B3 is vulnerable to sql injection
isala404 opened this issue · 2 comments
I was just looking through the code and I notice b3 don't have any defence against mysql injections. So I end up testing it on my own cod4 server with b3. 1st I just inject simple SLEEP(5) function to !lookup cmd, Guess what query sleep for 5 seconds after executing, Then I tried making some one superadmin with sql injection it also worked without any issue. As !lookup cmd is only available to admins I tried using something lower for testing I tried !seen cmd, luckily it doesn't work as I expect. I registered the whole thing just as name (with the injected query) !xlrstats also safe but nick register plugin is vulnerable to sql injection. I think we should do fix this vulnerability before it cause seriously damage. Most of the people gives b3 root access for their MySQL database as Big Brother Bot is used in nearly 1400 servers this poses a serious threat to all of those.
Hi. As this project is not (sadly) actively maintained anymore, I don't think this issue will be fixed anytime soon. You could try to send a pull request with the changes to fix the problem and provide a detailed description of the issue if you feel the need this needs to be addressed asap.
ok I will do that