webMonitor plugin MASSIVE security flaws


GrimmestDays
Noob
Posts: 7
Joined: 10 Mar 2012, 16:49
Noob?: Yes


#1 Post by GrimmestDays

I know the plugin hasn't been updated in a while, nor was it ever finished, so it's pretty much a given that it's going to be outdated/broken. However, I feel it's worth noting to those who may be using this plugin or are interested in it (I saw there were a few such people when I searched the boards for the plugin name) that if you do use this plugin, be careful.

1) This one's obvious. Those that have used it before have probably seen there's no real login page for you. It's just a link that takes you right to the bot overview page.

2) Despite the interface of webMonitor being extremely limited, only displaying basic information related to your character and allowing you to distribute stats, don't be fooled, because it still has the capability to run any OpenKore command via other means. Below is a modified URL from the stat adding feature.
IE: http://localhost:9511/handler?command=COMMAND HERE&page=default/status.html
Where COMMAND HERE is your command.

Essentially, with the above, anyone who has your bot's IP and is knowledgeable enough (by doing a port scan) to find the port it's operating on can effectively commandeer your bot. No brute forcing of passwords necessary.

It is somewhat of a shame that a neat in concept plugin like this has such flaws. Ah well. :)
Last edited by GrimmestDays on 17 Apr 2012, 08:30, edited 1 time in total.
EternalHarvest
Developers
Posts: 1798
Joined: 05 Dec 2008, 05:42
Noob?: Yes

Re: webMonitor plugin MASSIVE security flaws

#2 Post by EternalHarvest

GrimmestDays wrote: 1) This one's obvious. Those that have used it before have probably seen there's no real login page for you. It's just a link that takes you right to the bot overview page.
Looks like it just wasn't finished.
GrimmestDays wrote: 2) http://localhost:9511/handler?command=COMMAND HERE&page=default/status.html
It looks like that kind of request is intended to run any command, since some kind of authorization was assumed. However, it shouldn't use the GET method anyway.
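Added example, not code from the webMonitor plugin (which is Perl) or from either post: a small Python request gate showing the two fixes the thread points at, a login-backed session before any page is served, and command execution accepted only over POST with a per-session CSRF token, never from the `?command=` query string. The session store, the `login()` stub and the route names are assumptions for illustration.

```python
from dataclasses import dataclass
from http.cookies import SimpleCookie
from typing import Optional
from urllib.parse import parse_qs, urlsplit
import hmac
import secrets

# Constructed in-memory session store: session id -> per-session CSRF token.
SESSIONS: dict = {}


def login() -> tuple:
    """Issue a session after a (hypothetical) successful credential check."""
    sid, csrf = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
    SESSIONS[sid] = csrf
    return sid, csrf


@dataclass
class Decision:
    allowed: bool
    reason: str
    command: Optional[str] = None


def gate(method: str, target: str, headers: dict, body: str = "") -> Decision:
    """Decide whether a request may reach the bot's command executor."""
    # 1. Every page needs a logged-in session; the plugin had no login at all.
    cookie = SimpleCookie(headers.get("Cookie", ""))
    sid = cookie["session"].value if "session" in cookie else None
    if sid is None or sid not in SESSIONS:
        return Decision(False, "no valid session: login required")
    url = urlsplit(target)
    if url.path != "/handler":
        return Decision(True, "page view")
    # 2. A command in the query string (the ...?command=... URL) is never honoured:
    #    GET must not change state, and query strings end up in logs and history.
    if "command" in parse_qs(url.query) or method != "POST":
        return Decision(False, "command execution requires POST, not GET/query string")
    form = parse_qs(body)
    command = form.get("command", [""])[0]
    token = form.get("csrf", [""])[0]
    # 3. The POST body must carry this session's CSRF token (constant-time compare),
    #    so a page on another site cannot drive the bot through the owner's browser.
    if not command or not hmac.compare_digest(token.encode(), SESSIONS[sid].encode()):
        return Decision(False, "missing or wrong CSRF token")
    return Decision(True, "authorised command", command)
```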