[Bug] setdeity command does some insecure things
#1 Oct 29, 2005, 5:05 pm, last edited Nov 13, 2005, 8:49 am by Samson

Samson

Bug: setdeity command does some insecure things
Discovered in: AFKMud 1.76a
Danger: Medium - Possible data corruption
Found by: Remcon
Fixed by: Remcon

---

deity.c, do_setdeity

Locate:
   argument = one_argument( argument, arg1 );
   argument = one_argument( argument, arg2 );


Above that, add:
   smash_tilde( argument );


Locate:
   if( !str_cmp( arg2, "name" ) )
   {
      STRFREE( deity->name );
      deity->name = STRALLOC( argument );
      send_to_char( "Done.\n\r", ch );
      save_deity( deity );
      return;
   }


Change to:
   if( !str_cmp( arg2, "name" ) )
   {
      DEITY_DATA *udeity;

      /* Refuse an empty name. */
      if( !argument || argument[0] == '\0' )
      {
         send_to_char( "You can't set a deity's name to nothing.\r\n", ch );
         return;
      }
      /* Refuse a name that another deity already uses. */
      if( ( udeity = get_deity( argument ) ) )
      {
         send_to_char( "There is already another deity with that name.\r\n", ch );
         return;
      }
      STRFREE( deity->name );
      deity->name = STRALLOC( argument );
      send_to_char( "Done.\r\n", ch );
      save_deity( deity );
      return;
   }


Locate:
   if( !str_cmp( arg2, "filename" ) )
   {
      DISPOSE( deity->filename );
      deity->filename = str_dup( argument );
      send_to_char( "Done.\n\r", ch );
      save_deity( deity );
      write_deity_list(  );
      return;
   }


Change to:
   if( !str_cmp( arg2, "filename" ) )
   {
      char filename[256];

      /* Refuse an empty filename. */
      if( !argument || argument[0] == '\0' )
      {
         send_to_char( "You can't set a deity's filename to nothing.\r\n", ch );
         return;
      }
      /* Delete the file saved under the old filename; remove() returns 0 on success. */
      snprintf( filename, 256, "%s%s", DEITY_DIR, deity->filename );
      if( !remove( filename ) )
         send_to_char( "Old deity file deleted.\r\n", ch );
      DISPOSE( deity->filename );
      deity->filename = str_dup( argument );
      send_to_char( "Done.\r\n", ch );
      save_deity( deity );
      write_deity_list( );
      return;
   }


Like the makedeity command, input isn't being properly validated on the setdeity command and is therefore vulnerable to some classic security problems because of it. Having your data deleted accidentally (or on purpose) because of dumb bugs like this just sucks.
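
One way to validate a new deity filename before it is stored or joined to DEITY_DIR, given here as an added example that is not part of the original post or the AFKMud source. The helper names, the allowed character set, the 64-character cap and the DEITY_DIR value are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#ifndef DEITY_DIR
#define DEITY_DIR "../deity/"   /* assumed value, for this example only */
#endif

/* Hypothetical helper: accept only a plain file name built from letters,
 * digits, '_', '-' and '.', not starting with '.' and without "..".
 * This rejects "", path separators, and '~' in a single pass. */
bool valid_deity_filename( const char *name )
{
   size_t len, i;
   if( !name || name[0] == '\0' || name[0] == '.' )
      return false;
   if( ( len = strlen( name ) ) > 64 )   /* cap chosen for the example */
      return false;
   for( i = 0; i < len; ++i )
   {
      unsigned char c = ( unsigned char )name[i];
      if( !( ( c >= 'a' && c <= 'z' ) || ( c >= 'A' && c <= 'Z' )
          || ( c >= '0' && c <= '9' ) || c == '_' || c == '-' || c == '.' ) )
         return false;
   }
   return strstr( name, ".." ) == NULL;
}

/* Hypothetical helper: write DEITY_DIR + name into out. Returns false if
 * the name is rejected or the result would not fit (snprintf truncation). */
bool build_deity_path( char *out, size_t outlen, const char *name )
{
   int n;
   if( !valid_deity_filename( name ) )
      return false;
   n = snprintf( out, outlen, "%s%s", DEITY_DIR, name );
   return n > 0 && ( size_t )n < outlen;
}

int main( void )
{
   /* Constructed sample inputs, not taken from the original post. */
   const char *samples[] = { "odin.dty", "../other/file", "a~b", "" };
   char path[256];
   for( size_t i = 0; i < sizeof( samples ) / sizeof( samples[0] ); ++i )
      printf( "%-16s -> %s\n", samples[i],
         build_deity_path( path, sizeof( path ), samples[i] ) ? path : "rejected" );
   return 0;
}
```

In do_setdeity, a check like this would sit at the top of the "filename" branch, next to the empty-argument test, so that a rejected name never reaches remove() or save_deity().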