We are under attack because attackers can send WebSocket requests from any host. Please add a Same-Origin policy to the WebSocket port.
We received a huge number of out-of-sequence packets from attackers and the server crashed twice.
I use Maven 64 4.32.
Logs:
Out of sequence packet (3) received from , IP 2.182.173.1
Out of sequence packet (3) received from , IP 46.224.149.86
Connection denied to 5.124.131.84 due to client/server version mismatch (4.31/4.31 B1)
WSServerExecute error: Access violation at address 0000000000408D26 in module PMServer.exe. Read of address 0000000000000000
Connection denied to 5.22.41.10 due to client/server version mismatch (4.31/4.31 B1)
pookeer wrote: Please add a Same-Origin policy to the WebSocket port.
Same origin as what? That won't stop a hacking attempt. Anyone can send packet requests to your server. But they won't be executed if the session ID doesn't match the connection thread. And the sequence check is an added protection.
Another bug is in the event log: when an attacker sends a huge string as the server version in the WebSocket request, you show the version (the huge string) in the event log as a version error, the memory of Maven grows to 7 GB or more, and Maven crashes.
Also, Maven has a CSRF vuln.
And an attacker, with social engineering, can give a link to any client and send any request from the client to the server because you don't check the Origin.
pookeer wrote: If you check the Origin header and only allow requests from the Maven server IP address, attackers can't send requests from their own pages to the WebSocket.
What's to stop the hacker from setting that header to anything they want?
Another bug is in the event log: when an attacker sends a huge string as the server version in the WebSocket request, you show the version (the huge string) in the event log as a version error, the memory of Maven grows to 7 GB or more, and Maven crashes.
An attacker can change the headers of their own request, but can't change the headers of a client in a web page with a WebSocket connection.
For example, an attacker makes a page with a WebSocket connection to the Maven packet port and puts it on a site with 1000 visitors; all of these visitors then have a session on the Maven server without authorization.
But if you check the Origin, none of these sessions is created.
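The following is an added example (not code from this thread, and not Maven's or PMServer's own handshake code) showing the check pookeer is describing: the server validates the HTTP upgrade request and refuses a 101 unless the Origin header is on an allow-list. The point for a defender is that a browser sets Origin itself and page script cannot override it, so a page hosted elsewhere cannot open sessions through its visitors' browsers; the allow-list contents, the `/packet` path and the function names are assumptions, and the sample requests are constructed, not captured traffic.

```python
import base64
import hashlib
from typing import Dict, Optional, Set, Tuple

# Fixed GUID from RFC 6455, used to derive Sec-WebSocket-Accept.
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"

# Hypothetical allow-list: only the origins that serve the server's own pages
# (exact scheme + host + port, never a substring match).
ALLOWED_ORIGINS: Set[str] = {"https://maven.example.com"}


def parse_handshake(raw: bytes) -> Tuple[str, Dict[str, str]]:
    """Split a raw HTTP upgrade request into its request line and a lower-cased header map."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def accept_key(client_key: str) -> str:
    """Compute the Sec-WebSocket-Accept value for a client's Sec-WebSocket-Key."""
    digest = hashlib.sha1((client_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def handle_handshake(raw: bytes, allowed: Set[str] = ALLOWED_ORIGINS) -> Tuple[int, bytes]:
    """Validate an upgrade request and return (status, response bytes).

    A 101 is produced only when Origin is present and on the allow-list. Browsers set
    Origin themselves and page script cannot change it, so a page hosted elsewhere is
    refused here, before any session object exists.
    """
    request_line, h = parse_handshake(raw)
    if not request_line.startswith("GET "):
        return 405, b"HTTP/1.1 405 Method Not Allowed\r\n\r\n"
    if (h.get("upgrade", "").lower() != "websocket"
            or "upgrade" not in h.get("connection", "").lower()
            or h.get("sec-websocket-version") != "13"):
        return 400, b"HTTP/1.1 400 Bad Request\r\n\r\n"
    key = h.get("sec-websocket-key")
    if not key:
        return 400, b"HTTP/1.1 400 Bad Request\r\n\r\n"
    origin = h.get("origin")
    if origin is None or origin.lower() not in allowed:
        return 403, b"HTTP/1.1 403 Forbidden\r\n\r\n"
    response = (
        "HTTP/1.1 101 Switching Protocols\r\n"
        "Upgrade: websocket\r\n"
        "Connection: Upgrade\r\n"
        f"Sec-WebSocket-Accept: {accept_key(key)}\r\n\r\n"
    )
    return 101, response.encode("ascii")


def _request(origin: Optional[str]) -> bytes:
    """Build a constructed handshake request (sample data, not captured traffic)."""
    lines = [
        "GET /packet HTTP/1.1",
        "Host: maven.example.com",
        "Upgrade: websocket",
        "Connection: Upgrade",
        "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==",  # sample key from RFC 6455
        "Sec-WebSocket-Version: 13",
    ]
    if origin is not None:
        lines.append(f"Origin: {origin}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


# Constructed samples: the server's own page, a page hosted elsewhere, and no Origin at all.
OWN_PAGE = _request("https://maven.example.com")
OTHER_PAGE = _request("https://other.example.net")
NO_ORIGIN = _request(None)

if __name__ == "__main__":
    for label, req in (("own page", OWN_PAGE), ("other page", OTHER_PAGE), ("no Origin", NO_ORIGIN)):
        status, _ = handle_handshake(req)
        print(f"{label}: HTTP {status}")
```

Two design points: a missing Origin is refused here because this endpoint is meant for the server's own web pages; a non-browser client can put anything in that header, so the Origin check only closes the cross-site, browser-driven path and the session-ID and sequence checks mentioned earlier remain the defence against direct connections. Detection-wise, a 403 from this function is worth a bounded log line, since a burst of refused origins is exactly the pattern described in this thread.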
Concerning the event log issue, is there some kind of global cutting mechanism in the code that truncates any string with an irrelevant length (> maximum expected length)?
Perhaps this could also apply to data received on the WebSocket: if a buggy, very long string is sent to the server, the server should put a "hack attempt ?" line in the event log and immediately close the session that sent this string (depending on the component you use to receive data packets, this will also save a lot of memory/CPU).
johndoo wrote: Perhaps this could also apply to data received on the WebSocket: if a buggy, very long string is sent to the server, the server should put a "hack attempt ?"
Yes, this is being tested now and will be in the next update.
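As an added example (not Maven's or PMServer's own code, and not what the "next update" contains), here is the kind of global cutting mechanism johndoo asks about, applied to the two cases raised in this thread: the oversized "server version" string that was being copied into the event log, and an oversized payload arriving on the WebSocket. The limits, function names and sample frames are assumptions constructed for the example; the frame header layout is the one defined in RFC 6455 section 5.2, and the mismatch message is formatted like the "client/server version mismatch" log lines shown above.

```python
import struct
from typing import Optional, Tuple

# Hypothetical limits; tune them to the protocol's real maxima.
MAX_LOG_FIELD = 64              # longest untrusted string ever echoed into the event log
MAX_VERSION_LEN = 16            # a real version string such as "4.31 B1" is far shorter
MAX_FRAME_PAYLOAD = 64 * 1024   # largest single frame the server is willing to buffer


def log_safe(value: str, limit: int = MAX_LOG_FIELD) -> str:
    """Bound and sanitise an untrusted string before it goes into a log line."""
    head = value[:limit]
    cleaned = "".join(ch if 32 <= ord(ch) < 127 else "?" for ch in head)
    if len(value) > limit:
        return f"{cleaned}...[truncated, {len(value)} chars]"
    return cleaned


def check_version(client_version: str, server_version: str) -> Tuple[bool, str]:
    """Version check that never copies an oversized client string into the log."""
    if len(client_version) > MAX_VERSION_LEN:
        return False, (f"hack attempt? version field is {len(client_version)} chars "
                       f"(limit {MAX_VERSION_LEN}); closing session")
    if client_version != server_version:
        return False, (f"client/server version mismatch "
                       f"({log_safe(client_version)}/{server_version})")
    return True, "ok"


def declared_payload_length(header: bytes) -> Optional[int]:
    """Decode the payload length field of a WebSocket frame header (RFC 6455 5.2).

    Only the header bytes are inspected; nothing is allocated for the payload.
    Returns None when the bytes seen so far do not yet contain the full length field.
    """
    if len(header) < 2:
        return None
    length = header[1] & 0x7F          # low 7 bits; the top bit is the mask flag
    if length == 126:                  # 16-bit extended length follows
        if len(header) < 4:
            return None
        return struct.unpack("!H", header[2:4])[0]
    if length == 127:                  # 64-bit extended length follows
        if len(header) < 10:
            return None
        return struct.unpack("!Q", header[2:10])[0]
    return length


def check_frame(header: bytes, limit: int = MAX_FRAME_PAYLOAD) -> Tuple[bool, str]:
    """Decide from the header alone whether a frame may be read into memory at all."""
    n = declared_payload_length(header)
    if n is None:
        return False, "incomplete frame header"
    if n > limit:
        return False, f"hack attempt? frame declares {n} bytes (limit {limit}); closing session"
    return True, "ok"


# Constructed samples: a masked 5-byte text frame header, and one that declares a 4 GiB payload.
SMALL_FRAME = bytes([0x81, 0x85])
HUGE_FRAME = bytes([0x81, 0xFF]) + struct.pack("!Q", 4 * 1024 ** 3)

if __name__ == "__main__":
    print(check_version("4.31 B1", "4.31 B1"))
    print(check_version("4.31", "4.31 B1"))
    print(check_version("A" * 5000, "4.31 B1"))
    print(check_frame(SMALL_FRAME))
    print(check_frame(HUGE_FRAME))
```

The order matters: the length is checked before the payload is read, so a frame declaring gigabytes costs the server two to ten header bytes and one log line rather than the allocation that would otherwise follow, and the bounded `log_safe` copy means the event log itself can never become the place where the oversized string ends up.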