets hijacked now I know why. Because of tfishell. :P
jpilot: Wow, this is a really nasty bug. If someone wanted to be evil (which you always have to assume), it would easily be possible to steal people's session information and possibly login information, without anyone noticing.
misteryo: Can anyone confirm this? I am not so sure this is true.
Just to explain a little bit: The thing is, once you are able to insert arbitrary JavaScript code into a website (which obviously is the case here), you can execute that code with the permissions the user's web browser grants the scripts on that page (the browser simply cannot distinguish that malicious code from normal code used by the website), which means the script has access to all data available to it immediately through the global JavaScript context, as well as through any AJAX script or any website URL on that same host. So the script could possibly (and this is very likely as there does not seem to be a validation of that change through a confirmation email) even change your own password without you knowing it.
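For reference, this is what the missing step looks like on the server side: the same user text has to be encoded differently depending on where it lands (HTML text, an attribute value, or a string literal inside an inline script). The code below is an added illustration, not GOG's code and not something posted in this thread. The sample title is the string quoted above; the function names, the row markup and the script literal shape are assumptions made for the example.

```javascript
// Added example (not GOG's code, not from the thread): context-aware output
// encoding for a wishlist row. SAMPLE_TITLE is the payload quoted in the thread;
// the markup shape and function names are assumptions for illustration.

const SAMPLE_TITLE = '"></img src=x onerror=alert(1)/>';
const SAMPLE_USER = 'manifest_pw';

// Escape the characters that change meaning in HTML text and in
// double- or single-quoted attribute values.
function escapeHtml(untrusted) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(untrusted).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Encode a value for embedding as a JS string literal inside an inline
// <script> block. JSON.stringify handles quotes, backslashes and control
// characters; the extra replacements keep "</script>" or "<!--" sequences
// from terminating or altering the script block. The result is still valid
// JSON, so JSON.parse(encodeForScript(x)) === x.
function encodeForScript(untrusted) {
  return JSON.stringify(String(untrusted))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026');
}

// The pattern the thread describes: user text concatenated straight into
// markup and into a script literal. Kept here only as the "before" picture.
function renderUnsafe(title, user) {
  return `<div class="wish" data-title="${title}">${title} by ${user}</div>` +
         `<script>var entry = ["${title}","${user}"];</script>`;
}

// Same row, each interpolation encoded for the context it lands in.
function renderSafe(title, user) {
  const t = escapeHtml(title);
  const u = escapeHtml(user);
  return `<div class="wish" data-title="${t}">${t} by ${u}</div>` +
         `<script>var entry = [${encodeForScript(title)},${encodeForScript(user)}];</script>`;
}

// Rough regression check a template test could run: any '<' that is not
// one of the tags this template deliberately emits means user text escaped
// its context.
function hasForeignTag(html) {
  return /<(?!\/?(div|script)\b)/.test(html);
}

// Demonstration with the thread's sample input.
console.log('unsafe:', renderUnsafe(SAMPLE_TITLE, SAMPLE_USER));
console.log('safe:  ', renderSafe(SAMPLE_TITLE, SAMPLE_USER));
console.log('foreign tag in safe output?', hasForeignTag(renderSafe(SAMPLE_TITLE, SAMPLE_USER)));
```

Two points worth noting from the output: the encoded title still reads as the same text to the user, it just no longer closes the attribute or the array, and the browser-side check in hasForeignTag is only a coarse regression test, not a substitute for encoding at every interpolation point. Marking the session cookie HttpOnly would also blunt the "steal session information" part jpilot mentions, though it does nothing against actions the script performs directly on the page.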
Austrobogulator: Maybe you should have posted a screenshot instead...
F4LL0UT: Agreed. Although a big "DON'T VISIT THE WISHLIST FOR THE LOVE OF GOD DON'T DO IT SOMETHING'S SERIOUSLY WRONG THERE!!!"
Adding more atmosphere:
https://youtu.be/31Zo-NK1p-g?t=136
jpilot: Just to explain a little bit: The thing is, once you are able to insert arbitrary JavaScript code into a website (which obviously is the case here), you can execute that code with the permissions the user's web browser grants the scripts on that page (the browser simply cannot distinguish that malicious code from normal code used by the website), which means the script has access to all data available to it immediately through the global JavaScript context, as well as through any AJAX script or any website URL on that same host. So the script could possibly (and this is very likely as there does not seem to be a validation of that change through a confirmation email) even change your own password without you knowing it.
Can you be safe if you use Galaxy only?
Post edited June 05, 2015 by Rozenman
Guys, guys, it's all fine. I'm sure if there was a problem Gog would have informed us!
Avogadro6: Guys, guys, it's all fine. I'm sure if there was a problem Gog would have informed us!
Or maybe on the contrary, huh. Moreover, they might not know about it.