Register to post in forums, or Log in to your existing account
 

Play RetroMUD
Post new topic  Reply to topic     Home » Forums » zMUD General Discussion
snoogans
Novice


Joined: 28 Oct 2001
Posts: 43
Location: USA

PostPosted: Tue Oct 01, 2002 9:20 am   

HUGE problem in zmud with html font parsing
 
Okay it has come to my attention that the html parsing of the font can be abused in a huge way. A friend showed it to me earlier. He pasted this line to me in a tell ...

Exploit deleted - already fixed in current beta version. Next public version will also contain the fix.

And what happens is it makes all text after it forever untill you close the window in windigs font, naturally you cant read it :) He also did a font color=black and everything turned black essentially disapearing. I looked through settings and couldnt find a way to turn it off. If someone knows of a way to turn it off please tell me, I dont want to lose all of my stuff because of this and i dont want to stop using zmud either, I hope it will be fixed very soon as it is a huge problem.

P.S. - dont be an ass and abuse this



Edited by - Kjata on 10/02/2002 15:09:58
Reply with quote
Shalla
Newbie


Joined: 01 Oct 2002
Posts: 3

PostPosted: Tue Oct 01, 2002 1:25 pm   
 
Wow. I tried saying that block of funny text out loud on the mud I play, and it screwed up everything like you said.

Shutting MXP off fixed things. Maybe there is a better solution somewhere, shrug.
Reply with quote
LightBulb
MASTER


Joined: 28 Nov 2000
Posts: 4817
Location: USA

PostPosted: Tue Oct 01, 2002 4:52 pm   
 
Try the obvious?
<font type="Times New Roman">

LightBulb
Senior Member
Reply with quote
Kjata
GURU


Joined: 10 Oct 2000
Posts: 4379
Location: USA

PostPosted: Tue Oct 01, 2002 10:13 pm   
 
Try e-mailing Zugg with this so he is informed about it.

Kjata
Reply with quote
Vijilante
SubAdmin


Joined: 18 Nov 2001
Posts: 5182

PostPosted: Tue Oct 01, 2002 10:21 pm   
 
This seems to have been corrected in a beta version along the way, so the next public version will handle this correctly.
Reply with quote
Kjata
GURU


Joined: 10 Oct 2000
Posts: 4379
Location: USA

PostPosted: Tue Oct 01, 2002 10:26 pm   
 
Heh, there you go.... that's what happens when you don't have zMUD available for testing.

Kjata
Reply with quote
cingulli
Wanderer


Joined: 30 Aug 2001
Posts: 53
Location: Finland

PostPosted: Wed Oct 02, 2002 7:06 pm   
 
Whats the version of zMUD you are using Snoogans?
Reply with quote
Charbal
GURU


Joined: 15 Jun 2001
Posts: 654
Location: USA

PostPosted: Wed Oct 02, 2002 7:58 pm   
 
This appears to be caused by unmatched tags. From the MXP specification at Nick Gammon's site:

quote:

Automatic closure of modal elements
To guard against room designers (or people chatting) inadvertently forgetting to close their modal elements the client will automatically close outstanding open tags as follows:

Open mode
All outstanding tags are closed at any of the following:

newline n
escape e
mode change to secure mode
link loss (loss of connection to server)

<snip>

Closure of tags out of sequence
It is possible, indeed likely, that closing tags will be received out of sequence.
eg.


<B>This is bold text. <I>This is bold italic text. </B></I>

The </I> should have been sent first. For simplicity of client implementation, the client should close all outstanding tags, up to and including the one requested. In the example above, the </B> would close both the outstanding <I> and the <B>.



zMUD 6.16 had several known bugs in its MXP implementation but until now, they hadn't really been explored and exploited.

I'm not a fan of security through obscurity but since Zugg is in the middle of working on zExplorer and the zMUD beta isn't entirely ready for a public version, can a forum moderator (or Snoogans) edit out the exploit itself and mail it directly to Zugg? No point in making things easier for those who might use this maliciously.

In the meantime, a workaround that doesn't involve disabling MXP: click the Prefs button, click the + next to MXP, click Elements, click the System tab and uncheck the box for <font>. With that disabled, the exploit merely makes your text bold. You could uncheck <b>, <bold>, <i> and <italic> if you want.



 - Charbal
Reply with quote
Kjata
GURU


Joined: 10 Oct 2000
Posts: 4379
Location: USA

PostPosted: Wed Oct 02, 2002 9:07 pm   
 
This is not a case of security by obscurity. This is just a case of a simple bug, an honest human mistake, and Zugg has not gone to any lengths to hide it. He recognized it as a bug, fixed it and implemented it in the very next version after it had been fixed. Unfortunately, that was a beta version and no public version has come out after it until now. However, Zugg just said a few days ago that a public version for zMUD is really near, so all of those that don't use beta version will get the fix very soon.

Kjata
Reply with quote
Charbal
GURU


Joined: 15 Jun 2001
Posts: 654
Location: USA

PostPosted: Thu Oct 03, 2002 1:32 am   
 
I think you misunderstood my meaning (which, looking back, I stated exceptionally poorly :P)... I did not mean in any way to imply that Zugg was trying to hide it at all. I believe that exploits should be public knowledge but not until it is responsible to disclose them. When the best option is to upgrade to a beta version (honestly, how many zMUD users are actually going to apply my workaround?), it isn't really responsible to expose the customer base.

That's why I suggested that a moderator edit out the exploit. I agree wholeheartedly, Kjata; this is not security through obscurity. But without a non-beta fix at this time, some might see it as that even though leaving it (the exploit) in would be irresponsible. That's all I meant.


 - Charbal
Reply with quote
Kjata
GURU


Joined: 10 Oct 2000
Posts: 4379
Location: USA

PostPosted: Thu Oct 03, 2002 12:56 pm   
 
Oh, I see.
*nod* I agree.

Kjata
Reply with quote
Display posts from previous:   
Post new topic   Reply to topic     Home » Forums » zMUD General Discussion All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum

© 2009 Zugg Software. Hosted by Wolfpaw.net