Joined: Oct 2005
Posts: 827
Hoopy frood
OP
on *:TEXT:!page*:#:{
  write page.txt Page By $nick $+ : $2-
  msg $chan Page added $nick
}
I don't really output the result of the page.txt to the channel at all, but I just want to make sure I'm safe

Joined: Dec 2002
Posts: 2,033
Hoopy frood
Someone could type... [edited by author]
That could cause you some problems.
Last edited by RoCk; 16/09/07 03:03 PM.

Joined: Jan 2006
Posts: 111
Vogon poet
No, this text event (or better: this write statement) cannot be exploited. But, in another event where you're gonna read the page, you MUST use the n parameter (like in $read(page.txt, n, ....)) to prevent any commands in the page text being evaluated.
Edit: I just read Rock's reply. I am not sure whether $findfile is being evaluated during a write operation, but if so he is right that it can be dangerous! Test this one carefully, but replace the remove command in the timer by some echo command, otherwise you're in trouble.
Last edited by noMen; 16/09/07 02:55 PM.

Joined: Oct 2005
Posts: 827
Hoopy frood
OP
hmm wow rock, I will test that for the exploit

Joined: Dec 2002
Posts: 2,033
Hoopy frood
I just tested it and it did not work, he would have to use $eval for it to work that way I guess...
write page.txt Page By $nick $+ : $eval($2-,2)

Joined: Oct 2004
Posts: 8,330
Hoopy frood
Like RoCk said, that could easily remove your files.
**Be careful NOT to test what he showed you. If you want to test it, change "remove" to "echo".
You may want to prevent problems by automatically removing $'s, but I'm not sure of a better solution or if that catches all possible problems.
Invision Support #Invision on irc.irchighway.net

Joined: Oct 2004
Posts: 8,330
Hoopy frood
> I just tested it and it did not work, he would have to use $eval for it to work that way I guess...
> write page.txt Page By $nick $+ : $eval($2-,2)
I tested it by just changing "remove" to "echo" to make sure nothing was removed and it did echo all of the found files.

Joined: Oct 2005
Posts: 827
Hoopy frood
OP
ok guys, thanks
so this seems perfectly safe. just wanted to make sure!

Joined: Oct 2004
Posts: 8,330
Hoopy frood
I didn't say it was safe...

Joined: Oct 2005
Posts: 827
Hoopy frood
OP
rock why did you remove that code, I wanted to test it for exploit
can someone please paste the $findfile thing again?

Joined: Sep 2005
Posts: 2,881
Hoopy frood
That can't be exploited.
The main things you have to watch out for are $readini, $read, /scon, /scid, /flash and /timer. If you $read() that file without using the 'n' flag, then identifiers within the file will be evaluated, which means people could use $findfile() to execute commands.
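
The read-back side that the replies above warn about, written with the n switch, as an added example that is not part of the original posts. page.txt is the file from the original script; the !readpage trigger is a hypothetical name.

```mirc
; Added example, not from the thread. page.txt is the file written by the
; original !page script; the !readpage trigger is a hypothetical name.
on *:TEXT:!readpage *:#:{
  var %total = $lines(page.txt)
  ; accept only a whole line number that exists in the file
  if ((!$regex($2,/^[1-9]\d*$/)) || ($2 > %total)) {
    msg $chan Usage: !readpage N - pages stored: %total
    return
  }
  ; UNSAFE form: $read(page.txt, $2) would evaluate identifiers in the stored line
  ; SAFE form: the n switch returns the stored line as plain text
  msg $chan $read(page.txt, n, $2)
}
```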

Joined: Oct 2004
Posts: 8,330
Hoopy frood
Then why did it work with changing remove to echo?

Joined: Sep 2005
Posts: 2,881
Hoopy frood
Eh? There isn't a remove command in his original post

Joined: Oct 2005
Posts: 827
Hoopy frood
OP
riamus can you please put that $findfile line up again? so I can test it myself?

Joined: Oct 2004
Posts: 8,330
Hoopy frood
RoCk gave an example of how it can be exploited.
Last edited by Riamus2; 16/09/07 03:34 PM.

Joined: Oct 2005
Posts: 827
Hoopy frood
OP
PM me the exploit please, thanks. he edited his post to remove it and when I didn't have it pasted before

Joined: Sep 2005
Posts: 2,881
Hoopy frood
Nothing in the user's text is evaluated, so it cannot be exploited. IF he was using $eval($2-,2), then of course people would be able to exploit it by using $findfile(), but as it is now it's perfectly now.

Joined: Oct 2004
Posts: 8,330
Hoopy frood
Then why did it work for me? Or is that just because of doing it from the editbox?
**EDIT: which it probably is now that I'm thinking about it.
Last edited by Riamus2; 16/09/07 03:13 PM.

Joined: Sep 2005
Posts: 2,881
Hoopy frood
Just to show you..
(16:12:58) * Now talking in #hixxytest
(16:13:26) <hixxy_> !page $findfile(c:,*,1,msg #hixxytest t!)
(16:13:28) <@hixxy> Page added hixxy_
No 't!' there.
Edit:
> Then why did it work for me? Or is that just because of doing it from the editbox?
> **EDIT: which it probably is now that I'm thinking about it.
Are you using Rock's version? Which uses $eval($2-,2) instead of just $2-?
Last edited by hixxy; 16/09/07 03:14 PM.

Joined: Oct 2005
Posts: 827
Hoopy frood
OP
I just tried
!page $findfile($left($mircdir,3),*,0,.timer -io 1 0 echo -a $qt($1-))
it didn't echo anything on my script