InterVi
Member
Posts: 32 Joined: Wed Jul 05, 2017 08:22
GitHub:
InterVi
IRC: InterVi
In-game: InterVi
Location: Russia, Moscow
Contact:
by InterVi » Tue Dec 19, 2017 15:52
This mod adds an in-game terminal for executing shell commands. Please use
screen or another utility for long-running execution.
WARNING! This mod creates a potential backdoor! Do not give users the privileges for this mod!
Commands and privs
/shell - open terminal window (needs shell_cmd priv)
/shell-clear - clear terminal history (needs shell_clear priv)
Depends
Links
azekill_DIABLO
Member
Posts: 7507 Joined: Wed Oct 29, 2014 20:05
GitHub:
azekillDIABLO
In-game: azekill_DIABLO
Location: OMICRON
Contact:
by azekill_DIABLO » Tue Dec 19, 2017 16:27
Awesome! I'll try to merge it to computers mod!
Gone, but not dead. Contact me on discord: azekill_DIABLO#6565
DMs are always open if you want to get in touch!
rubenwardy
Moderator
Posts: 6972 Joined: Tue Jun 12, 2012 18:11
GitHub:
rubenwardy
IRC: rubenwardy
In-game: rubenwardy
Location: Bristol, United Kingdom
Contact:
by rubenwardy » Thu Dec 21, 2017 03:11
azekill_DIABLO wrote: Awesome! I'll try to merge it to computers mod!
No no no no no. No. NO. NOOOOOOOO.
N O N O N O
O
N
O
N
O
TumeniNodes
Member
Posts: 2941 Joined: Fri Feb 26, 2016 19:49
GitHub:
TumeniNodes
IRC: tumeninodes
In-game: TumeniNodes
Location: in the dark recesses of the mind
Contact:
by TumeniNodes » Thu Dec 21, 2017 03:36
rubenwardy wrote:
No no no no no. No. NO. NOOOOOOOO.
N O N O N O
O
N
O
N
O
translation: No
Definition of No: To not
A Wonderful World
twoelk
Member
Posts: 1482 Joined: Fri Apr 19, 2013 16:19
GitHub:
twoelk
IRC: twoelk
In-game: twoelk
Location: northern Germany
by twoelk » Thu Dec 21, 2017 16:35
TumeniNodes wrote: rubenwardy wrote:
No no no no no. No. NO. NOOOOOOOO.
N O N O N O
O
N
O
N
O
translation: No
Definition of No: To not
looks like a pattern to fill area with liquids in minetest to me
the mod yells danger! though
how secure is it?
by azekill_DIABLO » Thu Dec 21, 2017 16:37
rubenwardy wrote: azekill_DIABLO wrote: Awesome! I'll try to merge it to computers mod!
No no no no no. No. NO. NOOOOOOOO.
N O N O N O
O
N
O
N
O
Yes yes yes yes yes. Yes! Yes! YES! YEEEEEES!
Y E S Y E S
E E S Y E S
S S S Y E S
Y Y Y Y E S
E E E E E S
S S S S S S
sofar
Developer
Posts: 2146 Joined: Fri Jan 16, 2015 07:31
GitHub:
sofar
IRC: sofar
In-game: sofar
by sofar » Thu Dec 21, 2017 18:48
rm -f map.sqlite
by sofar » Thu Dec 21, 2017 18:55
Post updated to reflect this mod had a vulnerability before
This mod had a significant code vulnerability, and, when installed on a server, could allow any attacker without the needed privileges to execute any shell command on the server.
sofar wrote:
I haven't verified my claims, but it is obvious that the formspec code does not bother to validate the permissions in the code that handles the formspec receive data, and thus, it is wide open to any attacker. It would take me 15 minutes to build an exploit, at most.
This needs to be fixed immediately, or else people running this code on a server will lose all their data.
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
by InterVi » Thu Dec 21, 2017 20:42
fixed
by sofar » Thu Dec 21, 2017 21:00
I agree that should be a proper fix. I have not validated that it fixes the problem, since I have not created a working exploit either, so I can't validate it. However, based on code inspection this does the correct thing.
Anyone running this mod should immediately update to the latest version, or remove the old version.
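The permission check discussed in the posts above, as an added example that is not InterVi's code and not part of any post: a Minetest `init.lua` in which the formspec receive handler re-checks the privilege instead of relying on the chat command's `privs` table. `/shell` and `shell_cmd` come from the first post; the mod name `shell_example`, the form name and the field names are assumptions.

```lua
-- Added example, not the mod's own code. FORMNAME and field names are assumed.
local FORMNAME = "shell_example:terminal"
local PRIV = "shell_cmd" -- privilege name taken from the first post

-- io.popen is only reachable for mods listed in secure.trusted_mods.
local ie = minetest.request_insecure_environment()
assert(ie, "shell_example must be listed in secure.trusted_mods")

minetest.register_privilege(PRIV, {
	description = "Can run shell commands on the server",
	give_to_singleplayer = false,
})

local function show_terminal(name, output)
	minetest.show_formspec(name, FORMNAME,
		"size[10,8]" ..
		"textarea[0.3,0.2;10,6.5;out;Output;" ..
			minetest.formspec_escape(output or "") .. "]" ..
		"field[0.3,7.4;8,1;cmd;;]" ..
		"button[8,7.1;2,1;run;Run]")
end

minetest.register_chatcommand("shell", {
	description = "Open the terminal window",
	privs = {[PRIV] = true}, -- guards the command only, not the form submit
	func = function(name)
		show_terminal(name, "")
		return true
	end,
})

minetest.register_on_player_receive_fields(function(player, formname, fields)
	if formname ~= FORMNAME then
		return false
	end
	local name = player:get_player_name()
	-- A client can submit fields for any formname, so authorize again here.
	if not minetest.check_player_privs(name, {[PRIV] = true}) then
		minetest.log("warning", "[shell_example] denied form submit from " .. name)
		return true
	end
	if fields.run and fields.cmd and fields.cmd ~= "" then
		minetest.log("action", "[shell_example] " .. name .. " runs: " .. fields.cmd)
		local pipe = ie.io.popen(fields.cmd .. " 2>&1")
		local out = pipe and pipe:read("*a") or "popen failed"
		if pipe then pipe:close() end
		show_terminal(name, out)
	end
	return true
end)
```

The `warning` log line gives server operators something to alert on: a denied submit for this form name means a client sent the form data without holding the privilege.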
sorcerykid
Member
Posts: 1841 Joined: Fri Aug 26, 2016 15:36
GitHub:
sorcerykid
In-game: Nemo
Location: Illinois, USA
by sorcerykid » Thu Dec 21, 2017 22:30
It is cases like this that I really wish Lua had data tainting options like Perl.