Can you make sprays that are blacklisted for keywords only show clientside? That way those who are aiming to abuse would be unsure if they were hitting the target audience, and only meatspinning themselves.
[QUOTE=Sally;46886195]Can you make sprays that are blacklisted for keywords only show clientside? That way those who are aiming to abuse would be unsure if they were hitting the target audience, and only meatspinning themselves.[/QUOTE]
Already is client side, only website whitelist is server side
[QUOTE=failcake;46886391]Already is client side, only website whitelist is server side[/QUOTE]
I believe he means only show the spray to the person who sprayed it, not sync it to every other client to be displayed
-snip-
CSRF
[QUOTE=Koji6ac9H;46891773]CSRF[/QUOTE]
That would only be an issue if the chrome browser used for Gmod had personal data, i.e. you somehow logged into a website via the chrome system it uses.
All you gotta do is spray a HTML page with the RCON iframe exploit and result... everyone is banned.
(providing the server still has rcon enabled)
can't you read the headers of the http and make sure that the mimetype is an image?
So, let's clarify some things. I've been watching this thread and helping FailCake fix some of these exploits. I've also been reading up on HTML quirks and how img tags work.
If Awesomium is as good as they claim, the URL in the img tag should be considered an image, whatever it points to (so no CSRF, iframes, whatever). All headers are discarded, unless it's a redirection. That's why I told him to re-add whitelists because a webserver could redirect you to somewhere else and it could do stuff besides that (log your IP for example). You wouldn't even need to redirect the client anyway, with your own webserver.
CSRF protection should be handled by target-able websites, not by this script.
Probably meant XSS.
You ought to capture the html into a texture and discard the HTML. It won't stop exploits, and it will break animated sprays, but it's better than having twenty html panels running about.
[editline]10th January 2015[/editline]
You could also opt to make your own server that converts input image data to base64 strings, and return those to the server to distribute to clients.
[editline]10th January 2015[/editline]
or perhaps abuse some existing service that does this
[QUOTE=Willox;46846775]"It's exploitable because you can exploit it and reasons."[/QUOTE]
And within a week, exploits have already been made, which give the user the capability to overwhelm a server's main defenses, and allow them to use exploits similar to the sv_upload exploits.
That didn't take long :v:
well to be fair, you said image files, not the links
but yeah he should at least be cutting off everything after the first ".png", and anything after and including a "?".
I plan to use this for a server I own. Can I consider it generally safe for the DarkRP community, by chance?
[QUOTE=_VeXan;46914766]I plan to use this for a server I own. Can I consider it generally safe for the DarkRP community, by chance?[/QUOTE]
If you have to ask that after reading this thread, then I wouldn't take the chance.
so is this unsafe or something... is it ok to use on servers or does it still have issues with exploits?
two suggestions:
make a simple command like !sprays that opens the menu up.
possibly make it so you can see who sprayed what spray and their steamid, similar to how spraymon does.
Use [url=http://wiki.garrysmod.com/page/util/Base64Encode]util.Base64Encode[/url]? Would prevent most exploits from working...
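
Added example, not part of the original thread and not the addon's code: a Python sketch of the checks suggested above (host whitelist, dropping the query string, requiring an image extension, verifying the bytes are an image instead of trusting the MIME header, and handing clients base64 data). The host in `ALLOWED_HOSTS`, the function names and the sample inputs are assumptions made for illustration; fetching the bytes (without following redirects) is left out so the block runs offline.

```python
import base64
import re
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"i.imgur.com"}          # assumption: example whitelist entry
IMAGE_EXTS = (".png", ".jpg", ".jpeg", ".gif")
SAFE_PATH = re.compile(r"/[A-Za-z0-9._/-]+")  # no quotes, brackets or spaces
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
}


def normalize_spray_url(url):
    """Return scheme://host/path for an acceptable spray URL, else None."""
    try:
        parts = urlsplit(url.strip())
        port = parts.port
    except ValueError:                    # malformed port or IPv6 literal
        return None
    if parts.scheme not in ("http", "https"):
        return None
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_HOSTS or parts.username is not None or port is not None:
        return None
    # Reject rather than truncate: the path must end in an image extension
    # and hold nothing that could break out of an <img src="..."> attribute.
    if not SAFE_PATH.fullmatch(parts.path) or not parts.path.lower().endswith(IMAGE_EXTS):
        return None
    return f"{parts.scheme}://{host}{parts.path}"   # query and fragment dropped


def sniff_image(data):
    """Identify the image type from leading bytes, ignoring any Content-Type."""
    for signature, mime in MAGIC.items():
        if data.startswith(signature):
            return mime
    return None


def to_data_uri(data):
    """Base64-encode verified image bytes as a data: URI, else None."""
    mime = sniff_image(data)
    if mime is None:
        return None
    return f"data:{mime};base64," + base64.b64encode(data).decode("ascii")
```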