
WebCompliter AmxModX


Black Rose
Veteran Member
Join Date: Feb 2011
Location: Stockholm, Sweden
Old 10-23-2013 , 14:19   Re: WebCompliter AmxModX
Reply With Quote #11

Quote:
Originally Posted by BAILOPAN View Post
I don't recommend running the webcompiler in any way unless you've jailed it server-side. It's not secure.

A more modern solution is to run something like SPIDER: http://spider.limetech.org/ which is entirely client-side.
Are you saying you could send malicious code as input source to make the compiler do horrible things or that the PHP script is the failing link?

SPIDER is not very user friendly with support for 3 browsers. I understand that the problem is the support from the browser, not for but in the end user is the one suffering. I love my Opera.
__________________

Last edited by Black Rose; 10-23-2013 at 14:22.
asherkin
SourceMod Developer
Join Date: Aug 2009
Location: OnGameFrame()
Old 10-23-2013 , 14:44   Re: WebCompliter AmxModX
Reply With Quote #12

Quote:
Originally Posted by Black Rose View Post
I love my Opera.
It appears to work fine in the current version of Opera (which is unsurprising considering it's basically Chrome).
__________________
Black Rose
Veteran Member
Join Date: Feb 2011
Location: Stockholm, Sweden
Old 10-23-2013 , 15:43   Re: WebCompliter AmxModX
Reply With Quote #13

Quote:
Originally Posted by asherkin View Post
It appears to work fine in the current version of Opera (which is unsurprising considering it's basically Chrome).
I'm not using the latest Opera. It's useless. Still using 12.16. When loading the site I was presented with this:
Code:
SPIDER is dependent on some fairly recent browser features, if you're not using the latest (and I really mean the latest) version of Chrome, Firefox, or Internet Explorer it'll likely be horribly broken.
Opera was not mentioned, therefore my reaction.
__________________

Last edited by Black Rose; 10-23-2013 at 15:44.
BAILOPAN
Join Date: Jan 2004
Old 10-23-2013 , 20:37   Re: WebCompliter AmxModX
Reply With Quote #14

Quote:
Originally Posted by Black Rose View Post
Are you saying you could send malicious code as input source to make the compiler do horrible things or that the PHP script is the failing link?

SPIDER is not very user friendly with support for 3 browsers. I understand that the problem is the support from the browser, not for but in the end user is the one suffering. I love my Opera.
The former; the compiler is very sketchy C code that is basically entirely unaudited, and you're essentially invoking it with arbitrary input strings of arbitrary length from the user. It's definitely an unknown risk.

Unfortunately, the Presto-based Opera clients will quickly become obsolete in general as they don't support newer web technologies and that gap will only widen. So that might be a tough card to hang on to.
__________________
egg
BAILOPAN
Join Date: Jan 2004
Old 10-23-2013 , 20:40   Re: WebCompliter AmxModX
Reply With Quote #15

Btw, the reason SPIDER is safe is because it compiled spcomp from C++ to JavaScript, which is inherently sandboxed. You could do that server-side too, and invoke the compiler through node.js or SpiderMonkey or something. Then the attack surface is much smaller. There's a lot of ways to approach this, chroot jail of some kind would work too.

I just don't want to put people at risk
__________________
egg

Last edited by BAILOPAN; 10-23-2013 at 20:41.
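
The post above describes the risk as invoking unaudited C code with arbitrary-length user input, and suggests confining it server-side. The following is an added example, not code from the thread or from the AMX Mod X project: a Python wrapper that caps input size, keeps user strings off the command line, and runs the compiler under resource limits and a timeout. The argv template, file names and limit values are assumptions, and `cp` stands in for the real compiler; this bounds resources only, so the filesystem isolation (chroot or similar) mentioned in the post is still needed around it.

```python
import os, resource, subprocess, tempfile

MAX_SOURCE_BYTES = 256 * 1024  # assumed cap on submitted source size

def _cap(which, value):
    # Never try to raise a limit above the hard limit we inherited.
    hard = resource.getrlimit(which)[1]
    if hard != resource.RLIM_INFINITY:
        value = min(value, hard)
    resource.setrlimit(which, (value, value))

def _limits():
    # Runs in the child between fork and exec.
    _cap(resource.RLIMIT_CPU, 2)            # seconds of CPU time
    _cap(resource.RLIMIT_AS, 512 * 2**20)   # address space
    _cap(resource.RLIMIT_FSIZE, 4 * 2**20)  # largest file it may write
    _cap(resource.RLIMIT_CORE, 0)           # no core dumps

def compile_untrusted(source, argv_template, wall_timeout=5):
    """Return (status, compiled_bytes_or_None, compiler_log)."""
    if len(source) > MAX_SOURCE_BYTES:
        return ("rejected", None, "source too large")
    with tempfile.TemporaryDirectory(prefix="webcompile-") as work:
        # Fixed names: no user-supplied string reaches the command line.
        src = os.path.join(work, "plugin.sma")
        out = os.path.join(work, "plugin.amxx")
        with open(src, "wb") as fh:
            fh.write(source)
        argv = [a.replace("{src}", src).replace("{out}", out)
                for a in argv_template]
        try:
            proc = subprocess.run(
                argv, cwd=work, env={"PATH": "/usr/bin:/bin"},
                stdin=subprocess.DEVNULL, stdout=subprocess.PIPE,
                stderr=subprocess.STDOUT, timeout=wall_timeout,
                preexec_fn=_limits)
        except subprocess.TimeoutExpired:
            return ("timeout", None, "")
        log = proc.stdout[:65536].decode("utf-8", "replace")
        if proc.returncode != 0 or not os.path.isfile(out):
            return ("failed", None, log)
        with open(out, "rb") as fh:
            return ("ok", fh.read(), log)

if __name__ == "__main__":
    # Constructed input; "cp" stands in for the real compiler binary.
    print(compile_untrusted(b"public plugin_init() {}\n", ["cp", "{src}", "{out}"]))
```
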
YamiKaitou
Has a lovely bunch of coconuts
Join Date: Apr 2006
Location: Texas
Old 10-24-2013 , 00:49   Re: WebCompliter AmxModX
Reply With Quote #16

It would be nice if SPIDER supported AMXX as well
__________________
ProjectYami Laboratories

I do not browse the forums regularly anymore. If you need me for anything (asking questions or anything else), then PM me (be descriptive in your PM, message containing only a link to a thread will be ignored).
Neeeeeeeeeel.-
Some Guy Yellin'
Join Date: Jul 2010
Location: Argentina
Old 10-24-2013 , 20:27   Re: WebCompliter AmxModX
Reply With Quote #17

Quote:
Originally Posted by BAILOPAN View Post
I don't recommend running the webcompiler in any way unless you've jailed it server-side. It's not secure.

A more modern solution is to run something like SPIDER: http://spider.limetech.org/ which is entirely client-side.
This is how I did "my" attachment auto compiler & web compiler :p it's safer
PHP Code:
<?php
define("IN_MYBB", 1);
define("IN_PORTAL", 1);
define('THIS_SCRIPT', 'portal.php');
require_once "global.php";

// All three identifiers are forced to integers before use.
$id  = intval($_GET['id']);
$pid = intval($_GET['pid']);
$aid = intval($_GET['aid']);

if (isset($_GET['aid'])) {
    // Load the attachment and strip the 4-character extension from its name.
    $query = $db->simple_select("attachments", "*", "aid='{$aid}'");
    $attachment = $db->fetch_array($query);
    $name = $attachment['filename'];
    $name = substr($name, 0, strlen($name) - 4);
    $plug = file_get_contents($mybb->settings['uploadspath']."/".$attachment['attachname']);

    // Forward the source to the remote web compiler as a form POST.
    $postdata = http_build_query(
        array(
            'fname' => $name,
            'scode' => $plug,
            'go' => 'send'
        )
    );
    $opts = array('http' =>
        array(
            'method'  => 'POST',
            'header'  => 'Content-type: application/x-www-form-urlencoded',
            'content' => $postdata
        )
    );
    $context = stream_context_create($opts);
    $result = file_get_contents('http://www.amxmodx.org/webcompiler.cgi', false, $context);
    $succed = preg_match("/Your plugin successfully compiled/", $result);

    // Keep only word characters and spaces in the name, then record the attempt.
    $name = preg_replace("/[^ \w]+/", "", $name);
    $data = Array("name"=>$name, "uploader"=>"0", "success"=>$succed);
    $localID = $db->insert_query("plugins", $data);
    if ($succed) {
        // Pull the remote download ID out of the result page.
        preg_match("/go=dl&id=(.*?)'>/", $result, $matches);
        $remoteID = $matches[1];
        $attachupdate = array(
            "downloads" => $attachment['downloads']+1,
        );
        $db->update_query("attachments", $attachupdate, "aid='{$attachment['aid']}'");
    } else {
        echo "<script>alert('Error de compilacion.');</script>";
        exit();
    }

    // Fetch the compiled plugin and store it under the local plugin ID.
    $url = 'http://www.amxmodx.org/webcompiler.cgi?go=dl&id='.$remoteID;
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    $data = curl_exec($ch);
    curl_close($ch);
    $path = "plugins/".$localID.".amxx";
    $size = file_put_contents($path, $data);

    // Send the stored file to the browser as a download.
    header('Content-Description: File Transfer');
    header('Content-Type: application/octet-stream');
    header("Content-Disposition: attachment; filename=\"$name.amxx\"");
    header('Content-Transfer-Encoding: binary');
    header('Connection: Keep-Alive');
    header('Expires: 0');
    header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
    header('Pragma: public');
    header('Content-Length: ' . $size);
    echo file_get_contents($path);
} else {
    // Serve a previously compiled plugin by its local ID.
    $query = $db->simple_select("plugins", "name", "id='".$pid."'");
    $name = $db->fetch_field($query, "name");
    $path = "plugins/".$pid.".amxx";
    if (isset($_GET['id'])) {
        // Try to refresh the local copy from the remote compiler.
        $url = 'http://www.amxmodx.org/webcompiler.cgi?go=dl&id='.$id;
        $ch = curl_init($url);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        $data = curl_exec($ch);
        curl_close($ch);
        if (preg_match("/Welcome to the AMX Mod X Web Compiler/", $data)) {
            // The remote returned its landing page, not a file: keep the local copy.
            $size = filesize($path);
        } else {
            $size = file_put_contents($path, $data);
        }
    } else {
        $size = filesize($path);
    }
    if (!file_exists($path)) {
        header("Location: ".$mybb->settings['bburl']."/".THIS_SCRIPT."?p=compilador");
    } else {
        header('Content-Description: File Transfer');
        header('Content-Type: application/octet-stream');
        header("Content-Disposition: attachment; filename=\"$name.amxx\"");
        header('Content-Transfer-Encoding: binary');
        header('Connection: Keep-Alive');
        header('Expires: 0');
        header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
        header('Pragma: public');
        header('Content-Length: ' . $size);
        echo file_get_contents($path);
    }
}
?>
__________________
All times are GMT -4.