pvpgn / pvpgn-server

Next generation of PvPGN server
https://pvpgn.pro
GNU General Public License v2.0

Social Engineering #325

Open StevenFredette opened 7 years ago

StevenFredette commented 7 years ago

This is a trick you can play on other people to expose their IP. If you type "//d %r" it will expose your IP in the channel!

%a = number of registered accounts on the server
%c = number of currently existent channels
%g = total number of currently running games
%G = games of users with same client tag
%h = hostname of the server
%H = contact name (as set in bnetd.conf)
%i = userid of the user
%l = username
%N = name of the game the user has connected with
%m = check user's mail when they login
%r = IP of the user
%t = client tag of the user
%u = number of users currently logged in
%U = users logged in with the same client tag
%v = server version

Edelmetall2k commented 6 years ago

Isn't that only the case for Admin accounts?

RElesgoe commented 6 years ago

@Edelmetall2k I believe so

StevenFredette commented 6 years ago

It's the alias doubt command and no admin access needed.

cen1 commented 5 years ago

Hmm, taking a closer look at this, I believe the core of the problem is the aliases which take an argument, since the argument can be a placeholder var described by the OP. We don't really want to remove the replacement functionality (can be useful), so my suggestion is to:

  1. Remove the default aliases from bnalias.conf.in which take an argument so in default install there is no "exploit".
  2. Add a warning to the bnalias.conf.in to server admins who want to use the functionality (document that variable substitution does work on arguments).

@RElesgoe ?
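As an added illustration (not PvPGN code; the alias entries, the `{arg}` marker and the session values are assumptions, not the real bnalias.conf syntax), here are the two substitution orders this thread is about: expanding placeholders after the user's argument has been spliced into the alias, versus expanding only the admin-written template. It also includes the config check cen1's first point implies, listing which aliases accept an argument.

```python
import re

# Session attributes of the user who issues the command. Constructed sample
# values; the placeholder letters are the ones listed in the issue.
SESSION = {"l": "alice", "r": "203.0.113.7", "i": "42", "h": "bnet.example"}

# A placeholder is "%" followed by one letter, e.g. %r or %l.
PLACEHOLDER = re.compile(r"%([A-Za-z])")

def expand(text, session):
    """Replace every %x placeholder with its session value (unknown ones stay)."""
    return PLACEHOLDER.sub(lambda m: session.get(m.group(1), m.group(0)), text)

# Hypothetical alias entries: name -> command template. "{arg}" marks where the
# user's argument goes; this is NOT the real bnalias.conf syntax.
ALIASES = {
    "d": "/say {arg}",                         # takes an argument
    "who": "/whisper {arg} hi from %l",        # takes an argument
    "me": "you are %l (account id %i)",        # no argument
}

def run_alias_vulnerable(name, arg, session):
    """Splice the argument in first, then expand placeholders over the result.

    Anything the user typed is treated like template text, so "%r" in the
    argument expands to the user's own IP. This is the behaviour the issue
    describes."""
    return expand(ALIASES[name].replace("{arg}", arg), session)

def run_alias_hardened(name, arg, session):
    """Expand placeholders in the admin-written template only, then splice in
    the user's argument verbatim. User input never reaches expand()."""
    return expand(ALIASES[name], session).replace("{arg}", arg)

def aliases_taking_argument(aliases):
    """Config check for cen1's first suggestion: which aliases accept an
    argument and therefore need the warning (or removal from the defaults)."""
    return sorted(n for n, t in aliases.items() if "{arg}" in t)

if __name__ == "__main__":
    print(run_alias_vulnerable("d", "%r", SESSION))   # leaks 203.0.113.7
    print(run_alias_hardened("d", "%r", SESSION))     # prints %r literally
    print(aliases_taking_argument(ALIASES))           # ['d', 'who']
```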