#185954 16/09/07 02:46 PM
pouncer (OP) [Hoopy frood, Joined: Oct 2005, Posts: 827]:
Code:
on *:TEXT:!page*:#:{
  write page.txt Page By $nick $+ : $2-
  msg $chan Page added $nick
}


I don't really output the result of page.txt to the channel at all, but I just want to make sure I'm safe.

RoCk [Hoopy frood, Joined: Dec 2002, Posts: 2,031]:
Someone could type...

edited by author

That could cause you some problems.

Last edited by RoCk; 16/09/07 03:03 PM.

noMen [Vogon poet, Joined: Jan 2006, Posts: 111]:
No, this text event (or better: this write statement) cannot be exploited. But, in another event where you're gonna read the page, you MUST use the n parameter (like in $read(page.txt, n, ....)) to prevent any commands in the page text being evaluated.

Edit: I just read Rock's reply. I am not sure whether $findfile is being evaluated during a write operation, but if so he is right that it can be dangerous! Test this one carefully, but replace the remove command in the timer by some echo command, otherwise you're in trouble.

Last edited by noMen; 16/09/07 02:55 PM.

pouncer (OP):
Hmm, wow RoCk, I will test that for the exploit.

RoCk:
I just tested it and it did not work, he would have to use $eval for it to work that way I guess...

write page.txt Page By $nick $+ : $eval($2-,2)

Riamus2 [Hoopy frood, Joined: Oct 2004, Posts: 8,330]:
Like RoCk said, that could easily remove your files.

**Be careful NOT to test what he showed you. If you want to test it, change "remove" to "echo".

You may want to prevent problems by automatically removing $'s, but I'm not sure of a better solution or if that catches all possible problems.


Invision Support
#Invision on irc.irchighway.net

Riamus2:
Originally Posted By: RoCk
I just tested it and it did not work, he would have to use $eval for it to work that way I guess...

write page.txt Page By $nick $+ : $eval($2-,2)


I tested it by just changing "remove" to "echo" to make sure nothing was removed and it did echo all of the found files.



pouncer (OP):
OK guys, thanks.

So this seems perfectly safe. Just wanted to make sure!

Riamus2:
I didn't say it was safe...



pouncer (OP):
RoCk, why did you remove that code? I wanted to test it for the exploit.

Can someone please paste the $findfile thing again?

hixxy [Hoopy frood, Joined: Sep 2005, Posts: 2,881]:
That can't be exploited.

The main things you have to watch out for are $readini, $read, /scon, /scid, /flash and /timer. If you $read() that file without using the 'n' flag, then identifiers within the file will be evaluated, which means people could use $findfile() to execute commands.

Riamus2:
Then why did it work with changing remove to echo?



hixxy:
Eh? There isn't a remove command in his original post.

pouncer (OP):
Riamus, can you please put that $findfile line up again, so I can test it myself?

Riamus2:
RoCk gave an example of how it can be exploited.

Last edited by Riamus2; 16/09/07 03:34 PM.


pouncer (OP):
PM me the exploit please, thanks. He edited his post to remove it and I didn't have it pasted before.

hixxy:
Nothing in the user's text is evaluated, so it cannot be exploited. IF he was using $eval($2-,2), then of course people would be able to exploit it by using $findfile(), but as it is now it's perfectly safe.

Riamus2:
Then why did it work for me? Or is that just because of doing it from the editbox?

**EDIT: which it probably is now that I'm thinking about it.

Last edited by Riamus2; 16/09/07 03:13 PM.


hixxy:
Just to show you..

Quote:
(16:12:58) * Now talking in #hixxytest
(16:13:26) <hixxy_> !page $findfile(c:,*,1,msg #hixxytest t!)
(16:13:28) <@hixxy> Page added hixxy_


No 't!' there.

Edit:

Originally Posted By: Riamus2
Then why did it work for me? Or is that just because of doing it from the editbox?

**EDIT: which it probably is now that I'm thinking about it.


Are you using Rock's version? Which uses $eval($2-,2) instead of just $2-?

Last edited by hixxy; 16/09/07 03:14 PM.

pouncer (OP):
I just tried

!page $findfile($left($mircdir,3),*,0,.timer -io 1 0 echo -a $qt($1-))


It didn't echo anything on my script.

Riamus2:
Ok. I guess I shouldn't assume things work the same from the editbox as they do from a script.



hixxy:
I'm not sure what you mean, how exactly are you getting it to evaluate?

The only way I'd be able to get something to evaluate would be if I typed //say !page $findfile(...), but that's because of the double slashes. The only other way it'd evaluate is if you had an on input event that is evaluating everything an extra time.

Riamus2:
Well, I did use // with the Write command (see my example). But I thought scripts did // anyhow.



hixxy:
They do.

But the script would be executing //msg #channel $2-, so the contents of $2- won't be evaluated.

noMen:
I don't think the // in a (text) event will result in evaluating identifiers. Riamus should test it in an event, not in a command issued to a mirc window.

RoCk:
Obviously it just isn't evaluated in a remote event without intentionally evaluating it with $eval. This must be a security measure that was added at some point.

noMen:
But PLEASE always use the n parameter in $read and $readini!!! Otherwise a script like !page can be exploited!

hixxy:
Code:
on *:text:!say *:#:{ msg $chan $2- }


This cannot be exploited, because by default, everything will only be evaluated once. This means that $chan is transformed into the channel name, and $2- is transformed into the text after !say. The same thing would happen if you changed msg to /msg or //msg, because that's how remote scripts work. The only way you could make this script exploitable is by adding some code that makes the $2- evaluate an extra time, for example by changing it to:

Code:
on *:text:!say *:#:{ .timer 1 1 msg $chan $2- }


..because timers evaluate everything once when the timer is started, and then an extra time when the timer fires (i.e. after one second in this case). So any $identifiers in the text after !say will be evaluated. /scon, /scid and /flash all behave in this fashion too; they evaluate everything an extra time.

Or:

Code:
on *:text:!say *:#:{ msg $chan $eval($2-,2) }


$eval() is used to control how many times you want something to evaluate. If you decide to evaluate $2- twice, instead of the default (once), then all identifiers within the text will be evaluated.

To explain this with an example, let's say somebody types:

Quote:
!say I want this to evaluate: $findfile(c:,*,1)


Then $2- will evaluate to:

Quote:
I want this to evaluate: $findfile(c:,*,1)


But if you evaluate it once more, then the $findfile() in that message will also be evaluated. If you evaluated it a third time, then the filename returned by $findfile() would also be evaluated (so if it found a file called "$time", that would evaluate to the time), etc etc.

If you don't already know how evaluation works it can seem complex and daunting, but it's really not that hard to understand.
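The two rules the thread settles on (a remote event evaluates user text only once, so the write is fine; the read-back and any timer are where a stored $identifier can get an extra evaluation, so $read needs the n flag and stored text must not travel through a timer's command line) are written out below as an added example. It is not code from the thread or from any of its posters. The file name page.txt is from the original post; the !lastpage triggers, the sendlastpage alias and the "ops only" check are assumptions made for the example.

```mirc
; Added example, not from the thread. Assumes page.txt in the mIRC directory,
; a !lastpage trigger and a sendlastpage alias (all names chosen here).

on *:TEXT:!page *:#:{
  ; $2- is evaluated once in a remote event, so any $identifier the user
  ; typed lands in the file as plain text, exactly as hixxy describes.
  write page.txt Page By $nick $+ : $2-
  msg $chan Page added $nick
}

; Reading the line back is the risky step. Without the n flag, $read()
; evaluates the stored text, so a stored $findfile(...) would run here.
; With n, the line is returned literally and is only sent as text.
on *:TEXT:!lastpage:#:{
  if ($nick !isop $chan) { return }
  var %last = $lines(page.txt)
  if (%last == 0) { msg $chan No pages stored | return }
  msg $chan $read(page.txt,n,%last)
}

; Delayed output. A timer's command is evaluated once when the timer is set
; and again when it fires, so stored text must never appear in that command
; line. Give the timer only the channel name and let a global alias do the
; n-flagged read at the moment the timer fires.
alias sendlastpage {
  if ($lines(page.txt) > 0) { msg $1 $read(page.txt,n,$lines(page.txt)) }
}

on *:TEXT:!lastpage delayed:#:{
  if ($nick !isop $chan) { return }
  .timer 1 5 sendlastpage $chan
}
```

The alias is global rather than local (alias -l) because the timer fires outside the script's own context. The same "pass only fixed values, read inside the callee with n" shape applies to the other double-evaluating commands hixxy lists (/scon, /scid, /flash): whatever user text they would carry should be fetched by the called alias, not embedded in the command string.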

L [Hoopy frood, Joined: Aug 2005, Posts: 1,052]:
Code:
on *:TEXT:!page*:#:{
  if ($istok($2-,|,32) == $true) { msg $chan $+($nick,...) you are using an invalid character }
  else {
    write page.txt Page By $nick $+ : $remove($2-,/,$)
    msg $chan Page added $nick
  }
}

Ultimately I would remove the chars | / $ from the picture


Code:
if $reality > $fiction { set %sanity Sane }
Else { echo -a *voices* }

hixxy:
That's your preference, but there's no need to do that.
