Normal users can issue CMDs
Bug #1030613 reported by Fredrik Ullner
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
ADCH++ | Fix Released | High | Unassigned |
DC++ | Fix Released | High | Unassigned |
Bug Description
Any client may send a CMD (only B-type tested) to the hub, distributing it to any user. If done in a bot, you can effectively send tens or hundreds of these, and a receiving client will be forced to manage them, thus potentially causing a DoS scenario.
Generate the following user command in DC++ to test yourself:
Command type: Raw
Context: Hub menu
Name: RogueCommand
Command: BCMD %[mySID] Security\
Hub address: adc://
(Above command should obviously be followed by a new line.)
The hub should ignore any CMD originating from a user. Potentially allow CMDs from trusted users.
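A sketch of the hub-side check the report asks for, added here as an illustration and not taken from ADCH++ or DC++: the hub drops any CMD received from a client unless the sender is trusted. The `Sender` struct, the `trusted` flag, the function names and the sample lines are assumptions, and the check covers every message type rather than only the B-type the report tested.

```cpp
#include <cstddef>
#include <iostream>
#include <string>
#include <vector>

// Hypothetical model of a connected user; not ADCH++'s own types.
struct Sender {
    std::string sid;  // session ID assigned by the hub
    bool trusted;     // assumption: set by the hub for operators or approved bots
};

enum class Verdict { Forward, Drop };

// An ADC message starts with a one-character type followed by a
// three-character command name, e.g. "BCMD", "DCMD", "BMSG".
static std::string commandName(const std::string& line) {
    return line.size() >= 4 ? line.substr(1, 3) : std::string();
}

// Decide whether the hub relays a message received from a client.
// CMD (user command definition) is dropped whatever its type character,
// unless the sender is trusted. All other validation is out of scope here.
Verdict filterClientMessage(const Sender& from, const std::string& line) {
    if (commandName(line) == "CMD" && !from.trusted)
        return Verdict::Drop;
    return Verdict::Forward;
}

// Run the filter over a batch and count how many messages would be relayed.
std::size_t countForwarded(const Sender& from,
                           const std::vector<std::string>& lines) {
    std::size_t n = 0;
    for (const auto& l : lines)
        if (filterClientMessage(from, l) == Verdict::Forward)
            ++n;
    return n;
}

int main() {
    Sender user{"ABCD", false};  // constructed sample user
    // Constructed flood: 100 identical CMDs followed by one chat message.
    std::vector<std::string> burst(100, "BCMD ABCD Example");
    burst.push_back("BMSG ABCD hello");
    std::cout << "relayed " << countForwarded(user, burst)
              << " of " << burst.size() << " messages\n";
    return 0;
}
```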
Changed in dcplusplus:
status: New → Confirmed
importance: Undecided → High
Changed in adchpp:
importance: Undecided → High
Changed in dcplusplus:
status: Confirmed → In Progress
tags: added: win32-ui
tags: added: core; removed: win32-ui
Added DC++ to the report since DC++ doesn't overwrite the command but keeps adding it