Someone uploaded an add-on containing the common library Support_AdminEvents.cs in it to BLG. The system automatically picked up an Eval command, and while looking at it, I saw it had a large vulnerability. Discussion with the author revealed that this is widely used.
The code in question is as follows:

    function serverCmdAddEvent(%client, %delay, %input, %target, %a, %b, %output, %par1, %par2, %par3, %par4)
    {
        // Define aLevel based on whether the client is host, super admin, admin, or none
        if(%client.bl_id == getNumKeyID())
            %aLevel = 3;
        else if(%client.isSuperAdmin)
            %aLevel = 2;
        else if(%client.isAdmin)
            %aLevel = 1;
        else
            %aLevel = 0;

        // Get more information about what event the client chose
        %class = getWord(getField($InputEvent_TargetListfxDTSBrick_[%input], %a), 1);
        eval("%name = $OutputEvent_Name" @ %class @ "_" @ %output @ ";");
        %reqLevel = $AdminOutputEvent[%class, %name];

        // Does the client have sufficient privileges to use this event?
        if(%reqLevel > %aLevel)
            messageClient(%client, '', 'You do not have a sufficient admin level to use the event %1::%2. It has been removed from your brick.', %class, %name);
        else
            Parent::serverCmdAddEvent(%client, %delay, %input, %target, %a, %b, %output, %par1, %par2, %par3, %par4);
    }
As you can see, %output is completely exposed. For example:
/addEvent delay input target a b output;quit()
would turn into %name = $OutputEvent_NameSomeClass_output;quit();, which would obviously shut down the server.
Scripters, please review your add-ons. You can replace the entire eval line with the following array-style lookup, which uses %output as a variable name key instead of splicing it into code:

    %name = $OutputEvent_Name[%class @ "_" @ %output];
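For reference, here is a hardened version of the whole command as an added example (not the add-on's own code): the eval is replaced with the array lookup above, and %output is rejected up front unless it is a plain identifier. It assumes the same globals as the original ($InputEvent_TargetListfxDTSBrick_, $OutputEvent_Name*, $AdminOutputEvent), Torque's stripChars(), and a hypothetical package name Support_AdminEvents_Safe.

```torquescript
// Added example, not from the original add-on.
// Returns true only when %str is non-empty and made of [A-Za-z0-9_].
function isSafeIdentifier(%str)
{
    if(%str $= "")
        return false;
    %allowed = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_";
    // stripChars removes every allowed character; anything left over is disallowed
    return stripChars(%str, %allowed) $= "";
}

package Support_AdminEvents_Safe // hypothetical package name
{
    function serverCmdAddEvent(%client, %delay, %input, %target, %a, %b, %output, %par1, %par2, %par3, %par4)
    {
        // Admin level, same as the original
        if(%client.bl_id == getNumKeyID())
            %aLevel = 3;
        else if(%client.isSuperAdmin)
            %aLevel = 2;
        else if(%client.isAdmin)
            %aLevel = 1;
        else
            %aLevel = 0;

        // %output comes straight from the client: refuse it before any lookup
        // unless it is a bare identifier. No eval() anywhere in this path.
        if(!isSafeIdentifier(%output))
        {
            messageClient(%client, '', 'Invalid event arguments; the event has been removed from your brick.');
            return;
        }

        %class = getWord(getField($InputEvent_TargetListfxDTSBrick_[%input], %a), 1);

        // Array-style lookup: %output is a key into a global, never code
        %name = $OutputEvent_Name[%class @ "_" @ %output];
        %reqLevel = $AdminOutputEvent[%class, %name];

        if(%reqLevel > %aLevel)
            messageClient(%client, '', 'You do not have a sufficient admin level to use the event %1::%2. It has been removed from your brick.', %class, %name);
        else
            Parent::serverCmdAddEvent(%client, %delay, %input, %target, %a, %b, %output, %par1, %par2, %par3, %par4);
    }
};
activatePackage(Support_AdminEvents_Safe);
```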