Impact
Users of OnlineAnnounceV2 may be the victim of an SQL injection attack. Users with the oa.mod permission who run setgreet maybe able to inject arbitrary SQL commands into the greeting resulting in catastrophic data destruction or tampering.
Patches
A patched version from @Quinci135 can be compiled. The patched version uses safe parameter passing / "prepared statements" to avoid the SQL injection flaw. The most recent commit includes a version update. This plugin was not submitted to Pryaxis for review and has not been verified, so use of OnlineAnnounce's fork is "at your own risk" until it's submitted for analysis.
Workarounds
Remove the OnlineAnnounceV2 plugin and update to the latest version of TShock, which will refuse to load the vulnerable plugin.
Quinci135 Analyst
Impact
Users of
OnlineAnnounceV2may be the victim of an SQL injection attack. Users with theoa.modpermission who runsetgreetmaybe able to inject arbitrary SQL commands into the greeting resulting in catastrophic data destruction or tampering.Patches
A patched version from @Quinci135 can be compiled. The patched version uses safe parameter passing / "prepared statements" to avoid the SQL injection flaw. The most recent commit includes a version update. This plugin was not submitted to Pryaxis for review and has not been verified, so use of OnlineAnnounce's fork is "at your own risk" until it's submitted for analysis.
Workarounds
Remove the
OnlineAnnounceV2plugin and update to the latest version of TShock, which will refuse to load the vulnerable plugin.