Author Topic: Open up webpage on client (Clientsided)  (Read 2069 times)

Without some sort of third party listener program, is this possible?
« Last Edit: November 01, 2013, 01:29:34 PM by DYLANzzz »

Couldn't you use the function for when you click on a link in chat?


If you want to open up a page in the client's default browser, use goToWebPage.

If you want to display a page in-game, you need to write an HTML parser.

judging by the context, he wants goToWebPage.

god you could be such a richard with that function

how

take a wild guess
open it to research websites or something

or have a "convenience" function that opens it directly to the server's website, but allow for arbitrary websites to be pushed through it
that way the server could send people wherever it wants
these no-security-training noobs on the forums would never even think to look for that kind of a vulnerability

open download links and stuff
uhh
maybe even ads

oh god why are we even saying these things

it's a client sided function

so? despite being entirely open source, the add-on system used for blockland is so unmonitored it would be easy to write a mod for "convenience" or some stuff, then leverage it to cause people annoyance

for example, suppose I make a mod that allows server hosters to have people download stuff for their server, like a client side mod or something with a custom gui, specific to that server
easy peasy.

of course, now there's gonna be some people checking these kinds of mods pretty thoroughly.

There is a crap-on system for a reason.
But who puts a function that grabs arbitrary links provided by the server? That's like having some sort of function that puts itself directly into eval for "convenience" albeit probably not THAT bad but close.

Why would you even need that functionality (to go to ANY URL from a client mod)? If anything, the clientside mod should always use some sort of base domain (like example.com) and perhaps would only tell the client to go to a specific path in that domain (like example.com/bleh, the server would send the client "bleh"). Although there's always the chance for XSS if your site is also vulnerable to that and then someone could craft a link to one of your pages.

damn straight, you need filtering.

simple: if the server host has the custom add-on, they aren't gonna host it somewhere specific (except maybe rtb) (say, that's a good idea, share rtb add-ons) they're gonna host it on their own private server, and if the creator of the convenience mod (by convenience mod, i'm referring to those kinds of mods that allow the server to do stuff on the client, like shaking their screen) were to limit it to some stupid domain, it would be totally useless.

the solution is for the convenience mod to, upon receiving a url open request, pop up a gui that says "hey brah do you want to open this url??? like, don't put your password in and stuff becuz phishing"

but a lot of people aren't bright enough for that
and a lot of people aren't checking to make sure people are doing that

and yes, there is a crap on system, but
A: it would require a lot of effort to discover it and ban it if it was a private convenience mod (find the mod, experience the exploit, reverse engineer the exploit, report the mod to badspot. at least a 2-3 day turnaround, longer if the first people exploited aren't coders and don't know what to look for.)
B: badspot doesn't just spend his day sifting through add-ons for exploits
C: people aren't spending their days sifting through add-ons for exploits so they can report them
« Last Edit: November 01, 2013, 05:04:07 PM by Lugnut »
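
The two mitigations raised in the posts above (the server sends only a path under a base URL fixed in the client mod, and the client asks before opening anything), combined in an added TorqueScript example that is not code from any poster or from Blockland. It assumes the stock Torque `MessageBoxYesNo(title, message, yesCallback, noCallback)` helper is available on the client; the `SafeLink` names, the `example.com` base and the 64-character limit are hypothetical.

```torquescript
// Added example. $SafeLink::Base and every SafeLink name are hypothetical.
// The base URL lives in the client add-on and is never taken from the server.
$SafeLink::Base = "http://example.com/";
$SafeLink::Allowed = "abcdefghijklmnopqrstuvwxyz0123456789-_/";

// Returns 1 only for a short relative path made of allow-listed characters.
function SafeLink_isValidPath(%path)
{
   %len = strlen(%path);
   if (%len < 1 || %len > 64)
      return 0;
   // No leading slash and no "//": the path cannot introduce a new host.
   if (getSubStr(%path, 0, 1) $= "/" || strpos(%path, "//") != -1)
      return 0;
   for (%i = 0; %i < %len; %i++)
   {
      // Rejects ":", ".", "@", "?", "%", quotes, "<", spaces and so on.
      if (strpos($SafeLink::Allowed, getSubStr(%path, %i, 1)) == -1)
         return 0;
   }
   return 1;
}

// Client-side handler for commandToClient(%client, 'SafeLinkOpen', %path).
function clientCmdSafeLinkOpen(%path)
{
   %path = strlwr(%path);
   if (!SafeLink_isValidPath(%path))
   {
      echo("SafeLink: rejected path from server: " @ %path);
      return;
   }
   // Keep the URL in a variable. The dialog callbacks are fixed strings,
   // so server-supplied text never becomes part of evaluated script.
   $SafeLink::Pending = $SafeLink::Base @ %path;
   MessageBoxYesNo("Open web page?",
      "This server wants to open:\n" @ $SafeLink::Pending,
      "SafeLink_confirm();", "$SafeLink::Pending = \"\";");
}

// Called only from the dialog's Yes button.
function SafeLink_confirm()
{
   if ($SafeLink::Pending $= "")
      return;
   goToWebPage($SafeLink::Pending);
   $SafeLink::Pending = "";
}
```

When reviewing a mod, the thing to look for is any `clientCmd` handler whose argument reaches `goToWebPage` or `eval` without a check like the one above.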

Ah, I get what you're getting at by convenience mod.
Yeah, that would be quite the security hole.

The other thing though, usually exploits don't come to light until someone actually abuses it. So I assume if it ever became a problem, it could be dealt with.

........


excellent post, 10/10
let me read your mind to figure out what exactly you're getting at oh wait i can't