

Counter-Strike 2

Valve has reportedly fixed an HTML injection flaw in Counter-Strike 2 that was heavily abused today to inject images into games and obtain other players' IP addresses.

While initially thought to be a more severe Cross-Site Scripting (XSS) flaw, which allows JavaScript code to be executed in a client, the bug was determined to be only an HTML injection flaw, allowing the injection of images.

Counter-Strike 2 uses Valve's Panorama UI, a user interface that heavily incorporates CSS, HTML, and JavaScript for design layout.

As part of the design layout, developers can configure input fields to accept HTML rather than sanitize it to a regular string. If the field has HTML enabled, any inputted text is rendered on output as HTML.

Today, Counter-Strike users began reporting that users were abusing an HTML injection flaw to inject images into the kick voting panel.

Tweet of HTML injection

While the flaw was abused mostly for harmless fun, others used it to obtain the IP addresses of other players in the match.

This was done by using the <img> tag to open a remote IP logger script, which caused the IP address of every player who saw the vote kick to be logged.

These IP addresses could be used maliciously, such as launching DDoS attacks to force players to disconnect from the match.

This afternoon, Valve released a small 7MB update that reportedly fixes the vulnerability and causes any inputted HTML to be sanitized to a regular string.

For example, once the patch is installed, instead of injected HTML being rendered by the user interface, it is simply displayed as a string, as demonstrated below.

Aquarius tweet
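
The difference between an HTML-enabled field and a sanitized one can be shown with a small model of the vote panel. This is an added example, not Valve's or Panorama's code; the function names, the label markup, and the sample player names are assumptions made for illustration.

```javascript
// Added illustration; not Valve's or Panorama's code. All names are hypothetical.

// Escape the five characters that let text break out into markup.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Build the vote panel label. htmlEnabled=true models a field that
// accepts HTML; false models the sanitized behaviour (plain string).
function renderVoteLabel(playerName, htmlEnabled) {
  const shown = htmlEnabled ? String(playerName) : escapeHtml(playerName);
  return `<label>Kick player: ${shown}?</label>`;
}

// List the URLs an HTML renderer would request while drawing the markup.
// Every viewer's client makes that request, exposing its IP to the host.
function remoteFetchTargets(markup) {
  const targets = [];
  const imgSrc = /<img\b[^>]*\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  let m;
  while ((m = imgSrc.exec(markup)) !== null) {
    targets.push(m[1] ?? m[2] ?? m[3]);
  }
  return targets;
}

// Constructed sample names: one ordinary, one carrying markup.
const SAMPLE_NAMES = ['player_one', '<img src="https://img.example.invalid/a.png">'];

// Compare what each rendering mode would cause viewers to fetch.
function report(names) {
  return names.map((name) => ({
    name,
    htmlEnabledFetches: remoteFetchTargets(renderVoteLabel(name, true)),
    sanitizedFetches: remoteFetchTargets(renderVoteLabel(name, false)),
    sanitizedMarkup: renderVoteLabel(name, false),
  }));
}

console.log(JSON.stringify(report(SAMPLE_NAMES), null, 2));
```

With the field sanitized, the name containing markup produces no outbound request and is shown to viewers as literal text.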

BleepingComputer contacted Valve to confirm whether this update fixed the exploit but has not received a response.

In 2019, a similar, but more serious, bug was found in Counter-Strike: Global Offensive's Panorama UI that allowed HTML to be injected via the kick feature.

However, in that particular case, it could be used to launch JavaScript, making it a far more significant XSS vulnerability that could be used to execute commands remotely.


