What happened to the Messenger Plus! forums on msghelp.net?
Shoutbox » MsgHelp Archive » Messenger Plus! for Live Messenger » WLM Plus! General » Whats up with this?

Pages: (4): « First « 1 2 [ 3 ] 4 » Last »
Whats up with this?
Author: Message:
KeyStorm
Elite Member
*****

Avatar
Inn-sewer-ants-pollie-sea

Posts: 2156
Reputation: 45
38 / Male / –
Joined: Jan 2003
RE: Whats up with this?
If we avoided tags to imply the hability to run inner commands we would stop some plugins and home-made aliases to work, so I don't see any other solution than warning when system files or executables are going to be runned.
Optionally: "Don't warn me again for this file"
07-08-2004 05:29 PM
Profile E-Mail PM Web Find Quote Report
timothy
Junior Member
**

Avatar

Posts: 22
40 / Male / –
Joined: Oct 2002
RE: Whats up with this?
The execution by short codes isn’t the problem, the execution with (!N) should be prohibited. This one should only be intended to display some-one`s nickname...
07-08-2004 05:32 PM
Profile E-Mail PM Web Find Quote Report
Zero1
Junior Member
**


Posts: 15
Joined: Jul 2003
RE: Whats up with this?
Why not sterilise the (!N) command? this is the only one that would need modifying as its the only one that a remote attacker could use. For example in PHP there is a command that lets you stop variables being executed as variables and just shown how they are. Couldnt this be possible with MP3?
[Image: fetch.php]
07-08-2004 05:33 PM
Profile E-Mail PM Web Find Quote Report
KeyStorm
Elite Member
*****

Avatar
Inn-sewer-ants-pollie-sea

Posts: 2156
Reputation: 45
38 / Male / –
Joined: Jan 2003
RE: Whats up with this?
<?PHP
$a = "blah";
echo "$a";
echo "\n";
echo '$a';
?>

would return:

blah
$a

----

Anyway, not to parse (!N) content would be a good solution to avoid contact running random commands remotely.

Zero1: tell the contact to write (!IP) instead ;) much easier.

Anyway, I know that if I told someone to write '/run [whatever]' they'd do... so the problem would be solved but not completely. The social engineering would still exist (and newbies, too).

Not sure if that would help a lot :-/
07-08-2004 05:45 PM
Profile E-Mail PM Web Find Quote Report
Zero1
Junior Member
**


Posts: 15
Joined: Jul 2003
RE: Whats up with this?
Yes, the addslashes command was what i was using as an example
You could tell someone to execute that command on its own, but it could look a little suspicious. I dont want to post anything that could be actually used - but there are more dangerous things that can be done than the ip command. The point is most people would probably not look at that name twice, and then it would be too late.

This post was edited on 07-08-2004 at 05:50 PM by Zero1.
[Image: fetch.php]
07-08-2004 05:48 PM
Profile E-Mail PM Web Find Quote Report
KeyStorm
Elite Member
*****

Avatar
Inn-sewer-ants-pollie-sea

Posts: 2156
Reputation: 45
38 / Male / –
Joined: Jan 2003
RE: Whats up with this?
or worse: after they tell you to type (!N) they could change their nicknames so it looks less suspicious.
quote:
Originally posted by Zero1
but there are more dangerous things that can be done than the ip command
lol, obviously. ;)

I still think the warning methos would be the best and most easy way around it.

But I can't see a use for parsing nicknames, so killing that would also be a solution :)
07-08-2004 05:57 PM
Profile E-Mail PM Web Find Quote Report
timothy
Junior Member
**

Avatar

Posts: 22
40 / Male / –
Joined: Oct 2002
RE: Whats up with this?
Personally, the only reason why the /run command would be left in there is because you want a quick way to execute something without using your mouse.... ( windows key + r is a great alternative ).

Other use is that you have scripted some commands, or launching programs with msgplus vars.

But I dont see why plugin creators would rely on the /run command, because If you know how to program you also know how to launch a program.
07-08-2004 06:04 PM
Profile E-Mail PM Web Find Quote Report
KeyStorm
Elite Member
*****

Avatar
Inn-sewer-ants-pollie-sea

Posts: 2156
Reputation: 45
38 / Male / –
Joined: Jan 2003
RE: Whats up with this?
quote:
Originally posted by timothy
But I dont see why plugin creators would rely on the /run command, because If you know how to program you also know how to launch a program.

I rather meant aliases ;)

The use for some plugins would need to parse anything inside a tag. If we disabled that some would not work. I guess,
07-08-2004 06:44 PM
Profile E-Mail PM Web Find Quote Report
lopardo
Veteran Member
*****


Posts: 1395
Reputation: 33
38 / Male / Flag
Joined: Nov 2002
Status: Away
RE: Whats up with this?
I would suggest this:
  • Disable (!N) parsing.
  • Show a warning before using /run for the first time (or with a "don't show me this again" checkbox).

But it's up to Patchou whether or not to do it :)
[Image: userbar452797dd.gif]
07-08-2004 07:06 PM
Profile PM Find Quote Report
GiantSpider
Veteran Member
*****

Avatar

Posts: 1435
Reputation: 21
34 / Male / Flag
Joined: Sep 2003
O.P. RE: Whats up with this?
So the threat is actually there? That's some damn buisness. So in laymens (simple) terms what is the problem?
07-08-2004 07:06 PM
Profile PM Find Quote Report
Pages: (4): « First « 1 2 [ 3 ] 4 » Last »
« Next Oldest Return to Top Next Newest »


Threaded Mode | Linear Mode
View a Printable Version
Send this Thread to a Friend
Subscribe | Add to Favorites
Rate This Thread:

Forum Jump:

Forum Rules:
You cannot post new threads
You cannot post replies
You cannot post attachments
You can edit your posts
HTML is Off
myCode is On
Smilies are On
[img] Code is On