Howdy, Stranger!
Categories
- 3.7K All Categories
- 3K The Midnight Age
- 757 Announce posts
- 122 Newbies
- 6 Class Guides
- 803 Harpy's Head Tavern
- 57 Echo Canyon
- 309 Self-Affirmations
- 163 Town Crier
- 135 The Exchange
- 167 Sparring Grounds
- Combat Guides
- 30 Combat Logs
- 188 Idea Box
- 9 Classleads
- 578 Roleplay Logs
- 107 Aetolia Development
- 5 The Void
- 742 Miscellaneous
- 9 Announcements
- 417 OOC Chat
- 215 Tech Talk
- 45 Scripts
Announce post #3038: Recent Lag
Autoposter
BotBot
12/2/2019 at 15:25
Tiur, the Gnosis
Everyone
Recent Lag
Last night, while investigating lag occurring across all IRE games, we discovered an unmitigated SQL injection vulnerability in the gamefeed processing on the games' websites, which was being actively used by an attacker. In an abundance of caution, we disabled the gamefeed functionality across all games and sinkholed the vulnerable API endpoint. We have now fixed the faulting code and reenabled the gamefeed.
We are still investigating the full impact of the vulnerability, but at this time it does not appear any customer data was accessed. It appears to have been a blind attack that didn't get beyond an attempt to identify access limitations, so no critical information was accessed whatsoever.
Special thanks to Razmael of Aetolia for identifying the initial impact, and Phaestus of Achaea and Eoghan of Imperian for identifying the SQLi and creating a mitigation.
Penned by my hand on Closday, the 14th of Lanosian, in the year 484 MA.
Tiur, the Gnosis
Everyone
Recent Lag
Last night, while investigating lag occurring across all IRE games, we discovered an unmitigated SQL injection vulnerability in the gamefeed processing on the games' websites, which was being actively used by an attacker. In an abundance of caution, we disabled the gamefeed functionality across all games and sinkholed the vulnerable API endpoint. We have now fixed the faulting code and reenabled the gamefeed.
We are still investigating the full impact of the vulnerability, but at this time it does not appear any customer data was accessed. It appears to have been a blind attack that didn't get beyond an attempt to identify access limitations, so no critical information was accessed whatsoever.
Special thanks to Razmael of Aetolia for identifying the initial impact, and Phaestus of Achaea and Eoghan of Imperian for identifying the SQLi and creating a mitigation.
Penned by my hand on Closday, the 14th of Lanosian, in the year 484 MA.
5