
[REQUEST] Allow root user to decide guest save wordlist file and hit on server or just save in ram cache

Open meisuj815 opened this issue 4 years ago • 5 comments

Is your feature request related to a problem? Please describe.
I'm always frustrated when guests are allowed to save their own files on the server. For security reasons, they should not be saved on the server side. Also, guests may not want to save all hits and wordlists on the server because of privacy.

Describe the solution you'd like
Allow the root user to decide whether guests save wordlist files and hits on the server or just in a RAM cache. For example: https://img.onl/Cw9gsD

meisuj815 avatar Sep 11 '21 13:09 meisuj815

This feature is already implemented, please check the OpenBullet settings. [image] Tick this off.

Thanosbin00 avatar Sep 12 '21 05:09 Thanosbin00

If I am correct, please close the issue.

Thanosbin00 avatar Sep 12 '21 05:09 Thanosbin00

Hi @Thanosbin00 No. I am talking about allowing the root user to decide whether guests save wordlist files and hits on the server or just in a RAM cache, not system-wide file access.

https://img.onl/ot1nDG

meisuj815 avatar Sep 12 '21 05:09 meisuj815

The wordlists uploaded by guests will always be saved in UserData/Wordlists and will have a random name. The hits saved on the filesystem in a specified folder will always create a subfolder with the name of the config and then have files called like Hits.txt, ToCheck.txt etc. (nothing user-specified, anyways).

I don't think this can overwrite system files or compromise a system in any way honestly, the users have very little control on what they can write to the disk. So I don't think this will be an issue, correct me if I'm wrong.

The thing that is a little bit worrying instead is the ability to use a File proxy source or a File data pool and putting the path of a sensitive file on disk, and the lines of the file might then appear in the UI (if you enabled the visible log or detailed view, or even as ToCheck hits) so I think removing the ability for guests to use those specific features would be best, I don't see an issue with the ones you mentioned.

openbullet avatar Sep 20 '21 10:09 openbullet
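The file-path concern raised in the comment above comes down to confining any guest-supplied path to a single directory before it is opened. An added example, not OpenBullet2's own code: `GuestPathGuard` and `ResolveForGuest` are hypothetical names, using `UserData/Wordlists` as the only directory guests may read from is an assumption, and the sample requests are constructed. It needs .NET 6 or later.

```csharp
using System;
using System.IO;

// Hypothetical helper (not part of OpenBullet2): confines a guest-supplied
// path to one allowed directory before the file is opened.
public static class GuestPathGuard
{
    public static string ResolveForGuest(string allowedRoot, string requestedPath)
    {
        if (string.IsNullOrWhiteSpace(requestedPath))
            throw new UnauthorizedAccessException("Empty path.");

        // Canonical root with a trailing separator, so a sibling directory such
        // as "Wordlists-other" does not pass the prefix check below.
        string root = Path.GetFullPath(allowedRoot);
        if (!root.EndsWith(Path.DirectorySeparatorChar))
            root += Path.DirectorySeparatorChar;

        // GetFullPath collapses ".." segments; a rooted requestedPath ignores the base.
        string full = Path.GetFullPath(requestedPath, root);

        var cmp = OperatingSystem.IsWindows()
            ? StringComparison.OrdinalIgnoreCase : StringComparison.Ordinal;
        if (!full.StartsWith(root, cmp))
            throw new UnauthorizedAccessException("Path is outside the guest directory.");

        // Only the final component is checked for being a link; directories under
        // the root are assumed (for this example) not to be writable by guests.
        if (new FileInfo(full).LinkTarget != null)
            throw new UnauthorizedAccessException("Symbolic links are not accepted.");

        return full;
    }
}

public static class Program
{
    public static void Main()
    {
        string root = Path.Combine("UserData", "Wordlists"); // assumed guest directory
        // Constructed sample requests: one plain file name, three that leave the root.
        string[] requests = { "list.txt", "../../appsettings.json", "/etc/passwd", "../Wordlists-other/x.txt" };
        foreach (string r in requests)
        {
            try { Console.WriteLine($"allowed: {GuestPathGuard.ResolveForGuest(root, r)}"); }
            catch (UnauthorizedAccessException e) { Console.WriteLine($"denied:  {r} ({e.Message})"); }
        }
    }
}
```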

hi @openbullet

I agree with you, some functions actually need to be disabled for guests (optional for root). I can't change the topic. Sad, I am losing control of the author account :(

For example, these functions need to be disabled:

Main Job - create - Hit option - database && file system [image]

Allow root to decide which job types are allowed [image]

Allow root to decide whether a config is able to use proxies or not, and the stopped file option (security concern: brute-force) [image]

bestisben-xyz avatar Sep 23 '21 17:09 bestisben-xyz