Shoutbox

If we avoided tags to imply the hability to run inner commands we would stop some plugins and home-made aliases to work, so I don't see any other solution than warning when system files or executables are going to be runned.
Optionally: "Don't warn me again for this file"

The execution by short codes isn’t the problem, the execution with (!N) should be prohibited. This one should only be intended to display some-one`s nickname...

Why not sterilise the (!N) command? this is the only one that would need modifying as its the only one that a remote attacker could use. For example in PHP there is a command that lets you stop variables being executed as variables and just shown how they are. Couldnt this be possible with MP3?

<?PHP
$a = "blah";
echo "$a";
echo "\n";
echo '$a';
?>

would return:

blah
$a

----

Anyway, not to parse (!N) content would be a good solution to avoid contact running random commands remotely.

Zero1: tell the contact to write (!IP) instead much easier.

Anyway, I know that if I told someone to write '/run [whatever]' they'd do... so the problem would be solved but not completely. The social engineering would still exist (and newbies, too).

Not sure if that would help a lot

Yes, the addslashes command was what i was using as an example
You could tell someone to execute that command on its own, but it could look a little suspicious. I dont want to post anything that could be actually used - but there are more dangerous things that can be done than the ip command. The point is most people would probably not look at that name twice, and then it would be too late.

or worse: after they tell you to type (!N) they could change their nicknames so it looks less suspicious.

quote:

---

Originally posted by Zero1
but there are more dangerous things that can be done than the ip command

---

lol, obviously.

I still think the warning methos would be the best and most easy way around it.

But I can't see a use for parsing nicknames, so killing that would also be a solution

Personally, the only reason why the /run command would be left in there is because you want a quick way to execute something without using your mouse.... ( windows key + r is a great alternative ).

Other use is that you have scripted some commands, or launching programs with msgplus vars.

But I dont see why plugin creators would rely on the /run command, because If you know how to program you also know how to launch a program.

quote:

---

Originally posted by timothy
But I dont see why plugin creators would rely on the /run command, because If you know how to program you also know how to launch a program.

---

I rather meant aliases

The use for some plugins would need to parse anything inside a tag. If we disabled that some would not work. I guess,

I would suggest this:

• Disable (!N) parsing.
  
• Show a warning before using /run for the first time (or with a "don't show me this again" checkbox).

But it's up to Patchou whether or not to do it

So the threat is actually there? That's some damn buisness. So in laymens (simple) terms what is the problem?