Hacker News
by
yagop
3361 days ago
Nice article. I wrote that Lua "wrapper" 2 years ago. I used math.js to avoid RCE on bots; turns out the math.js API is vulnerable but doesn't affect the wrapper.
CapacitorSet
3361 days ago
Did you also write the gnuplot plugin? Because that's also vulnerable, as found by the same @denysvitali:
https://github.com/LucentW/s-uzzbot/issues/9
yagop
3361 days ago
That was from @francesco-p (he renamed his account from psykomantis).
https://github.com/yagop/telegram-bot/commit/89b92b4cbf81ce1...
It's in my repo but disabled by default.
dvitali
3361 days ago
Proof:
http://i.imgur.com/BpLtg0b.png