A vulnerability in pomelo #1149
We found that pomelo allows external control of critical state data. Malicious user input can corrupt arbitrary methods and attributes in template/game-server/app/servers/connector/handler/entryHandler.js because certain internal attributes can be overwritten via a conflicting name. Hence, a malicious attacker can launch attacks by adding additional attributes to user input. A detailed discussion of the vulnerability can be found here.
whtiehack commented 1 hour ago
It seems to be a serious problem.
whtiehack commented 1 hour ago
This problem does exist and can be simplified to understand and test as this:
whtiehack commented 35 minutes ago
The temporary solution is to check
There is no need to worry about using pinus; pinus does not have this problem. Thanks to @xiaofen9.
whtiehack added a commit to node-pinus/pinus that referenced this issue 28 minutes ago
Prevent calls constructor. because NetEase/pomelo#1149
whtiehack added a commit to whtiehack/pomelo that referenced this issue 15 minutes ago
Verified
whtiehack referenced this issue 15 minutes ago
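The pinus commit message above, "Prevent calls constructor", concerns handler methods being selected by a name that conflicts with an inherited one. As an added illustration (not code from pomelo, pinus or this thread), the sketch below contrasts a naive method lookup with one restricted to the handler's own methods. `EntryHandler`, `resolveNaive`, `resolveSafe` and `dispatch` are hypothetical names, and it assumes the last segment of a route names the method to call.

```javascript
'use strict';

// Hypothetical handler standing in for a connector entry handler.
class EntryHandler {
  entry(msg) { return { code: 200, msg: 'welcome ' + msg.name }; }
}

// Naive lookup: anything reachable through the prototype chain resolves,
// including `constructor` and Object.prototype methods such as `toString`.
function resolveNaive(handler, method) {
  return typeof handler[method] === 'function' ? handler[method] : null;
}

// Hardened lookup: only functions defined on the instance or on its own
// class prototype, never `constructor`, never anything inherited further up.
function resolveSafe(handler, method) {
  if (typeof method !== 'string' || method === 'constructor') return null;
  const own = Object.prototype.hasOwnProperty;
  const proto = Object.getPrototypeOf(handler);
  let holder = null;
  if (own.call(handler, method)) holder = handler;
  else if (proto && proto !== Object.prototype && own.call(proto, method)) holder = proto;
  if (!holder) return null;
  const fn = holder[method];
  return typeof fn === 'function' ? fn : null;
}

// Assumption: the last dot-separated segment of the route names the method.
function dispatch(handler, route, msg, resolve) {
  const method = String(route).split('.').pop();
  const fn = resolve(handler, method);
  if (!fn) return { code: 404, msg: 'unknown route' };
  return fn.call(handler, msg);
}

// Constructed sample requests.
const handler = new EntryHandler();
console.log(dispatch(handler, 'connector.entryHandler.entry', { name: 'bob' }, resolveSafe));
console.log(dispatch(handler, 'connector.entryHandler.constructor', {}, resolveSafe));
console.log(dispatch(handler, 'connector.entryHandler.toString', {}, resolveSafe));
```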