Time Nick Message
04:40 cornernote_ Just did a google search for grandfather clock, forgot the L... Noooo!
05:09 Brackston LOL So it came back with hits for Old roosters?
07:40 * wilkgr wonders whether to or not
07:41 wilkgr Perhaps not
10:15 JDCodeIt @Gundul - somebody mean attacked your Jungle server today
10:23 JDCodeIt @Gundul - it seems a normal user was able to join and locate all the players and place ignited TNT at their position
11:13 JDCodeIt Gundul: While someone was blowing me up with TNT I did get kicked with a message about "There is a F****G bug in world edit - fix it" or something of that nature. Hope that helps you find the culprit
11:16 wilkgr JDCodeIt, I'm pretty sure Gundul isn't online. :/
11:16 red-002 someone didn't patch
11:16 JDCodeIt Yes, but he could read the log later I hope. Is this a known bug?
11:17 wilkgr aye
11:17 red-002 aye aye captin
11:17 red-002 there is a fix for it already
11:19 JDCodeIt red-002: is it in the server code or worldedit mod?
11:20 red-002 mod
11:20 red-002 plus looking at whats happening it looks like someone didn't enable mod security
11:20 Calinou the MinetestForFun Skyblock server got cracked as well, someone reported an issue
11:21 red-002 this might well be the worst security exploit in minetest history
11:22 JDCodeIt Hospitals, trains, and Minetest all in the same 24 hours?
11:28 JDCodeIt red-002: Uberi on Github shows last update a day ago with "Remove useless privilege checks" - was this fix just in the last couple of days?
11:28 Krock fixed in https://github.com/Uberi/Minetest-WorldEdit/commit/0ce45a5
11:32 JDCodeIt Krock: so arbitrary LUA could be run via the worldedit GUI?
11:32 Krock here's LUA: https://github.com/mniip/LUA
11:32 Krock no. but if you mean Lua, then yes.
11:32 Krock since the keywords differ
11:36 JDCodeIt Krock: Is anyone in the MT community trying to contact server owners? Seems this will be exploited further.
11:40 sfan5 don't think anyone is attempting that right now
11:40 Krock 27% of the announced servers most likely have the security leak
11:41 Krock meanwhile 51% have worldedit
11:48 Out`Of`Control does it effect if WE GUI is off?
11:49 Krock no
11:51 Out`Of`Control good
11:53 Out`Of`Control how many servers got hacked?
11:53 Out`Of`Control beside 2
11:53 Fixer hmmmmm, so it is real
11:54 Fixer i remember some said he had access to creative via worldedit gui or smth... this is real
11:54 Out`Of`Control :O
11:55 ThomasMonroe ? how is that possible
11:55 Fixer probably via "Run Lua" ?
11:55 DS-minetest the only secure bug i know about worldedit gui is that the lua feature could be used without server
11:56 DS-minetest but you would need we priv
11:56 Out`Of`Control + name = "Run Lua", privs = minetest.chatcommands["/clearobjects"].privs,
11:57 Out`Of`Control good i disable GUI part from day 1
11:58 Fixer someone should announce it on forum
11:58 red-002 I wonder what other common mods have exploits
11:58 red-002 I agree with Fixer
11:58 Fixer to update worldedit immediately
11:59 Fixer but without giving details about how exploit works
11:59 shivajiva ^^
11:59 red-002 Responsible disclosure much?
11:59 red-002 someone make a post on the news subforum
12:01 JDCodeIt the dope had written lua to list all players then place lit TNT at their position. But I guess it could be worse.
12:02 Fixer executed it via "run lua"?
12:02 JDCodeIt don't know. I was the recipient of being blown up.
12:03 red-002 I wonder what other mods have this exploit
12:03 red-002 xban had it till the end of last year
12:15 Krock List of mods used on servers: https://pastebin.com/raw/nkFXpin7
12:18 Fixer Krock: can you make a list of affected servers? need to check where i need to change my password
12:23 Out`Of`Control worldedit_gui 26% (17)
12:24 red-002 fun
12:24 Krock Fixer, https://pastebin.com/raw/4NXGQ4Ej
12:25 Krock where fresh started = uptime < 1 day
12:25 Fixer reason?
12:25 Krock but I can't say more precisely which servers can be affected
12:26 Krock all that aren't marked as (fresh started) are definitely attackable
12:26 davisonio mine was also affected - fixed now though and mod security enabled
12:26 Fixer davisonio: craigs server?
12:26 davisonio yes
12:27 davisonio It's down at the mo though (back in a couple hours)
12:29 DuCake I just was told my server was affected by a hack though I'm travelling so not much info.... all I can say is mod security was enabled at the time but was still affected.... deactivated WorldEdit, I'm hoping that would be sufficient to mitigate for now...?
12:30 davisonio if it's the world edit_gui hack you're talking about yes It's sufficient
12:30 davisonio get the latest version for the fix
12:31 DuCake k cheers
12:33 sfan5 mod security does not help here
12:33 Krock sure it does. prevents from accessing system relevant data
12:34 Krock unless the command does around that
12:35 red-002 mod security stops someone from controlling your whole system when this sort of exploit happens
12:37 red-002 I'm hearing reports of people wiping logs which I assume is a side effect of people not enabling mod security
12:39 JDCodeIt destruction in progress at MM-Survival - tnt blasts can be heard. Admin is not available.
12:40 Krock hmm.. how about //worldedit_gui_lua minetest.settings:set("secure.enable_security", "true") ?
12:40 Krock s/true/false/
12:42 Krock nvm, blocked by engine
12:42 red-002 JDCodeIt, this might sound a bit black hat
12:42 red-002 but why not shutdown the server?
12:43 Fixer what exactly fixed that exploit?
12:43 Fixer "Do not allow any worldedit_gui commands without privs" this
12:43 red-002 is it moral to disable a system to stop it from being abused?
12:44 Krock Fixer, yes
12:44 JDCodeIt not my servers... I just try to notify the admins where possible.
12:44 Fixer Krock: when vulnerability was introduced? few days ago?
12:45 Krock dec 2013
12:45 Out`Of`Control old bug
12:45 Fixer kek
12:45 Krock alost a few days ago
12:45 Krock *almost
12:45 JDCodeIt The "fix" was yesterday, but it must have been in there a long time - the fix was probably the alert that the hackers caught on to
12:46 red-002 well the whole shutting down the server to stop it being exploited moral question is kinda pointless
12:46 Fixer Krock: give me full list of servers with worldedit_gui (not just fresh guys), pm me, do not expose it
12:46 red-002 the law is pretty clear about this
12:46 Krock Fixer, these are all
12:46 Fixer no way
12:46 Fixer very few?
12:46 Out`Of`Control 17
12:47 Krock notice that not all are marked with (fresh started)
12:47 Out`Of`Control 1/3
12:47 Fixer how about shutdowning exposed servers now?
12:47 Krock what if they have restart scripts?
12:50 red-002 Krock, some of them will not
12:54 red-002 JDCodeIt, any sign of the admin?
12:55 fwhcat our server has been hacked the same way this night (Mynetest) and another french one too (Axinite)
12:56 Fixer oh
12:56 Fixer i was gonna join it to warn admins
12:56 JDCodeIt fwhcat: was it a map destruction with tnt, or other type of takeover?
12:57 red-002 JDCodeIt, does the admin check backups?
12:57 red-002 if not then maybe the server should be shutdown
12:58 red-002 is anyone with the privs to shutdown the server online?
12:58 JDCodeIt red-002 - I don't know the admin personally. He mentioned that his map was 19 GB, so not sure how often that is backed up
12:58 celeron55 i'm pretty sure there are non-secured settings that allow disabling a server
12:58 Fixer is not you can shutdown via lua?
12:59 celeron55 like... setting an invalid bind_address
12:59 red-002 or running shutdown?
13:00 celeron55 i mean, in case there's a restart script
13:01 red-002 kick every one on join even
13:02 Krock max_users = 0
13:02 red-002 ^
13:02 Fixer and change MOTD
13:02 red-002 well no
13:02 red-002 people with server privs can bypass that krock
13:02 Fixer to update your worldedit now
13:02 red-002 which I assume the attackers have by now
13:04 MinetestBot [git] sfan5 -> minetest/master-server: Re-add banlist features 705ea6e https://git.io/v976e (2017-05-14T13:03:05Z)
13:06 red-002 neat
13:06 Krock hmm.. "`inetest.chat_send_all("test")` or assert do not have any effect
13:06 Krock *`minetest.
13:06 red-002 ??
13:07 red-002 oh you are working on exploiting the bug?
13:07 red-002 I was starting to work on that
13:07 Out`Of`Control you could run /clearobjectest would freeze server for some hours
13:07 CWz i wonder how many victims has this bug claim
13:07 red-002 lol
13:07 Out`Of`Control noone could join anymore
13:07 Fixer i changed my passwords on some servers
13:08 red-002 Krock, should I continue to work on it or are you going to do it?
13:08 Out`Of`Control Fixer: hacker can see password?
13:08 red-002 they could get a hash of it
13:08 Fixer Out`Of`Control: if security disabled, can read auth.txt i think
13:08 Out`Of`Control Fixer: uhm ok
13:08 Krock red-002, I'm trying to exploit it on servers, yes. but so far no success
13:08 red-002 safer to change it but it should be hard to crack that
13:09 red-002 ok then I will try and work on it my self
13:10 Krock Fixer, well.. local t = minetest.get_player_privs("you") t.server = true minetest.set_player_privs("you", t)
13:12 * red-002 is working on this
13:13 fwhcat JDCodeIt, sorry for being late, the hacker did change some scripts, as our server restarts automatically they were loaded, and people were kicked automatically when joined, our debug.txt has been deleted, we haven't found any map destruction for now.
13:14 red-002 I assume you had mod security disabled?
13:15 fwhcat I think it is not sure (let me check)
13:15 fwhcat disabled
13:15 Fixer kek
13:16 red-002 ^
13:16 red-002 I mean thats a horrible idea
13:16 Fixer bad, he may changed some files
13:16 Fixer please audit your minetest files, scripts and OS itself for changes
13:16 fwhcat I told that already to the admin
13:18 JDCodeIt if these people are that good, they might even use "touch" to cover the time the file was modified. You need to check it all or recover from backup.
13:18 red-002 they could have gotten shell access or something nasty like that
13:19 fwhcat well, no our server runs through a unprivileged user, but I asked him as well to check on binaries like openssh etc. (we never know...)
13:29 JDCodeIt fwhcat: if you use ipban, and ipban.txt file was not deleted, you may be able to compare this to the last backup and see what new IP's came in today.
13:31 MinetestBot [git] sfan5 -> minetest/master-server: Allow banning by server hostname 828a1fd https://git.io/v97i9 (2017-05-14T13:29:46Z)
13:33 red-002 are there any other servers that are being exploited?
13:36 celeron55 they could have already exploited every server and disabled the original exploit in all of them (and added their own)
13:36 celeron55 in theory
13:36 celeron55 i would guess they're not that good though
13:37 Fixer MM-survival has some explosions
13:39 red-002 alright I have recreated the exploit
13:46 Pixalou i
13:46 Pixalou hi
14:18 JDCodeIt Pixalou and Gundul: did you read back through today's IRC log?
14:20 Gundul no, not yet, Just logged in here a couple of minutes ago.
14:23 Gundul no I did. thanks
14:24 grey-001 Gundul, are you the admin of the server in question?
14:27 Pixalou JDCodeIt : sorry i was afk. Not read irc log today.
14:28 Gundul Yes I am running jungle server. Was me the first who was hit ?
14:29 grey-001 you want to shutdown your server if you haven't already
14:30 Gundul Thanks. I did that already at 12:15 pm :) running backups now and try to repair
14:30 CWz Gundul, VanessaE was effected first
14:30 CWz i think
14:30 VanessaE no I wasn't.
14:30 VanessaE a couple other guys had exploits before me
14:30 Gundul My server was hit between 11 and 12 UTC+1
14:31 VanessaE shut it down, remove worldedit_gui or update it, reboot the server.
14:31 CWz who were they
14:31 fwhcat today or yesterday Gundul?
14:31 VanessaE well and clean up whatever the blackhat fucked up.
14:31 Gundul today. fwhcat
14:32 fwhcat well our server was attacked at 0.30 am UTC+2
14:32 Gundul I am running a backup from 2 days ago. Saved the image file from this morning only for inspection
14:32 CWz fortunately mine weren't attacked
14:32 VanessaE fwhcat, Gundul just remove worldedit_gui or update it to current HEAD, clean up any fucked up privs, boot the server, and clean up any griefing
14:33 CWz but i disabled new registrations until i hear a confirmed headshot
14:33 VanessaE and make sure no one has privs who shouldn't
14:33 fwhcat we did VanessaE but thanks.
14:33 rubenwardy how many servers are still running old worldedit_gui?
14:33 VanessaE rubenwardy: most.
14:33 Gundul already done, Thanks VanessaE
14:33 JDCodeIt fhwcat indicates the hackers modified scripts in the file system - one should check them carefully
14:33 VanessaE because the patch is only a day old.
14:33 CWz I think 70%
14:34 VanessaE JDCodeIt: that's possible only if mod security is disabled.
14:34 tm3 venessaE ?? only clearing worldedit_gui works or total worldedit at least as a temporary soln. And what are those privs no one should have??
14:34 VanessaE tm3: just worldedit_gui
14:34 VanessaE privs = everything
14:35 VanessaE on my server, the attacker granted himself ALL. as in `/grantme all`
14:35 tm3 oh you mean privs priv?
14:35 VanessaE so I literally mean, everything
14:35 tm3 oh i got it :) thanks :)
14:35 DS-minetest btw how could worldedit priv be gotten?
14:35 CWz glad i quit selfhosting
14:36 tm3 oh no one have privs in our server though not even i even i am a supervisor ;P admin has it though.
14:36 Gundul you got their ip VanessaE ? my logfiles habe been deleted.
14:36 Gundul *have
14:36 VanessaE now, on my server it should be impossible for a blackhat to compromise my mod files because you can't write to a mod's directory since I have mod security enabled, and all critical files are stored on my home PC and synced to the server when I need to update something
14:36 VanessaE [05-13 01:42] ["REAPERMAN"] = true,
14:36 VanessaE [05-13 01:42] ["::ffff:87.184.19.200"] = true,
14:36 VanessaE [05-13 01:42] ...
14:36 VanessaE [05-13 01:42] ["::ffff:93.205.60.210"] = true,
14:36 VanessaE [05-13 01:42] ["REAPER"] = true,
14:37 * VanessaE waits for ShadowBot to kick :P
14:37 tm3 oh
14:37 Fixer VanessaE: you have we_gui ?
14:37 VanessaE Fixer: I used to. that's how the attacker got in. I removed it.
14:37 * CWz activates his trap card to prevent ShadowBot from kicking
14:37 tm3 is it the ip of that hacker? i guess it's just a stupid noob trying to hide his ass behind a hacked client he downloaded. No f88king blackhat has time for this s88t
14:38 Fixer VanessaE: when you removed it btw? I already changed my password on your servers
14:38 VanessaE Fixer: I removed it after the second attack (I didn't know worldedit_gui was the cause, the first time), so a day after.
14:38 JDCodeIt Bonn, Germany
14:39 CWz i wonder if deezl's server were effected
14:41 Gundul tm3 what you said was the name of the guy in jungle ?
14:42 tm3 which one?
14:42 tm3 i mean when??
14:43 Gundul this morning, you told me a few minutes ago
14:43 tm3 oh you had argument with? i asked about him? Oh he is a noob in coding bro. let alone hacking
14:43 tm3 few mins. ago??
14:43 JDCodeIt there was that argument with ektod
14:43 Gundul ok, maybe I misunderstood you
14:43 tm3 Aule is a noob you banned he is total noob
14:44 tm3 i know
14:44 Gundul ektod was from venezuela
14:44 JDCodeIt he didn't want to replant trees
14:46 IhrFussel Regarding the WE exploit: My last version was from over a year ago, so my server was most likely never affected by it? (I updated a few hours ago though to be safe)
14:47 JDCodeIt IP belongs to Deutsche Telekom Ag, D-90492 Nuernberg, Germany
14:47 Fixer lol
14:47 Fixer IhrFussel: it is affected
14:48 Fixer IhrFussel: _update now_
14:48 Fixer IhrFussel: also check if it was not compromised (silently)
14:48 IhrFussel Fixer, so the exploit existed for a YEAR and more?
14:48 Fixer IhrFussel: possibly since ages
14:48 grey-001 since 2013 iirc
14:49 IhrFussel I already updated and restarted 20 minutes ago...but how would I check if my system was modified?
14:50 JDCodeIt did you have mod security disabled?
14:50 IhrFussel I had to disable it, too many mods complained about it
14:51 JDCodeIt then you must go through your scripts and OS files to see if any were changed
14:51 Fixer probably since 12 Dec 2013
14:52 Fixer IhrFussel: check your mod folders, check logs, etc
14:52 Fixer IhrFussel: check new privileges
14:52 IhrFussel Nothing can touch the system files..I'm not stupid I run minetestserver not under root
14:52 tm3 rubywarden :P i didn't know ;)
14:53 JDCodeIt OK, check what could have been changed under the non-privileged user
14:53 tm3 linus??
14:53 fwhcat torvalds ?
14:53 paly2 Hey :)
14:53 tm3 no linushsao. admin of mars server :0
14:53 tm3 :)
14:54 tm3 i am a supervisor there ;)
14:54 fwhcat Oh I remember you sorry :)
14:54 tm3 hey hi :) you didn't come. Don't remember your home is there or not :P may be it's there ;)
14:55 linushsao hi,i'm here
14:55 fwhcat I haven't been here for 3 months but i'm back
14:55 Fixer critical vulnerability in worldedit_gui
14:55 tm3 lol ;P
14:55 Fixer please update now, and check if your server was compromised
14:55 tm3 linus read msg i sent in irc :)
14:55 tm3 in our channel
14:55 Fixer check any file/playerpriv changes etc
14:56 linushsao torvalds..no, my "linus" is about the comic "the peanut".
14:56 tm3 every player's privs?? uh
14:56 fwhcat Fixer: the problem is: the hacker did even delete the logs (at least on our server) he wasn't stupid enough to give himself privs.
14:57 Fixer tm3: not every, but with nonstandard privs
14:57 Fixer fwhcat: thats better, better inspect everything, and recheck everything including OS
14:58 linushsao delete system log?
14:58 tm3 ok thanks :) i am a nonstandard one ;P i have to check mine and another mod. :)
14:58 Fixer "thats better = thats worse" *
14:58 linushsao through sshd-server? or that server has ssd service?
14:58 tm3 yes linus jungle's log were deleted
14:59 tm3 Gundul wasn't able to find the log even. :'(
14:59 linushsao it means hacker hack into server,not only minetestserver.
14:59 tm3 spawn, meselab in jungle completely destroyed ;P
14:59 Fixer better recheck everything, make sure there are no backdoors on server
14:59 Fixer if mod security was off, even worse
15:00 linushsao it's almost the standard process of hacker to delete log, even log-backup couldnt help .
15:00 tm3 may be but i don't think so a hacker has time for hacking a foss game like this. I guess it's just a dumbass trying to save his ass behind a powerful hacked client made by a hacker :)
15:00 fwhcat no no debug.txt log only, some mods were changed etc.
15:00 fwhcat if he could change syslogs that would mean he had root access xD
15:00 paly2 Indeed mod security was disabled on our server. I guess that's how the hacker made debug.txt a symlink to /dev/null. Now we've adapted our mods and enabled it (too late, as usual...)
15:00 tm3 just give me the ip of that MF, i will teach him what real hacking is xD
15:00 fwhcat so yeah in that case, you better reinstall the whole system.
15:00 Fixer if you run from root - yes
15:01 Fixer running anything from root is very bad idea
15:01 linushsao yes,fwhcat.
15:01 paly2 We don't :)
15:01 rubenwardy > running Minetest as null
15:01 rubenwardy *root
15:01 rubenwardy :O
15:01 fwhcat who would do that? xD
15:01 tm3 :P
15:01 grey-001 people
15:01 Krock windows users.
15:02 grey-001 said by a windows user
15:02 tm3 yes :) s88t happens. we learn like that :)
15:02 Fixer proper windows user runs from nonroot
15:02 Krock on top of that: said by a windows user that runs all software in administrator mode
15:02 tm3 lol :P
15:02 Krock try to beat that
15:03 Krock good luck :P
15:03 linushsao no running on root,of course.
15:04 Krock <.< I meant like "try running the stuff more insecure than me"
15:05 fwhcat I can, just for fun Run an old XP and surf the web
15:05 fwhcat but.... in a VM :D
15:07 tm3 :D
15:09 linushsao mars server on debian...
15:09 linushsao if on windows,maybe run on root...@@a
15:10 linushsao (i remember it's account "administrator".
15:10 rubenwardy anyone have any experience in auditing a server to check if it's been compromised? If so, please post here (links to good resources are fine: https://forum.minetest.net/viewtopic.php?f=6&t=17601&p=269578#p269578
15:14 Krock rubenwardy, as you most likely already have seen: https://pastebin.com/raw/4NXGQ4Ej - list of the currently announced servers using worldedit_gui
15:15 Krock filtering those better would require to join the server and run a test
15:15 rubenwardy I don't think it's best to publish that
15:15 Krock surely it isn't.
15:16 Krock that would only help black hat people to cause more damage
15:18 IhrFussel Here is a useful command to check which files have been last modified on a Linux system (recursively) find [ENTERPATH] -type f -exec stat --format '%Y :%y %n' "{}" \; | sort -nr | cut -d: -f2- | head -n 500 | less
15:20 rubenwardy fancy posting that in the topic?
15:20 rubenwardy along with a disclaimer that the signatures can be modified
15:21 tm3 as per ip provided by venessa, that dumbass's ip from weiden and bonn, germany both ip are registered in deutsche telekom broadband.
15:21 * VanessaE growls at tm3
15:21 tm3 ?? sorry if i did something :)
15:21 VanessaE why does everyone insist on misspelling my fscking name...
15:21 tm3 oh ...
15:22 tm3 VanessaE :)
15:22 tm3 now :)
15:22 VanessaE :)
15:22 Fixer lol
15:22 Fixer venessa
15:23 tm3 lol there goes fixer :P
15:24 tm3 red was at red-001 first. now at 005. soon he will reach 007 :)
15:24 DS-minetest lol
15:24 red-005 lol
15:25 Krock tm3, assuming a linear increase would mean he'll pass 007 and goes over to 009
15:25 DS-minetest your name will be red, james red
15:27 IhrFussel rubenwardy, done
15:27 tm3 lol :P yes james red 009... tatatataannn...taon taon ...
15:27 rubenwardy thanks
15:37 IhrFussel I think one GOOD thing is that the exploiters likely don't know the actual WORLD names and therefore cannot delete world files
15:38 IhrFussel Or can they just use "*" ? Not sure
15:39 DS-minetest i think, they can get the world path
15:39 paly2 They can list the world directory content
15:39 rubenwardy if the lua code can return input, they could just do "io.popen('ls')"
15:41 IhrFussel Wait...the GUI allows you to input Lua and RETURNS output as well? I thought the output would just be something like "successful" or "failed"
15:41 paly2 You can use minetest.chat_send_player
15:43 IhrFussel True...well it seems like they avoided my server...log files exist, no new high privs in auth.txt ... the last modified files on my machine are the ones I edited manually
15:45 paly2 Does someone have new privs in auth.txt ? 0.o
15:45 IhrFussel But since the exploit existed for YEARS likely, there is absolutely no reliable way to tell whether or not somebody changed something in that timeframe I guess
15:47 rubenwardy it's quite interesting
15:47 Krock but the leak was undiscovered for years. now that there's so much hurry about the recent >>fix<<, only caused all this trouble
15:49 rubenwardy well, most exploited vulnerabilities are not 0 days, but recently patched things
15:49 rubenwardy attackers watch update channels
15:49 rubenwardy although in this case it was a 0 day
15:50 rubenwardy [citation needed]
15:54 IhrFussel I just found "find -cmin -N" it lists all files that were last modified within the recent N minutes..very useful
15:54 jubalh hi
15:54 jubalh does minetest have enemies yet?
15:54 jubalh or just neutral figures?
15:55 rubenwardy well, there's terasology
15:55 rubenwardy but that's more of a competitor than an enemy
16:00 Krock minecraft, our worse enemy!
16:00 Krock *worst
16:00 Krock
16:28 Raven262 Minecraft is not your enemy, it never showed to have anything against minetest.
16:55 DS-minetest does it make sense to get the camera in csm like this: local camera
16:55 DS-minetest minetest.register_on_connect(function()
16:55 DS-minetest minetest.after(0, function()
16:55 DS-minetest camera = minetest.camera
16:55 DS-minetest end)
16:55 DS-minetest end)
16:55 DS-minetest ?
16:55 paly2 Same for minetest.localplayer :/
16:56 DS-minetest not exactly same
16:56 DS-minetest localplayer doesn't need that extra after
16:56 red-005 why the after?
16:56 Krock the camera is not guaranteed to be initialized when the scripts are run
16:57 DS-minetest camera seems like if it's not there when player starts being there
16:57 DS-minetest hm, i could also very often use the reference
17:00 mega-giga How many server are hack ? ??
17:02 VanessaE mega-giga: anyone whose server has a copy of worldedit_gui that's more than a day or two old is vulnerable.
17:02 VanessaE how many were compromised is not known as yet, but I know two of mine were, and a few others.
17:03 mega-giga Mynet est
17:03 mega-giga Mynetest*
17:03 mega-giga Acidité
17:03 mega-giga Axinite*
17:04 paly2 (french autocorrect?)
17:04 mega-giga T'es
17:04 mega-giga Yes*
17:04 mega-giga Mdrr
17:05 Fixer kek
17:31 IhrFussel Are we 100% that mesecons doesn't have such an exploit? AFAIK there are elements that allow Lua code as well
17:32 IhrFussel 100% sure*
17:32 nore IhrFussel: yes, but in a protected environment
17:32 paly2 AFAIK the LuaController executes code in a highly restricted environment
17:32 nore and I tried more than once to attack it
17:33 nore personally I consider it sage
17:33 nore *safe
17:33 paly2 MoreMesecons has a LuaBlock that allows to execute code in the global namespace, but it cannot even be placed without the server privilege
17:33 kaeza the issue has nothing to do with running Lua code. it was not setting the correct privs
17:34 kaeza or so I see anyway
17:35 IhrFussel kaeza, it didn't check for ANY privs if I see that correctly
17:37 IhrFussel And mesecons doesn't require any (high) privs either right? So I wondered if the exploit could exist there too
17:38 IhrFussel But if it's safe then good
18:37 Out`Of`Control hi
19:08 Yst Does anyone know how to generate a formspec that matches unified_inventory? Specifically, I need to set the player's formspec to something that isn't one of the registered unified_inventory pages, but I want to keep the feel the same and provide the buttons for reaching actual unified_inventory pages.
19:09 Yst I guess it'd be the unified_inventory equivalent of sfinv.make_formspec(). Would someone know what function that'd be?
19:49 IhrFussel "local name=inv:get_stack("give" .. n,1):get_name()" will this return a string like "default:sand" ?
19:51 IhrFussel I'm trying to disallow certain nodes in the smartshop mod, but the code looks EXTREMELY complicated and I need to know if that's the var I need to check
19:51 rubenwardy yes
19:51 rubenwardy not sure what it returns if the stack is empty though
19:52 IhrFussel rubenwardy, I think the code already makes sure it's not nil..those are the lines before it: local inv = meta:get_inventory() if meta ~= nil then
19:54 calculon you could still have empty stacks in a non-nil inventory
19:54 rubenwardy ^
19:55 calculon and why meta ~= nil ? is this a typo ?
19:57 IhrFussel I'll give you a pastebin in a sec
20:02 IhrFussel https://pastebin.com/ieb2wLgF
20:05 calculon so i think yes, you should take care of empty stacks
20:05 calculon iirc get_name() returns an empty string in that case, but i'm not sure
20:06 kaeza >string.find(name,"ingot")
20:06 IhrFussel Oops I just noticed I forgot to add the player name in chat_send_player xP
20:07 kaeza great, now I can't buy a bingo table or something
20:08 rubenwardy IhrFussel, it's pointless to check a table after you call a function in it
20:08 IhrFussel kaeza, well I could add an underscore at the beginning and hope that the mods name their ingots properly "[material]_ingot"
20:08 rubenwardy it: meta ~= nil
20:10 IhrFussel rubenwardy, so I can remove that part of the condition?
20:10 rubenwardy yeah
20:11 rubenwardy or check before then
20:11 rubenwardy it's pointless as the server would have already crashed
20:12 calculon and i guess get_meta always return a value anyway
20:12 calculon ho, maybe not if not if the node is not loaded
20:14 IhrFussel calculon, the mod crashed a few times already with "meta nil"
20:15 rubenwardy you need to check before you use it
20:15 calculon ok
20:26 Hijiri static typing would have prevented the exploit
20:26 Hijiri we should have all used haskell for minetest
20:26 rubenwardy not really
20:26 rubenwardy you could have still done the exploit with a statically typed language
20:27 rubenwardy as long as you had the ability to run code from user input
20:27 Hijiri there was a check, "not admin == name" aka "(not admin) == name" to see if the lua runner was the admin
20:27 Hijiri that would have been a type error since admin is not a bool
20:28 Hijiri unless you are using C or something
20:28 rubenwardy ah, I see
20:28 Hijiri It wouldn't prevent all exploits of this class though, true
20:29 Hijiri except maybe by being hard enough to interpret at runtime that nobody bothered to make a mod that runs user lua
20:29 Hijiri or user haskell
20:30 kaeza that's why I have the habit of always using parentheses when using the `not` operator ;)
20:30 rubenwardy Haskell is an awful choice for game modding though
20:32 Hijiri probably also true
20:37 Hijiri rubenwardy: actually my mistake, the check was "not admin ~= name" to return early
21:07 Calinou heh
21:07 Calinou https://forum.minetest.net/viewtopic.php?f=53&t=17046
21:07 Calinou someone made an X-Ray cheat with CSM
21:07 Calinou that was a while ago, but I'm just starting to browse the CSM section now
21:09 PureTryOut[m] ooh no 😞 I guess that's the downside of having CSM
21:10 KaadmY Calinou: TIL the item_image formspec element can handle an item count
21:10 KaadmY I've been doing it manually
21:10 KaadmY So the item cound thing is fixed
21:10 KaadmY count*
21:10 KaadmY Groups are still wonky, I can fix easily though
21:10 Calinou tons of cheats can be made with CSM, yeah
21:14 PureTryOut[m] there needs to be a way to protect servers from those...
21:14 rubenwardy the fix is to not allow get_node if there's no air nearby
21:15 rubenwardy ie: neighbour
21:15 rubenwardy and to check LOS or less than 20
21:15 rubenwardy the problem is that these restrictions make an ambience mod a lot less efficient
21:17 PureTryOut[m] couldn't an Ambiance mod be made entirely server-side? I thought mods could play sounds per player
21:18 Calinou hmm, trying out CSM, pretty nice
21:18 Calinou I need to make some mods again :)
21:18 Calinou eg. a wallclock on HUD
21:18 Calinou PureTryOut[m]: they can but it causes lag
21:19 Calinou also, aesthetic things like these are better left to the client
21:19 Calinou so the user can easily disable it, etc
21:20 PureTryOut[m] I guess
21:20 PureTryOut[m] still, I don't like X-ray mods lol
21:20 Hijiri what if you use a hybrid approach
21:21 Hijiri like when requested, the server will calculate the ambience stuff for some area, and send that to the client
21:21 Hijiri and it will cache that, and so will the client
21:21 Hijiri or maybe only the client caches it
21:21 Hijiri I guess that doesn't work for swimming in water and that kind of thing though
21:22 Hijiri But maybe some effects could be purely client modding, while others are a hybrid like I described
21:22 rubenwardy it's funny how people have been wanting CSM for years, but now it's been introduced everyone's against it
21:22 Hijiri I'm sort of against client-provided client mods
21:22 rubenwardy well, same
21:22 PureTryOut[m] I'd love a way for mods to send certain commands/functions to the client to do
21:22 Hijiri The kind of CSM I've wanted is code sent from the server
21:22 PureTryOut[m] same ^
21:23 PureTryOut[m] never asked for CSM like it is now
21:23 PureTryOut[m] I just want my mod to be able to listen to keypresses 😞
21:23 Hijiri listening to keypresses would be against what the direction of game controls has been though
21:23 Hijiri because of Android stuff
21:24 rubenwardy registering events though
21:24 rubenwardy but that could be done with a server API
21:24 Hijiri I think the spells idea nerzhul has been mentioning would provide extra controls
21:25 Hijiri anyway I have to go
21:26 PureTryOut[m] Hijiri: tbh I don't give a damn about Android
21:26 PureTryOut[m] I don't want to be limited on PC because of mobile support...
21:27 PureTryOut[m] and even then, you can probably let the mods make some extra button for touchscreens or whatever
21:41 Yst I never wanted client-side scripting either. Now that it's here though, I'll probably check it out. After I finish a server-side mod I've been wanting for a couple months though.
22:24 KaadmY When can we get a fog distance multiplier?
22:25 KaadmY So rain becomes foggier
23:18 Fixer KaadmY: is not this already possible?
23:18 KaadmY I dont think so
23:18 KaadmY The API has no mention of fog
23:19 KaadmY And to clarify: I mean as a mod, not client setting
23:19 Fixer rubenwardy: but but you can locate nyan cat now with ore detect!!111 Oh ... nyan was removed... and dog too...
23:19 KaadmY Was Nyan removed? :/
23:19 Fixer KaadmY: i have some impression that some weather mods already do this, i may be wrong
23:19 Fixer KaadmY: yep
23:19 KaadmY Awww
23:20 Fixer KaadmY: because of trademark issues
23:20 Fixer iirc
23:20 KaadmY Darn
23:20 Fixer KaadmY: you can still use it as a mod
23:20 KaadmY Why not have a cyan cat
23:20 Fixer LOL
23:20 KaadmY Just a cyan cat :D
23:20 KaadmY Also I'm looking at the 0.4.16 API
23:20 KaadmY It looks like there's TONS of changes from 0.4.15
23:20 KaadmY And I really want to get my hands on them :D
23:21 Fixer KaadmY: release is pretty soon btw
23:21 KaadmY Yeah
23:21 KaadmY June or something?
23:21 KaadmY Feature freeze is May 21
23:21 KaadmY So mid-June/early July?
23:21 Fixer don't remember, but soon
23:22 Fixer afk
23:25 frostsnow Why is there no 50% probability rule in the L-system?
23:31 wilkgr 2017-05-15 09:30:43: ERROR[Main]: Access denied. Reason: You are using an unofficial client. Use the official client from minetest.org
23:31 KaadmY Hm?
23:31 rubenwardy which server?
23:32 wilkgr Captain's Corner (it's a minetesthosting one)
23:32 KaadmY How does the server tell if its an unofficial client?
23:32 rubenwardy sfan5 ^
23:32 rubenwardy it's not an unofficial client
23:32 rubenwardy oldcoder is trying to take over the project
23:33 rubenwardy so he's put that notice in his version to try and get people to use his
23:33 rubenwardy notice .org
23:33 KaadmY Oh
23:33 rubenwardy which is OldCoder's domain
23:33 wilkgr Indeed, that's why I was so confused
23:33 red-005 does any other server need to be added to the ban list?
23:34 KaadmY minetest.org seems to be down anyway
23:34 rubenwardy not for me
23:34 KaadmY Huh, DNS problem
23:34 red-005 I think I had that issue too
23:35 rubenwardy would be good to make a bot which auto-bans servers from the server list that display that message