Players are able to attach event handlers to any control on display 12 (map display), and the handlers are not destroyed when they switch multiplayer servers. This allows players to run client-side code on servers they do not have access to.
Description
Details
- Severity: Major
- Resolution: Open
- Reproducibility: Always
- Operating System: Windows 10 x64
- Category: Multiplayer
Steps To Reproduce
- Run the following on a locally hosted multiplayer server:
((findDisplay 12) displayCtrl 1202) ctrlAddEventHandler ["ButtonClick", " hint 'ran'; "]; (finddisplay 46) closeDisplay 0;
- The previous step should have kicked you to the lobby. Leave the server and join a different multiplayer server.
- Click the move map to player button.
- Code within event handler runs.
Additional Information
We have fixed this issue on our servers by stripping every event handler. This can also be seen on a popular cheating site, here.
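
Added example, not part of the original report and not the reporter's own server code: one way a mission could strip scripted event handlers from every control on display 12 when a client joins. It assumes the script runs on each client in a scheduled environment (for example from initPlayerLocal.sqf) before the mission registers its own map handlers, and the handler-name list is an illustrative, non-exhaustive selection.

```sqf
// Added example: remove scripted UI event handlers left on the map display (12).
// Assumption: runs client-side in a scheduled script (e.g. initPlayerLocal.sqf),
// before the mission adds any map handlers of its own.
if (!hasInterface) exitWith {};   // nothing to clean on a dedicated server or headless client

// Assumption: illustrative list of UI event handler names; extend it to cover
// every handler type your mission considers relevant.
private _handlerNames = [
    "ButtonClick", "ButtonDblClick", "ButtonDown", "ButtonUp",
    "MouseButtonClick", "MouseButtonDblClick", "MouseButtonDown", "MouseButtonUp",
    "MouseMoving", "MouseHolding", "MouseZChanged", "MouseEnter", "MouseExit",
    "KeyDown", "KeyUp", "Char", "SetFocus", "KillFocus", "Draw"
];

// The map display may not exist yet at the very start of the mission.
waitUntil { !isNull (findDisplay 12) };
private _mapDisplay = findDisplay 12;

// Walk every control on the map display, including control 1202 from the
// reproduction steps, and drop all handlers of each listed type.
{
    private _ctrl = _x;
    {
        _ctrl ctrlRemoveAllEventHandlers _x;
    } forEach _handlerNames;
} forEach (allControls _mapDisplay);

diag_log format [
    "[map-eh-cleanup] cleared %1 handler types on %2 controls of display 12",
    count _handlerNames,
    count (allControls _mapDisplay)
];
```

Because this removes every scripted handler of the listed types, any legitimate map handlers the mission needs have to be added after it has run.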