Social Engineering #325

Open
StevenFredette opened this issue Sep 30, 2017 · 4 comments · May be fixed by #444

Comments

@StevenFredette

StevenFredette commented Sep 30, 2017

This is a trick you can play on other people to expose their IP. If you type "//d %r", it will expose your IP in the channel!
%a = number of registered accounts on the server
%c = number of currently existent channels
%g = total number of currently running games
%G = games of users with same client tag
%h = hostname of the server
%H = contact name (as set in bnetd.conf)
%i = userid of the user
%l = username
%N = name of the game the user has connected with
%m = check user's mail when they login
%r = IP of the user
%t = client tag of the user
%u = number of users currently logged in
%U = users logged in with the same client tag
%v = server version

@Edelmetall2k

Isn't that only the case for Admin accounts?

@RElesgoe
Member

@Edelmetall2k I believe so

@StevenFredette
Author

It's the alias doubt command and no admin access needed.

@cen1
Collaborator

cen1 commented Jul 11, 2019

Hmm, taking a closer look at this, I believe the core of the problem is the aliases which take an argument, since the argument can be a placeholder var described by the op. We don't really want to remove the replacement functionality (can be useful), so my suggestion is to:

  1. Remove the default aliases from bnalias.conf.in which take an argument, so in a default install there is no "exploit".
  2. Add a warning to the bnalias.conf.in for server admins who want to use the functionality (document that variable substitution does work on arguments).

@RElesgoe ?
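
A simplified model of the behaviour discussed in this thread, added here as an example; it is not PvPGN code and not part of any comment above. The `$1` argument marker, the template text and the session values are assumptions made for illustration. It contrasts expanding placeholders after the argument has been inserted with a single pass that treats the argument as literal text.

```cpp
#include <iostream>
#include <map>
#include <string>

using Vars = std::map<char, std::string>;  // placeholder letter -> session value

// Expand %x placeholders such as %r or %l from the typing user's session.
std::string expand_vars(const std::string& s, const Vars& vars) {
    std::string out;
    for (size_t i = 0; i < s.size(); ++i) {
        if (s[i] == '%' && i + 1 < s.size()) {
            auto it = vars.find(s[i + 1]);
            if (it != vars.end()) { out += it->second; ++i; continue; }
        }
        out += s[i];
    }
    return out;
}

// Reported behaviour (modelled): the argument is inserted at the assumed "$1"
// marker first, then the whole line is expanded, so a typed "%r" becomes the IP.
std::string alias_unsafe(std::string tmpl, const std::string& arg, const Vars& vars) {
    size_t pos = tmpl.find("$1");
    if (pos != std::string::npos) tmpl.replace(pos, 2, arg);
    return expand_vars(tmpl, vars);
}

// Single pass over the admin-written template only: placeholders in the
// template are expanded, the argument is copied as literal text, never rescanned.
std::string alias_safe(const std::string& tmpl, const std::string& arg, const Vars& vars) {
    std::string out;
    for (size_t i = 0; i < tmpl.size(); ++i) {
        if (i + 1 < tmpl.size() && tmpl[i] == '$' && tmpl[i + 1] == '1') {
            out += arg; ++i; continue;
        }
        if (i + 1 < tmpl.size() && tmpl[i] == '%') {
            auto it = vars.find(tmpl[i + 1]);
            if (it != vars.end()) { out += it->second; ++i; continue; }
        }
        out += tmpl[i];
    }
    return out;
}

int main() {
    Vars session = {{'r', "203.0.113.7"}, {'l', "alice"}};  // constructed values
    std::cout << alias_unsafe("%l doubts $1", "%r", session) << "\n";
    std::cout << alias_safe("%l doubts $1", "%r", session) << "\n";
}
```

Treating arguments as literal text drops the substitution-on-arguments behaviour that cen1 wants to keep available, so this is an alternative mitigation rather than an implementation of the two steps proposed above.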
