oeed / Quest

Quest - ComputerCraft HTML Based Web Browser
MIT License

_G and getfenv(read) Exploit #6

Open atenfyr opened 9 years ago

atenfyr commented 9 years ago

In Quest, the fs and os APIs are not included in LuaScript for security reasons; however, the _G table is. If either of these APIs is preceded with "_G.", the APIs will be unlocked to their full potential, therefore pretty much breaking the sandbox entirely.

For example, this file when viewed via Quest will download a file that prints a message on boot. This exploit could get extremely dangerous if the computer running the malicious webpage is a command computer.

atenfyr commented 9 years ago

The same issue seems to come into play with getfenv(read) as well. Take a look at this as well; it's the same as the _G exploit but with getfenv() (and presumably setfenv).
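
A defensive sketch of a sandbox environment that closes both routes reported above, as an added example that is not part of the issue thread or Quest's own code. It assumes Lua 5.1 semantics (setfenv, getfenv, loadstring) as in ComputerCraft; the names ALLOWED, ALLOWED_LIBS, makeSandboxEnv and runSandboxed are hypothetical.

```lua
-- Added example, not Quest's code. Assumes Lua 5.1 semantics
-- (setfenv/getfenv/loadstring). All names here are hypothetical.

-- Allow-list copied into the sandbox. fs and os are deliberately absent, and so
-- are loadstring, load, setfenv and getmetatable, which can reach outside the env.
local ALLOWED = { "print", "pairs", "ipairs", "next", "select", "unpack",
                  "tostring", "tonumber", "type", "pcall", "error" }
local ALLOWED_LIBS = { "string", "table", "math" }

local function shallowCopy(t)
  local c = {}
  for k, v in pairs(t) do c[k] = v end
  return c
end

local function makeSandboxEnv()
  local env = {}
  for _, name in ipairs(ALLOWED) do env[name] = _G[name] end
  -- Copy library tables so a script cannot overwrite the host's own functions.
  for _, name in ipairs(ALLOWED_LIBS) do env[name] = shallowCopy(_G[name]) end
  -- Inside the sandbox, _G is the sandbox table itself, never the real globals,
  -- so "_G.fs" resolves against the allow-list.
  env._G = env
  -- getfenv ignores its argument and always answers with the sandbox env, so
  -- getfenv(read) or getfenv(print) cannot hand back the host environment.
  env.getfenv = function() return env end
  return env
end

-- Compile untrusted page script text and run it with a fresh sandbox env.
local function runSandboxed(source, chunkName)
  local fn, err = loadstring(source, chunkName)
  if not fn then return false, err end
  setfenv(fn, makeSandboxEnv())
  return pcall(fn)
end

-- Constructed sample scripts, one per route described in the issue.
local ok, viaG = runSandboxed("return _G.fs", "via_G")
assert(ok and viaG == nil)
local ok2, viaFenv = runSandboxed("return getfenv(print).os", "via_getfenv")
assert(ok2 and viaFenv == nil)
-- Allow-listed functionality still works.
local ok3, kind = runSandboxed("return type(string.len)", "allowed")
assert(ok3 and kind == "function")
```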