Author Topic: !news security?  (Read 3144 times)

Offline uberjon

!news security?
« on: May 14, 2011, 08:28:44 pm »
A while back I had an issue with a guild member adding random crap to the guild news. Rather than let him annoy everyone, I proceeded to edit the command permissions:

Code: [Select]
$this -> register_command('all', 'news', 'GUEST', array('add'=>'MEMBER'));
$this -> register_command('all', 'headline', 'GUEST', array('add'=>'ADMIN'));
(lines 70-71)

to something like:

Code: [Select]
$this -> register_command('all', 'news', 'GUEST', array('add'=>'ADMIN'));
$this -> register_command('all', 'headline', 'GUEST', array('add'=>'ADMIN'));

Simple fix, right? Nope. To my amazement, he was somehow still able to add news as he pleased, without being an admin on the bot. Long story short, I disabled the module for a while (I was busy), and recently took a look:

Code: [Select]
function command_handler($name, $msg, $origin)
{
    $com = $this->parse_com($msg);
    switch($com['com'])
    {
        case 'news':
            return $this->sub_handler($name, $com, 1);
            break;
        case 'headline':
            return $this->sub_handler($name, $com, 2);
            break;
        case 'raids':
            return $this->sub_handler($name, $com, 3);
            break;
        default:
            $this->error->set("News recieved unknown command '{$com['com']}'.");
            return $this->error;
            break;
    }
}

function sub_handler($name, $com, $type)
{
    switch($com['sub'])
    {
        case '':
        case 'read':
            if (($type == 1) || ($type == 2))
                return $this->get_news($name);
            else
                return $this->get_raids($name);
            break;
        case 'add':
            return $this->set_news($name, $com['args'], $type);
            break;
        case 'del':
        case 'rem':
            return $this->del_news($name, $com['args']);
            break;
        default:
            //No keywords recognized. Assume that person in attempting to add news and forgot the "add" keyword
            $news = "{$com['sub']} {$com['args']}";
            return $this->set_news($name, $news, $type);
            break;
    }
}

Based on that setup there, a guest (who has access to !news, but not !news add) could 'forget' to use the add portion and default to adding news without re-checking the command permissions!

To fix this, I edited a few things.

Replace lines 70-71:
Code: [Select]
$this -> register_command('all', 'news', 'MEMBER', array('del'=>'ADMIN','rem'=>'ADMIN','add'=>'ADMIN'));
$this -> register_command('all', 'headline', 'MEMBER', array('add'=>'ADMIN'));

and replace lines 171-173:

Code: [Select]
// edited to not default to 'add' without checking permissions bad!!
// (was: No keywords recognized. Assume that person in attempting to add news and forgot the "add" keyword)
return $this->get_news($name);

I hope this may be of some help (and maybe something similar could be added into the next revision?).
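Added example, not part of the original post and not BeBot's code: a stand-alone model of the bypass described above, with the alternative of authorising the resolved action rather than the typed keyword. The level names follow the post; `LEVELS`, `NEWS_ACL`, `allowed()` and `handle_news()` are hypothetical, and the gate is only a model of how the post describes the per-keyword permissions behaving.

```php
<?php
// Added illustration, not BeBot code. Level names follow the post; all else is hypothetical.
const LEVELS = ['GUEST' => 1, 'MEMBER' => 2, 'ADMIN' => 3];
// Mirrors the post's fixed registration: base level plus per-keyword overrides.
const NEWS_ACL = ['base' => 'MEMBER', 'sub' => ['add' => 'ADMIN', 'del' => 'ADMIN', 'rem' => 'ADMIN']];

function allowed(string $userLevel, string $key): bool
{
    $need = NEWS_ACL['sub'][$key] ?? NEWS_ACL['base'];
    return LEVELS[$userLevel] >= LEVELS[$need];
}

function handle_news(string $userLevel, string $sub, string $args, bool $recheck): string
{
    // Gate as modelled here: it only sees the keyword the user typed.
    if (!allowed($userLevel, $sub)) {
        return 'denied';
    }
    // Map the typed keyword to the action that will actually run.
    switch ($sub) {
        case '':
        case 'read':
            $action = 'read';
            break;
        case 'add':
            $action = 'add';
            break;
        case 'del':
        case 'rem':
            $action = 'del';
            break;
        default:
            // Fall-through from the post: an unknown keyword is treated as news text.
            $action = 'add';
            $args = trim("$sub $args");
    }
    // Hardened path: authorise the resolved action, not the typed keyword.
    if ($recheck && !allowed($userLevel, $action)) {
        return 'denied';
    }
    return "$action: $args";
}

// Constructed inputs for the four cases of interest.
var_dump(handle_news('MEMBER', 'free', 'loot tonight', false)); // keyword omitted, no re-check
var_dump(handle_news('MEMBER', 'free', 'loot tonight', true));  // keyword omitted, re-check on
var_dump(handle_news('MEMBER', 'add', 'free loot', true));      // explicit keyword, stopped at the gate
var_dump(handle_news('ADMIN', 'free', 'loot tonight', true));   // admin keeps the shorthand
```

Unlike the fix in the post, which turns the default case into a read, this variant keeps the "forgot the add keyword" convenience for users who hold the required level.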

 
