The script my server runs is protected against illegal characters (anyone who uses one gets ipbanned instantly), and it's not hard for anyone else who is making a script or a server to add protection for it.
What's the script?
(Sorry about the double post)
It's not a public script that you've heard of, if that is what you were hoping. It was written by Lep, and my server is the only one running it currently.
I'll write a public version of the same thing tomorrow. Tonight I need to study.
    allowed = "abcedfghijklmnopqrstuvwxyz01234567890 " #Add whatever symbols are allowed here, too lazy to check myself.
    for x in chatmessage:
        if not (x in allowed or x.lower() in allowed):
            # [somehow ipban the user]
            break
I have made a standalone version of the fix Andrew's talking about, but I still need to do some debugging (some strange errors popping up) so yeah, please wait.
By installing any of the Modifications/Plugins you will be unable to automatically update your Hyvebuild copy by doing SVN Update. You will need to manually do the update.
So... is this an attempt to get some people to register @ your forum?
It is totally guest-welcome. Anyways I will post it here.
Original mod by Mizuho-chan AKA Cirno-chan, requested by AndrewPH, latest edited (and probably) improved version by tyteen4a03.
TODO: Also implement filter for Ideas, Feedback and Reports (I have no idea what they do so yeah)
This is only a rough release, and may have some bugs. Please report them here or on Minecraft forum. If it is some indentation error, sorry but I suck at them :P
Before you do anything else put the wordfilter.conf in the same folder as your server.conf.
Download the file, put the wordfilter.conf in. DO NOT REPLACE YOUR SERVER.PY WITH THE ONE IN THE ZIP OR THINGS WILL NOT WORK CORRECTLY
Edits: (all located in myne/server.py)
1. Find:
    self.config = ConfigParser()
Add below:
    self.wordfilter = ConfigParser()
2. Find:
    else:
        self.irc_relay = None
Add below:
    ####Cirno-chan hijack lol####
    #Read the word filter
    self.wordfilter.read("wordfilter.conf")
    self.filter = []
    number = int(self.wordfilter.get("filter","count"))
    for x in range(number):
        self.filter = self.filter + [[self.wordfilter.get("filter","s"+str(x)),self.wordfilter.get("filter","r"+str(x))]]
    ####Cirno-chan hijack end####
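    ####Cirno-chan hijack lol####
    #Hopefully prevent the "bomb", and apply the word filter.
    import re  #needed by messagestrip if server.py does not already import it
    def messagestrip(factory,message):
        strippedmessage = ""
        for x in message:
            #ord(x) rather than ord(str(x)): str() raises on a non-ASCII unicode character
            if ord(x) < 128:
                strippedmessage = strippedmessage + x
        message = strippedmessage
        #Apply each [search, replace] pair loaded from wordfilter.conf
        for x in factory.filter:
            rep = re.compile(x[0], re.IGNORECASE)
            message = rep.sub(x[1], message)
        return message
    ####Cirno-chan hijack end####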
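Added example (not part of the original post or the mod): a stand-alone Python 3 sketch of both approaches discussed in this thread, rejecting on an allowlist and stripping before the word filter, run against a constructed wordfilter.conf in the [filter] / count / sN / rN layout the edits above read. It goes a little further than the posted messagestrip by also dropping ASCII control characters, compiling patterns once at load and treating replacements literally; `load_filter`, `is_legal`, the printable-ASCII range and the sample config are assumptions made for this example.

```python
import configparser
import re

# Constructed sample config, same layout as the mod's wordfilter.conf:
# a [filter] section with "count" and s0/r0, s1/r1, ... pairs.
SAMPLE_CONF = """
[filter]
count = 2
s0 = darn
r0 = ****
s1 = h[e3]ck
r1 = ****
"""

def load_filter(text):
    """Return [(compiled_pattern, replacement), ...] from wordfilter text."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    rules = []
    for i in range(cp.getint("filter", "count")):
        pattern = cp.get("filter", "s%d" % i)
        try:
            compiled = re.compile(pattern, re.IGNORECASE)
        except re.error:
            # A malformed pattern in the config must not break chat:
            # fall back to matching it as literal text.
            compiled = re.compile(re.escape(pattern), re.IGNORECASE)
        rules.append((compiled, cp.get("filter", "r%d" % i)))
    return rules

def is_legal(message):
    """Reject approach: True only if every character is printable ASCII
    (32..126 is this example's assumption, not a list from the thread)."""
    return all(32 <= ord(ch) <= 126 for ch in message)

def messagestrip(rules, message):
    """Strip approach: drop non-printable/non-ASCII, then word-filter."""
    message = "".join(ch for ch in message if 32 <= ord(ch) <= 126)
    for pattern, replacement in rules:
        # A function replacement keeps backslashes in the config literal.
        message = pattern.sub(lambda m, r=replacement: r, message)
    return message

RULES = load_filter(SAMPLE_CONF)
```

Call `is_legal` on inbound chat if the server should refuse the message outright, or `messagestrip` if it should relay a cleaned copy.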
OLD as hell. REALLY old. I first saw it at TA, as I accidentally crashed everybody through unicode like "§" when I didn't type ! correctly.
That was like 6 or so months ago, maybe more. It only wasn't reported.
Did you even read the thread? I clearly state that the bug is old but the method of delivery is new, now not restricted to server admins. That is what makes this alarming.
Did a fresh round of testing tonight. Almost all servers marked vulnerable originally still are. Come on admins, are you ignoring this? It *will* bite you in the ****.
Glad I got it out of the way before it was very well known.
Can't hack my CTF. I learned my lesson quite quickly, someone did it in the middle of a game right after this thread was posted.
Really guys, this should take about 5 lines of code to fix.
Should take all of 1 second to implement.
Here are your legal characters.
Yes, but AFAIK we need not worry about any of the unicode ones in general chat as those are meant to be broadcasted *from* the server only. So we're looking at all the unbolded stuff.
The easiest way to solve the issue is to block in the following conditions:
That's what we did for MinerCPP, which made it immune to such an exploit.
Astute observation.
Edit - FTFY
Edit2 - Leaving out the third one is justified, see last post.
Try this ;)
I edited my message before you posted that (or shortly after) ;).
And I left out the third one. Yes, there's a reason.
Now I have to study before I pass out, I can already barely think.
Anyways if anyone wants it now here it is: http://wonder.hk-diy.net/forum/showthread.php?t=94
#minecrafthelp Channel Manager
<@Notch> whoa, rude language, behave
<@LG_Legacy> Oh relax notch, I'm never serious >_>
<@Notch> I DON'T CARE!!
@Notch runs away, crying
<@LG_Legacy> I made god cry? o_O"
It is totally guest-welcome. Anyways I will post it here.
Original mod by Mizuho-chan AKA Cirno-chan, requested by AndrewPH, latest edited (and probably) improved version by tyteen4a03.
TODO: Also implement filter for Ideas, Feedback and Reports (I have no idea what they do so yeah)
This is only a rough release, and may have some bugs. Please report them here or on Minecraft forum. If it is some indentation error, sorry but I suck at them :P
Before you do anything else put the wordfilter.conf in the same folder as your server.conf.
http://nanohatakamachi.x10hosting.com/?a=contentpage&p=mynewf
Download the file, put the wordfilter.conf in. DO NOT REPLACE YOUR SERVER.PY WITH THE ONE IN THE ZIP OR THINGS WILL NOT WORK CORRECTLY
Edits: (all located in myne/server.py)
1. Find:
Add below:
2. Find:
Add below:
3. Find def sendMessages
Replace whole def with
(too big so I put it in pastebin) http://tyteen4a03.pastebin.com/Qc2YjyFN
4. Find def __del__(self):
Add below the def:
Fixed.
You're correct. I must have been tired out of my mind last night, and I still am. Time to sleep.
I'll add this to my simple fList beater code. In the interim, use that code.
That's the new fList beater with protection against this. If someone could test that it would be nice, as I haven't tested yet.
http://pastebin.org/163463
New CMSS, not vulnerable.
Note that neither of these have been tested on a server or even just locally. Use at your own risk, and report any errors. :)