Limnoria/Supybot.markdown

146 lines
5.6 KiB
Markdown
Raw Normal View History

2014-12-31 15:01:00 +01:00
---
layout: page
title: Security issues
permalink: /Supybot.html
---
2014-05-16 14:51:00 +02:00
2024-07-06 09:25:01 +02:00
<!-- @format -->
Supybot git repository was declared dead on 2018-05-10 and archived on GitHub.
[v0.84.0 was the last release at that time](https://github.com/Supybot/Supybot/releases/tag/v0.84.0).
0.83.4.1 used to be a very common release available through several Linux
distributions for years and thus I made this page, which I guess is now
available more of for historical reasons.
2023-09-29 12:39:44 +02:00
**_WARNING: most of the content originates from 2014!_**
2014-05-16 14:51:00 +02:00
2014-06-29 17:59:32 +02:00
## The issues of 0.83.4.1.
2014-05-16 14:51:00 +02:00
### 1. Anyone can crash it and computer where it's running on
2014-05-16 14:51:00 +02:00
2023-09-29 12:39:44 +02:00
And this is very easy. Just run the command
2014-05-16 14:51:00 +02:00
2024-05-25 10:01:09 +02:00
`!misc last --regexp m/(.*\w){512}/`
2014-05-16 14:51:00 +02:00
where ! is the prefix character.
2024-07-06 09:25:01 +02:00
Misc is loaded by default and cannot be unloaded without modifying the config.
2014-05-16 14:51:00 +02:00
2023-09-29 12:39:44 +02:00
- [Limnoria issue #157](https://github.com/ProgVal/Limnoria/issues/157)
2024-07-06 09:25:01 +02:00
- Fixing commits:
[3526d5d](https://github.com/ProgVal/Limnoria/commit/3526d5dabf587457a43af8bee8d4db21986e8222)
&
[e11dc28](https://github.com/ProgVal/Limnoria/commit/e11dc28025de877b1b6cf059013eef88337b7e44)
2023-09-29 12:39:44 +02:00
- [Ubuntu bug #996947](https://bugs.launchpad.net/ubuntu/+source/supybot/+bug/996947)
- [Debian bug #672214](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=672214)
2015-01-04 09:18:59 +01:00
### 2. The previous wasn't the only way to do this
2014-05-16 14:51:00 +02:00
2024-07-06 09:25:01 +02:00
Everyone can also make the bot count an equation, which brings it and the host
computer down.
2014-05-16 14:51:00 +02:00
For example:
2024-05-25 10:01:09 +02:00
`!math calc factorial(999999)`
2014-05-16 14:51:00 +02:00
2024-07-06 09:25:01 +02:00
This requires Math plugin which comes with Supybot, but isn't load by default.
2014-06-29 17:59:32 +02:00
2023-09-29 12:39:44 +02:00
- [Limnoria issue #354](https://github.com/ProgVal/Limnoria/issues/354)
2024-07-06 09:25:01 +02:00
- Fixing commit:
[695078e](https://github.com/ProgVal/Limnoria/commit/695078edeb91e5ff1eec728fedf0e0c27b55c505)
2023-09-29 12:39:44 +02:00
- [Ubuntu bug #996950](https://bugs.launchpad.net/ubuntu/+source/supybot/+bug/996950)
- [Debian bug 672215](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=672215)
2015-01-04 09:18:59 +01:00
### 3. Anyone can access network services via the bot.
2014-05-16 14:51:00 +02:00
2024-07-06 09:25:01 +02:00
I don't have example command for this, but it happens by nesting "format cut"
and "misc tell".
2014-05-16 14:51:00 +02:00
2014-12-31 15:01:00 +01:00
What does this mean? Anyone can tell the bot to ghost someone else on same
2024-07-06 09:25:01 +02:00
account, take over a channel by telling the bot to give flags (if it has correct
flags), change password of the account and everything else what you do with
network services.
2014-05-16 14:51:00 +02:00
2024-07-06 09:25:01 +02:00
- _This was only reported at IRC and I am unable to find issue report or fixing
commit. ~~Mikaela on 2015-01-04._
2014-06-29 18:06:18 +02:00
### 4. Web page with special characters in \<title\> can be used to send DCC/CTCP commands.
2014-05-16 14:51:00 +02:00
2024-07-06 09:25:01 +02:00
This doesn't mean only things like CTCP actions (also known as /me), but known
problems with old routers ( `FF ? DCC SEND “ff???f??????????????” 0 0 0` ) which
make them reconnect to the internet.
2014-05-16 14:51:00 +02:00
Usage:
2024-05-25 10:01:09 +02:00
- `!web title <malicious.page.here>`
- `!web fetch <malicious.page.here>`
2014-05-16 14:51:00 +02:00
2024-07-06 09:25:01 +02:00
_This was only reported at IRC and I am unable to find issue report or fixing
commit. ~~Mikaela on 2015-01-04._
2015-01-04 09:18:59 +01:00
### 5. Web Titlte/Fetch can be used for DoS
2014-05-16 14:51:00 +02:00
2024-07-06 09:25:01 +02:00
They are vulnerable to queries to servers which have custom headers which can
lead to DoS.
2014-05-16 14:51:00 +02:00
2024-07-06 09:25:01 +02:00
_This was only reported at IRC and I am unable to find issue report or fixing
commit. ~~Mikaela on 2015-01-04._
2015-01-04 09:18:59 +01:00
### 6. QuoteGrabs grab command also works in PM
2014-05-16 14:51:00 +02:00
2024-07-06 09:25:01 +02:00
and can grab private content such as `user register` or `user identify` or with
the case of owner possibly NickServ passwords and others not so nice things.
2015-01-04 09:18:59 +01:00
2023-09-29 12:39:44 +02:00
- _It appears this issue was only reported at IRC._
2024-07-06 09:25:01 +02:00
- Fixing commit:
[a3346343679f3bdf8c77d9efb5a2097e215d51df](https://github.com/ProgVal/Limnoria/commit/a3346343679f3bdf8c77d9efb5a2097e215d51df)
2015-01-04 09:18:59 +01:00
### Are these issues publicly known?
**Of course they are.** Issue reports are below the actual issues.
2014-05-16 14:51:00 +02:00
2014-12-31 15:01:00 +01:00
The first issue has been also used to take down some of
2024-07-06 09:25:01 +02:00
[Ubuntu IRC bots](https://wiki.ubuntu.com/IRC/Bots) several times. At least
UbotX (I don't remember the number) and meetingology.
2014-05-16 14:51:00 +02:00
2024-07-06 09:25:01 +02:00
Some of these issues are fixed in git repository, but most people aren't using
it. If you wish to start using it, please scroll down to installation
instructions lower this page even though [Limnoria] and [gribble] are more
recommended.
2014-05-16 14:51:00 +02:00
2014-06-29 17:59:32 +02:00
### How to avoid them?
2014-05-16 14:51:00 +02:00
2024-07-06 09:25:01 +02:00
You can add anticapability for these commands using `owner defaultcapability`,
but that is only a temporary solution. There can also be other issues.
2014-05-16 14:51:00 +02:00
2024-07-06 09:25:01 +02:00
There are also two active Supybot forks, known as [Limnoria] and [Gribble],
which are actively developed and have fixed these issues. If you want permanent
solution, you should install either of them.
2014-05-16 14:51:00 +02:00
2015-01-04 10:06:41 +01:00
## Possibly interesting links
2014-06-29 18:19:47 +02:00
2023-09-29 12:39:44 +02:00
- [Comparsion of commit activity between Limnoria, Gribble and Supybot](https://www.openhub.net/p/compare?project_0=Limnoria&project_1=Gribble%3A+Support+Bottie&project_2=Supybot).
- [Gribble's modifications to stock Supybot](https://sourceforge.net/p/gribble/wiki/Gribble_Project_Git_Repository/)
- [Limnoria's modifications to Gribble.](https://github.com/ProgVal/Limnoria/wiki/LGC)
- Features of Gribble are fully merged to Limnoria.
2014-05-16 14:51:00 +02:00
2014-06-29 17:59:32 +02:00
Your current botname.conf is **100% compatible with forks**.
2014-05-16 14:51:00 +02:00
2024-05-25 10:01:09 +02:00
[Join Supybot channels on LiberaChat!](ircs://irc.libera.chat:6697/#supybot,#gribble,#limnoria)
2014-05-16 14:51:00 +02:00
2023-09-29 12:39:44 +02:00
[Limnoria]: https://github.com/ProgVal/Limnoria
[Gribble]: http://github.com/nanotube/supybot_fixes
2014-05-16 14:51:00 +02:00
2014-06-29 11:21:43 +02:00
## Installing forks
2023-09-29 12:39:44 +02:00
_This section has been removed in order to not duplicate
[Limnoria's documentation.](http://doc.supybot.aperio.fr/en/latest/use/install.html)_
2015-01-04 09:25:10 +01:00
2023-09-29 12:39:44 +02:00
---
2015-01-04 09:25:10 +01:00
Do you know issue that isn't mentioned here? If it's not already reported,
2024-07-06 09:25:01 +02:00
please report it
on [Limnoria's issue tracker.](https://github.com/ProgVal/Limnoria/issues) If
it's known, but just not reported here,
[please feel free to add it.](https://github.com/Mikaela/limnoria/edit/gh-pages/Supybot.markdown)