Active+ Member Abel(Tiger) 1193 Posted January 20 Active+ Member Share Posted January 20 (edited) Hello, As the title says, there is a significant exploit in the chat link system. Given that many servers utilize this system, I believe most private servers are affected by this exploit. Essentially, someone can execute any CMD command they want on a player's computer by instructing them to click on an item. How does it work? This is the hidden content, please Sign In or Sign Up He sends this through whisper or public chat, and the player clicks on the item. The command opens notepad.exe. How can you fix it? Firstly, STOP using os.system to open links. There are special libraries for that, such as the one I will use to implement this fix. Please note that this is a straightforward fix and may not be 100% foolproof because malicious links can still be sent to open in the browser. I recommend using a link validation technique on the server side and allowing only specific links. This is the hidden content, please Sign In or Sign Up Edited January 24 by Abel(Tiger) add hide tag 148 3 30 1 1 56 Link to comment Share on other sites More sharing options...
Premium WeedHex 635 Posted January 20 Premium Share Posted January 20 (edited) Better to create also a list of allowed link roots inside the game. Edited February 11 by WeedHex 1 Link to comment Share on other sites More sharing options...
Developer Deliris 404 Posted January 20 Developer Share Posted January 20 This issue has been fixed back in 2022, check the following link: 2 1 r Link to comment Share on other sites More sharing options...
Active Member Kidro 141 Posted January 22 Active Member Share Posted January 22 (edited) Hey, if you receive error '0122 23:42:20675 :: Invalid url start https://www.youtube.com/watch?v=fy-cEY1JBao^&t=1118s' replace the whole function with: def MakeHyperlinkTooltip(self, hyperlink): tokens = hyperlink.split(":") if tokens and len(tokens): type = tokens[0] if "item" == type: self.hyperlinkItemTooltip.SetHyperlinkItem(tokens) elif "msg" == type and str(tokens[1]) != player.GetMainCharacterName(): self.OpenWhisperDialog(str(tokens[1])) elif "web" == type and (tokens[1].startswith("httpXxX") or tokens[1].startswith("httpsXxX")): link = tokens[1].replace("XxX", "://") OpenLinkQuestionDialog = uiCommon.QuestionDialog2() OpenLinkQuestionDialog.SetText1(localeInfo.CHAT_OPEN_LINK_DANGER) OpenLinkQuestionDialog.SetText2(localeInfo.CHAT_OPEN_LINK) OpenLinkQuestionDialog.SetAcceptEvent(lambda arg=TRUE: self.AnswerOpenLink(arg)) OpenLinkQuestionDialog.SetCancelEvent(lambda arg=FALSE: self.AnswerOpenLink(arg)) constInfo.link = link OpenLinkQuestionDialog.Open() self.OpenLinkQuestionDialog = OpenLinkQuestionDialog elif "sysweb" == type: open_url_in_browser(tokens[1].replace("XxX", "://")) elif "Kidro" == type or "msg" == type and str(tokens[1]) != player.GetMainCharacterName(): self.OpenWhisperDialog(str(tokens[1])) The problem is from: constInfo.link = "start " + tokens[1].replace("XxX", "://").replace("&","^&") Here's what seems to be happening: The URL is being prefixed with "start ", which is not part of a valid URL. The ampersand (&) is being replaced with ^&, which is also not standard in URLs and likely causing the issue. Edited January 22 by Kidro Link to comment Share on other sites More sharing options...
Recommended Posts