There is a cross-site scripting vulnerability when loading messages sent from the RCON panel. An attacker can deploy a Rust server, add the poisoned XSS message to the Rust chat, then trick a victim into automatically logging in and loading the poisoned message, which can read the stored server credentials from the "localStorage" object.
The payload would then exfiltrate the password by sending an HTTP request like this:
GET /?x=eyJwcmV2aW91c0Nvbm5lY3Rpb25zIjoiW3tcIkFkZHJlc3NcIjpcIllPVVJfU0VSVkVSXCIsXCJQYXNzd29yZFwiOlwiWU9VUl9QQVNTV09SRCFcIixcImRhdGVcIjpcIjIwMjEtMDItMjBUMDY6MjU6MDEuNDAxWlwifV0ifQ== HTTP/1.1
Impact
An attacker could use this to exfiltrate RCON passwords of anyone using the Facepunch RCON service.
Steps to Reproduce - alert prompt
Steps to Reproduce - exfiltrating password
An attacker could host the following script on their HTTP server...
The script would be stored on the service by sending the following chat message, with the script source pointed at the attacker-controlled script...
Then, once the message has been sent to the attacker's own server, the attacker tricks a victim into loading the payload via the following attacker-controlled page: