Semi Malicious Bug

With the use of APIs, it is possible to obtain a user's following date; with additional stuff added to it, you can make Nightbot say something that is completely irrelevant to the command being used.

For example, normally !followage test would say something like: Test has been following Streamer for 4 months, 9 days, 3 hours, 10 seconds. But with the ?format tag, it's possible to add additional text to it. For example, !followage test?format=\t\h\e%20\d\a\w\n%20\o\f%20\t\h\e%20\U\n\i\v\e\r\s\e& would become: Test has been following Streamer since the dawn of the Universe. Adding notext& to the end of what I said above turns the response into: the dawn of the Universe

This seems malicious as it can generate any text (unsure if ASCII works).
This works with /me, but any other command displays a fail-safe: "Server commands other than /me are blocked."

It doesn't seem this can be used maliciously to run any command, such as banning random people, but it could be used to bypass a channel's moderation filters, which seems pretty bad.

Hiya, I was interested in this topic since it's using my follow length check API. However, I'm not really sure how this is malicious. Yes, by setting the format URL parameter as a variable for viewers to enter, you can get all the text output you want.
It's basically the same as !commands add !test $(query).

The format parameter should be set by the mod/owner who sets up the command and not by the viewer.
I mean, I can strip the backslashes; however, why would I not allow a format like this:

<?php
// prints something like: Wednesday the 15th
// backslash-escaped letters (\t\h\e) are emitted literally by date()
echo date('l \t\h\e jS');
?>

If I am missing something, please let me know.

Ah, never mind, looking at the screenshot again I see what you mean. Fixed now, thanks for letting me know.
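Added example, not code from the thread, from the follow-length API, or from the fix its author applied (the thread does not say what that fix was): a small Python emulation of the PHP date() format rules the report and the reply rely on. It shows how a viewer-supplied ?format= value is turned into arbitrary text through backslash escapes, and one hypothetical mitigation, a preset table, that keeps a format like 'l \t\h\e jS' available to the command owner while refusing free-form formats from viewers. The follow date, the user and streamer names, the query dictionary shape and the preset names are all constructed for the example.

```python
from datetime import datetime, timezone
from urllib.parse import unquote


def _suffix(day: int) -> str:
    """English ordinal suffix, as PHP's 'S' format character produces."""
    if 11 <= day % 100 <= 13:
        return "th"
    return {1: "st", 2: "nd", 3: "rd"}.get(day % 10, "th")


# Emulation of the subset of PHP date() format characters used here.
# Any other character is passed through unchanged, and a backslash makes
# the next character literal, which is what lets letters be smuggled in.
FORMAT_CHARS = {
    "l": lambda d: d.strftime("%A"),  # full weekday name
    "j": lambda d: str(d.day),        # day of month without leading zero
    "S": lambda d: _suffix(d.day),    # st / nd / rd / th
    "F": lambda d: d.strftime("%B"),  # full month name
    "Y": lambda d: str(d.year),       # four-digit year
}


def php_date(fmt: str, when: datetime) -> str:
    """Render `when` using PHP-style format string `fmt` (subset emulation)."""
    out = []
    i = 0
    while i < len(fmt):
        c = fmt[i]
        if c == "\\":
            if i + 1 < len(fmt):
                out.append(fmt[i + 1])  # escaped character is emitted literally
            i += 2  # a trailing lone backslash is dropped in this emulation
            continue
        out.append(FORMAT_CHARS[c](when) if c in FORMAT_CHARS else c)
        i += 1
    return "".join(out)


# Hypothetical follow-age endpoint modelled on the thread's description:
# ?format= is applied to the follow date, ?notext drops the sentence.
def followage_reply(user: str, streamer: str, since: datetime, query: dict) -> str:
    fmt = unquote(query.get("format", r"F jS, Y"))
    when = php_date(fmt, since)
    if "notext" in query:
        return when
    return f"{user} has been following {streamer} since {when}"


# Hypothetical hardening: the API accepts only a preset *name*; the real
# format strings live server-side, so '\t\h\e' stays usable by whoever
# sets up the command but viewers cannot supply arbitrary escaped text.
PRESETS = {
    "default": r"F jS, Y",
    "weekday": r"l \t\h\e jS",
}


def followage_reply_presets(user: str, streamer: str, since: datetime, query: dict) -> str:
    fmt = PRESETS.get(query.get("format", "default"), PRESETS["default"])
    return f"{user} has been following {streamer} since {php_date(fmt, since)}"


# Constructed follow date (a Wednesday) and the payload from the report,
# minus the trailing '&', which only separates URL parameters.
SAMPLE_SINCE = datetime(2016, 6, 15, tzinfo=timezone.utc)
PAYLOAD = r"\t\h\e%20\d\a\w\n%20\o\f%20\t\h\e%20\U\n\i\v\e\r\s\e"

if __name__ == "__main__":
    print(php_date(r"l \t\h\e jS", SAMPLE_SINCE))
    print(followage_reply("Test", "Streamer", SAMPLE_SINCE, {"format": PAYLOAD}))
    print(followage_reply("Test", "Streamer", SAMPLE_SINCE, {"format": PAYLOAD, "notext": ""}))
    print(followage_reply_presets("Test", "Streamer", SAMPLE_SINCE, {"format": PAYLOAD}))
    print(followage_reply_presets("Test", "Streamer", SAMPLE_SINCE, {"format": "weekday"}))
```

The preset approach is only one option; it trades flexibility for a closed set of outputs, which is the property that stops the bot from relaying viewer-chosen text past a channel's filters.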

