diff --git a/OliverBooth/Pages/PublicServiceAnnouncement/BinaryFormatter.cshtml b/OliverBooth/Pages/PublicServiceAnnouncement/BinaryFormatter.cshtml new file mode 100644 index 0000000..bb8134e --- /dev/null +++ b/OliverBooth/Pages/PublicServiceAnnouncement/BinaryFormatter.cshtml @@ -0,0 +1,47 @@ +@page "/psa/binaryformatter" + +
+

⚠️ Stop! This application is unsafe!

+

+ This application is using an insecure method to read and write data, and needs to be updated + immediately. +

+
+ +
+

I'm a user, what does this mean?

+

+ If you are seeing this message, it means you loaded a payload that I crafted to exploit this vulnerability. Be + fortunate, because I could have done much worse including stealing your data or installing malware on your + computer. +

+

+ If you're seeing this because you loaded my data from a game, this means it's possible for an attacker to craft + a save file that can, for example, steal your Steam credentials and send them to a remote server. Just because + you loaded - what seemed to be - a save file! +

+
+

+ Do not load any more data into this application until the developer has addressed this issue. +

+
+ +
+

I'm a developer, can you explain more?

+

+ BinaryFormatter is a .NET class that is used to serialize and deserialize data such as game saves + or configuration files. However, it was discovered that this class is vulnerable to remote code execution when + deserializing untrusted data. +

+

+ Please update your application to use a different serialization method. +

+
+

+ For more information, please read the + + official security notice + + from Microsoft. +

+
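Review bot: The developer section (the paragraphs "BinaryFormatter is a .NET class that is used to serialize and deserialize data..." and "Please update your application to use a different serialization method.") frames this as a bug that "was discovered" and that a developer can patch, and then gives no concrete guidance. BinaryFormatter is insecure by design: Microsoft states it cannot be made safe and has deprecated it, so the page should say that any call to BinaryFormatter.Deserialize on data the application did not produce itself (save files, config files, anything received over the network) is exploitable, and that the only fix is to stop using it. Suggest replacing the second paragraph with a short list of what to migrate to (for example System.Text.Json or another serializer that does not instantiate arbitrary types named in the input), and a note that the new format should be validated on load rather than trusted. Two smaller points in the same hunk: the user-facing sentence "Just because you loaded - what seemed to be - a save file!" is a fragment and reads better as "...and all you did was load what looked like a save file."; and the final paragraph's "official security notice" anchor is the only pointer readers get to the fix, so make sure it carries an href to Microsoft's BinaryFormatter security guide rather than plain text.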