diff --git a/OliverBooth/Pages/PublicServiceAnnouncement/BinaryFormatter.cshtml b/OliverBooth/Pages/PublicServiceAnnouncement/BinaryFormatter.cshtml new file mode 100644 index 0000000..bb8134e --- /dev/null +++ b/OliverBooth/Pages/PublicServiceAnnouncement/BinaryFormatter.cshtml @@ -0,0 +1,47 @@ +@page "/psa/binaryformatter" + +
+ This application is using an insecure method to read and write data, and needs to be updated + immediately. +
++ If you are seeing this message, it means you loaded a payload that I crafted to exploit this vulnerability. Be + fortunate, because I could have done much worse including stealing your data or installing malware on your + computer. +
++ If you're seeing this because you loaded my data from a game, this means it's possible for an attacker to craft + a save file that can, for example, steal your Steam credentials and send them to a remote server. Just because + you loaded - what seemed to be - a save file! +
++ Do not load any more data into this application until the developer has addressed this issue. +
+
+ BinaryFormatter
is a .NET class that is used to serialize and deserialize data such as game saves
+ or configuration files. However, it was discovered that this class is vulnerable to remote code execution when
+ deserializing untrusted data.
+
+ Please update your application to use a different serialization method. +
++ For more information, please read the + + official security notice + + from Microsoft. +
+
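Review bot: The closing "For more information" paragraph of this hunk links the words "official security notice" but no href target is visible in the rendered diff, so please confirm the anchor points at Microsoft's actual BinaryFormatter security guidance before this page goes live; a PSA whose only reference is a dead or placeholder link undermines the message. Two wording points in the same hunk: "Be fortunate, because I could have done much worse" reads awkwardly and would be clearer as "Consider yourself fortunate, because I could have done much worse", and the sentence "it was discovered that this class is vulnerable to remote code execution when deserializing untrusted data" should state the practical consequence the page is built around, namely that any save or configuration file from an untrusted source is unsafe to load through this class, which is the reason the earlier paragraph tells the reader to stop loading data until the developer fixes it.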