add files

Mikaela Suomalainen 2014-05-16 15:51:00 +03:00
parent 5505bb0dcc
commit 75bc861068
10 changed files with 454 additions and 0 deletions

101
Supybot.html Normal file

@ -0,0 +1,101 @@
<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8" /> <meta name="description" content="Supybot security issues," /> <meta name="keywords" content="Security,Issues,Supybot,crash,Debian,Ubuntu,IRC" /> <meta name="author" content="Mikaela Suomalainen" /> <link rel="canonical" href="https://mkaysi.github.io/Limnoria/Supybot.html">
<title>
Security issues of Supybot
</title>
<link rel="stylesheet" type="text/css" href="css.css" />
</head>
<body>
<h1 id="latest-version-of-supybot-was-released-in-2005">Latest version of Supybot was released in 2005</h1>
<p>All activity happens in git repository of Supybot nowadays and it happens seldomly. The version, which was released in 2005 is 0.83.4.1.</p>
<p>It's available from <a href="http://supybot.sf.net/">SourceForge</a>, Debian repositories, Ubuntu repositories and repositories of many other Linux distributions.</p>
<h1 id="has-critical-issues">0.83.4.1 has critical issues</h1>
<p>What issues?</p>
<h2 id="anyone-can-crash-it-and-computer-where-its-running-on">1. Anyone can crash it and computer where it's running on</h2>
<p>And this is very easy. Just run the command</p>
<pre><code>!misc last --regexp m/(.*\w){512}/</code></pre>
<p>where ! is the prefix character.</p>
<p>Misc is loaded by default and cannot be unloaded without modifying the config.</p>
<h2 id="the-previous-wasnt-the-only-way-to-do-this">2. The previous wasn't the only way to do this</h2>
<p>Everyone can also make the bot count an equation, which brings it and the host computer down.</p>
<p>For example:</p>
<pre><code>!math calc factorial(999999)</code></pre>
<h2 id="anyone-can-access-network-services-via-the-bot.">3. Anyone can access network services via the bot.</h2>
<p>I don't have example command for this, but it happens by nesting &quot;format cut&quot; and &quot;misc tell&quot;.</p>
<p>What does this mean? Anyone can tell the bot to ghost someone else on same account, take over a channel by telling the bot to give flags (if it has correct flags), change password of the account and everything else what you do with network services.</p>
<h2 id="web-page-with-special-characters-in-title-can-be-used-to-send-dccctcp-commands.">4. Web page with special characters in title can be used to send DCC/CTCP commands.</h2>
<p>This doesn't mean only things like CTCP actions (also known as /me), but known problems with old routers ( FF ? DCC SEND “ff???f??????????????” 0 0 0 ) which make them reconnect to the internet.</p>
<p>Usage:</p>
<pre><code>!web title &lt;malicious.page.here&gt;
!web fetch &lt;malicious.page.here&gt;</code></pre>
<p>Note that web fetch is disabled by default.</p>
<h1 id="are-these-issues-publicly-known">Are these issues publicly known?</h1>
<p><STRONG>Of course they are.</strong> They have been reported to</p>
<ol class="incremental" style="list-style-type: decimal">
<li><a href="http://ubuntu.com/">Ubuntu</a>, <a href="http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=672214">issue 1</a> and <a href="http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=672215">issue 2</a></li>
</ol>
<ol class="incremental" start="2" style="list-style-type: decimal">
<li><a href="http://debian.org/">Debian</a>, <a href="http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=672214">issue 1</a> and <a href="http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=672215">issue 2</a>.</li>
</ol>
<p>The first issue has been also used to take down some of <a href="https://wiki.ubuntu.com/IRC/Bots">Ubuntu IRC bots</a> several times. At least UbotX (I don't remember the number) and meetingology.</p>
<ol class="incremental" start="3" style="list-style-type: decimal">
<li>to their IRC channel.</li>
</ol>
<p>Some of them are fixed in git repository, but most people aren't using it.</p>
<h2 id="how-to-avoid-them">How to avoid them?</h2>
<p>You can add anticapability for these commands using &quot;owner defaultcapability&quot;, but that is only a temporary solution. There can also be other issues.</p>
<p>There are also two active Supybot forks, known as <a href="https://github.com/ProgVal/Limnoria">Limnoria</a> and <a href="http://sourceforge.net/apps/mediawiki/gribble/index.php?title=Main_Page">Gribble</a>, which are actively developed and have fixed these issues. If you want permanent solution, you should install either of them.</p>
<p>I recommend <a href="https://github.com/ProgVal/Limnoria">Limnoria</a>, because it seems to be more active (activity of <a href="http://sourceforge.net/apps/mediawiki/gribble/index.php?title=Main_Page">Gribble</a> isn't announced anywhere) and it has additional commands, translations and new plugin called <a href="https://github.com/ProgVal/Limnoria/tree/master/plugins/PluginDownloader">PluginDownloader</a>, which makes installing of 3rd party plugins easy. Ohloh supports comparing different projescts, <a href="https://www.ohloh.net/p/compare?project_0=Limnoria&amp;project_1=Gribble%3A+Support+Bottie&amp;project_2=Supybot">here is comparsion of Limnoria, Gribble and Supybot</a>.</p>
<p><strong>If you use Debian/Ubuntu or any Debian based distribution, you can get <a href="http://builds.progval.net/limnoria/limnoria-master-HEAD.deb">stable version of Limnoria here</a> or <a href="http://builds.progval.net/limnoria/limnoria-testing-HEAD.deb">testing version here</a>.</strong></p>
<p>The links above should always be the latest version of Limnoria and they are updated daily.</p>
<p><a href="http://sourceforge.net/apps/mediawiki/gribble/index.php?title=Gribble_Project_Git_Repository">Gribble modifications when compared to Supybot.</a></p>
<p><a href="https://github.com/ProgVal/Limnoria/wiki/LGC">Limnoria modifications when compared to Gribble.</a> Features of Gribble have been fully merged to Limnoria.</p>
<p>Your current botname.conf is <strong>100% compatible with forks</strong>.</p>
<p><a href="irc://irc.freenode.net/#supybot,#gribble,#limnoria">Join Supybot channels on freenode!</a></p>
<p><a href="https://github.com/Mkaysi/mkaysi.github.com/commits/master/IRC/Supybot.html.md">Changelog of this page.</a></p>
<hr/>
<div id="disqus_thread"></div>
<script type="text/javascript">
/* * * CONFIGURATION VARIABLES: EDIT BEFORE PASTING INTO YOUR WEBPAGE * * */
var disqus_developer = 0;
var disqus_url = 'http://mkaysi.github.com/IRC/Supybot.html';
var disques_title = 'Security issues of Supybot';
var disqus_shortname = 'mkaysishomepage'; // required: replace example with your forum shortname
/* * * DON'T EDIT BELOW THIS LINE * * */
(function() {
var dsq = document.createElement('script'); dsq.type = 'text/javascript'; dsq.async =
true;
dsq.src = '//' + disqus_shortname + '.disqus.com/embed.js';
(document.getElementsByTagName('head')[0] || document.getElementsByTagName('body')[0])
.appendChild(dsq);
})();
</script>
<noscript>
Please enable JavaScript to view the <a href="http://disqus.com/?ref_noscript">comments powered by Dis qus.</a>
</noscript>
<p>
<a href="http://disqus.com" class="dsq-brlink">comments powered by <span class="logo-disqus">Disqus </span></a>
</p>
<!-- vim : set ft=html -->
</body>
</html>
<script type="text/javascript">
var _gaq = _gaq || [];
_gaq.push(['_setAccount', 'UA-40171169-1']);
_gaq.push(['_trackPageview']);
(function() {
var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true;
ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js';
var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s);
})();
</script>
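Review bot: The "How to avoid them?" section names `owner defaultcapability` as the temporary mitigation but never says which capabilities to add, while sections 1, 2 and 4 give the exact triggering commands. Suggest listing the anticapabilities for the commands named above (misc last, math calc, web title, web fetch) in that section, so an operator who cannot move to a fork yet finds the workaround next to the trigger. Separately, `var disques_title` in the Disqus block looks like a typo for `disqus_title`, and `disqus_url` points at mkaysi.github.com/IRC/Supybot.html while the canonical link says mkaysi.github.io/Limnoria/Supybot.html.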

167
Supybot.html.md Normal file

@ -0,0 +1,167 @@
<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8" />
<meta name="description" content="Supybot security issues," />
<meta name="keywords" content="Security,Issues,Supybot,crash,Debian,Ubuntu,IRC" />
<meta name="author" content="Mikaela Suomalainen" />
<link rel="canonical" href="https://mkaysi.github.io/Limnoria/Supybot.html">
<title>Security issues of Supybot</title>
<link rel="stylesheet" type="text/css" href="css.css" />
</head>
<body>
# Latest version of Supybot was released in 2005
All activity happens in git repository of Supybot nowadays and it happens seldomly. The version, which was released in 2005 is 0.83.4.1.
It's available from [SourceForge], Debian repositories, Ubuntu repositories and repositories of many other Linux distributions.
[SourceForge]:http://supybot.sf.net/
# 0.83.4.1 has critical issues
What issues?
## 1. Anyone can crash it and computer where it's running on
And this is very easy. Just run the command
```
!misc last --regexp m/(.*\w){512}/
```
where ! is the prefix character.
Misc is loaded by default and cannot be unloaded without modifying the config.
## 2. The previous wasn't the only way to do this
Everyone can also make the bot count an equation, which brings it and the host computer down.
For example:
```
!math calc factorial(999999)
```
## 3. Anyone can access network services via the bot.
I don't have example command for this, but it happens by nesting "format cut" and "misc tell".
What does this mean? Anyone can tell the bot to ghost someone else on same account, take over a channel by telling the bot to give flags (if it has correct flags), change password of the account and everything else what you do with network services.
## 4. Web page with special characters in title can be used to send DCC/CTCP commands.
This doesn't mean only things like CTCP actions (also known as /me), but known problems with old routers ( FF ? DCC SEND “ff???f??????????????” 0 0 0 ) which make
them reconnect to the internet.
Usage:
```
!web title <malicious.page.here>
!web fetch <malicious.page.here>
```
Note that web fetch is disabled by default.
# Are these issues publicly known?
<STRONG>Of course they are.</strong> They have been reported to
1. [Ubuntu], [issue 1] and [issue 2]
[Ubuntu]:http://ubuntu.com/
[issue 1]:https://bugs.launchpad.net/ubuntu/+source/supybot/+bug/996947
[issue 2]:https://bugs.launchpad.net/ubuntu/+source/supybot/+bug/996950
2. [Debian], [issue 1] and [issue 2].
[Debian]:http://debian.org/
[issue 1]:http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=672214
[issue 2]:http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=672215
The first issue has been also used to take down some of [Ubuntu IRC bots] several times. At least UbotX (I don't remember the number) and meetingology.
[Ubuntu IRC bots]:https://wiki.ubuntu.com/IRC/Bots
3. to their IRC channel.
Some of them are fixed in git repository, but most people aren't using it.
## How to avoid them?
You can add anticapability for these commands using "owner defaultcapability", but that is only a temporary solution. There can also be other issues.
There are also two active Supybot forks, known as [Limnoria] and [Gribble], which are actively developed and have fixed these issues. If you want permanent solution, you should install either of them.
I recommend [Limnoria], because it seems to be more active (activity of [Gribble] isn't announced anywhere) and it has additional commands, translations and new plugin called [PluginDownloader], which makes installing of 3rd party plugins easy. Ohloh supports comparing different projescts, [here is comparsion of Limnoria, Gribble and Supybot](https://www.ohloh.net/p/compare?project_0=Limnoria&project_1=Gribble%3A+Support+Bottie&project_2=Supybot).
<strong>If you use Debian/Ubuntu or any Debian based distribution, you can get [stable version of Limnoria here] or [testing version here].</strong>
The links above should always be the latest version of Limnoria and they are updated daily.
[stable version of Limnoria here]:http://builds.progval.net/limnoria/limnoria-master-HEAD.deb
[testing version here]:http://builds.progval.net/limnoria/limnoria-testing-HEAD.deb
[Gribble modifications when compared to Supybot.]
[Limnoria modifications when compared to Gribble.] Features of Gribble have been fully merged to Limnoria.
[Gribble modifications when compared to Supybot.]:http://sourceforge.net/apps/mediawiki/gribble/index.php?title=Gribble_Project_Git_Repository
[Limnoria modifications when compared to Gribble.]:https://github.com/ProgVal/Limnoria/wiki/LGC
Your current botname.conf is <strong>100% compatible with forks</strong>.
[Join Supybot channels on freenode!]
[Limnoria]:https://github.com/ProgVal/Limnoria
[Gribble]:http://sourceforge.net/apps/mediawiki/gribble/index.php?title=Main_Page
[PluginDownloader]:https://github.com/ProgVal/Limnoria/tree/master/plugins/PluginDownloader
[Join Supybot channels on freenode!]:irc://irc.freenode.net/#supybot,#gribble,#limnoria
[Changelog of this page.]
[Changelog of this page.]:https://github.com/Mkaysi/mkaysi.github.com/commits/master/IRC/Supybot.html.md
<hr/>
<div id="disqus_thread"></div>
<script type="text/javascript">
/* * * CONFIGURATION VARIABLES: EDIT BEFORE PASTING INTO YOUR WEBPAGE * * */
var disqus_developer = 0;
var disqus_url = 'http://mkaysi.github.com/IRC/Supybot.html';
var disques_title = 'Security issues of Supybot';
var disqus_shortname = 'mkaysishomepage'; // required: replace example with your forum shortname
/* * * DON'T EDIT BELOW THIS LINE * * */
(function() {
var dsq = document.createElement('script'); dsq.type = 'text/javascript'; dsq.async =
true;
dsq.src = '//' + disqus_shortname + '.disqus.com/embed.js';
(document.getElementsByTagName('head')[0] || document.getElementsByTagName('body')[0])
.appendChild(dsq);
})();
</script>
<noscript>
Please enable JavaScript to view the <a href="http://disqus.com/?ref_noscript">comments powered by Dis
qus.</a>
</noscript>
<p><a href="http://disqus.com" class="dsq-brlink">comments powered by <span class="logo-disqus">Disqus
</span></a></p>
<!-- vim : set ft=html -->
</body>
</html>
<script type="text/javascript">
var _gaq = _gaq || [];
_gaq.push(['_setAccount', 'UA-40171169-1']);
_gaq.push(['_trackPageview']);
(function() {
var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true;
ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js';
var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s);
})();
</script>
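Review bot: The reference labels `[issue 1]` and `[issue 2]` are defined twice in the "Are these issues publicly known?" list, once with the Launchpad URLs and once with the bugs.debian.org URLs. Link reference labels are resolved for the whole document, not per list item, so both entries end up with the same targets; in the Supybot.html added by this commit the Ubuntu entry links to Debian bugs 672214 and 672215. Use distinct labels such as `[Ubuntu issue 1]` and `[Debian issue 1]`, or inline links.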

37
css.css Normal file

@ -0,0 +1,37 @@
h1,
h2,
h3,
h4,
h5,
h6 {
color: #FFFFFF;
background-color: #000000;
text-align: center
}
body {
color: #FFFFFF;
background-color: #000000;
font-family: "DejaVu Sans", Ubuntu, Arial, Arial, Helvetica, sans-serif;
text-align: justify-center
}
pre {
color: #000000;
background-color: #FFFFFF;
font-family: "Ubuntu Mono", "DejaVu Sans Mono", Courier, "Courier New";
}
a:link {
color: #66FF66
}
a:visited {
color: red
}
img {
display: inherit;
margin-left: auto;
margin-right: auto
}
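Review bot: `text-align: justify-center` in the `body` rule is not a valid `text-align` value, so browsers drop that declaration; pick `justify` or `center`. In the same rule `Arial` is listed twice in `font-family`, and the `pre` rule's font list has no generic `monospace` fallback at the end.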

19
header.html Normal file

@ -0,0 +1,19 @@
<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8" /> <!-- <meta http-equiv="refresh" content="60" /> --> <meta name="description" content="Header" /> <meta name="author" content="Mikaela Suomalainen" /> <link rel="canonical" href="https://mkaysi.github.io/Limnoria/header.html">
<title>
Header
</title>
<link rel="stylesheet" type="text/css" href="css.css" />
</head>
<body>
</body>
</html>
<!-- vim : set ft=html -->

19
header.html.md Normal file

@ -0,0 +1,19 @@
<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8" />
<!-- <meta http-equiv="refresh" content="60" /> -->
<meta name="description" content="Header" />
<meta name="author" content="Mikaela Suomalainen" />
<link rel="canonical" href="https://mkaysi.github.io/Limnoria/header.html">
<title>Header</title>
<link rel="stylesheet" type="text/css" href="css.css" />
</head>
<body>
</body>
</html>
<!-- vim : set ft=html -->

17
index.html Normal file

@ -0,0 +1,17 @@
<!DOCTYPE html>
<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="content-type">
<meta name="description" content="Mikaela's Supybot related pages. This will contain everything useful that was Supybot-related from my old GH-pages repo.">
<meta name="author" content="Mikaela Suomalainen">
<title>Mikaela's Supybot site</title>
<link rel="stylesheet" type="text/css" href="css.css" />
</head>
<frameset rows="100,*" frameborder="0" framespacing="0" border="0">
<frame src="header.html" name="header" marginwidth="0" marginheight="0"
scrolling="no"> <frameset cols="150,*" frameborder="0" framespacing="0" border="0">
<frame src="navbar.html" name="left" marginwidth="0" marginheight="0" scrolling="no">
<frame src="index.real.html" name="right" marginwidth="0" marginheight="0"> </frameset>
</frameset> <font face="verdana" size="1">
</font>
</html>
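Review bot: The `<frameset>` layout is declared under `<!DOCTYPE html>`, where frames are obsolete, and there is no `<noframes>` fallback, so a client without frame support gets no content and no link to index.real.html. Either add a `<noframes>` block that links to index.real.html and Supybot.html, or drop the frames and serve index.real.html as the index. The empty `<font face="verdana" size="1">` element after the closing `</frameset>` is stray markup and can go.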

20
index.real.html Normal file

@ -0,0 +1,20 @@
<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8" /> <!-- <meta http-equiv="refresh" content="60" /> --> <meta name="description" content="Insert description here" /> <meta name="author" content="Mikaela Suomalainen" /> <link rel="canonical" href="https://">
<title>
The real index (not-iframe)
</title>
<link rel="stylesheet" type="text/css" href="css.css" />
</head>
<body>
<p>Welcome to Mikaela's Supybot pages. These are what remains of mkaysi.github.io's old Supybot related pages.</p>
<p>This site isn't official and won't help with most of issues. In case you are looking for official sites, they are here:</p>
<p>+<a href="http://supybook.fealdia.org/devel/">Supybook</a> +<a href="http://supybot.aperio.fr/">Supybot Website</a> +<a href="http://qa.supybot.aperio.fr/">Q &amp; A website</a> +<a href="http://supybot.aperio.fr/doc/">Limnoria official documentation</a> +<a href="http://sourceforge.net/apps/mediawiki/gribble/index.php?title=Main_Page">Gribble Wiki</a></p>
<p>If you cannot find what you are looking for from them, please come to IRC and ask. The Support channels are <a href="ircs://chat.freenode.net:6697/#supybot,#limnoria">#supybot,#limnoria on chat.freenode.net</a></p>
</body>
</html>
<!-- vim : set ft=html -->
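Review bot: The head still carries template placeholders: `content="Insert description here"` for the description and `href="https://"` for the canonical link. Fill in both, or drop the canonical link, since a URL with no host is not a usable canonical target. The same placeholders are in index.real.html.md.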

31
index.real.html.md Normal file

@ -0,0 +1,31 @@
<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8" />
<!-- <meta http-equiv="refresh" content="60" /> -->
<meta name="description" content="Insert description here" />
<meta name="author" content="Mikaela Suomalainen" />
<link rel="canonical" href="https://">
<title>The real index (not-iframe)</title>
<link rel="stylesheet" type="text/css" href="css.css" />
</head>
<body>
Welcome to Mikaela's Supybot pages. These are what remains of
mkaysi.github.io's old Supybot related pages.
This site isn't official and won't help with most of issues. In case you
are looking for official sites, they are here:
+[Supybook](http://supybook.fealdia.org/devel/)
+[Supybot Website](http://supybot.aperio.fr/)
+[Q & A website](http://qa.supybot.aperio.fr/)
+[Limnoria official documentation](http://supybot.aperio.fr/doc/)
+[Gribble Wiki](http://sourceforge.net/apps/mediawiki/gribble/index.php?title=Main_Page)
If you cannot find what you are looking for from them, please come to IRC
and ask. The Support channels are [#supybot,#limnoria on chat.freenode.net](ircs://chat.freenode.net:6697/#supybot,#limnoria)
</body>
</html>
<!-- vim : set ft=html -->
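Review bot: The five link lines start with `+[` with no space after the `+`, so Markdown does not treat them as list items; the index.real.html in this commit shows them as one paragraph with literal `+` characters. Write each line as marker, space, link, for example `+ [Supybook](http://supybook.fealdia.org/devel/)`.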

20
navbar.html Normal file

@ -0,0 +1,20 @@
<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8" /> <!-- <meta http-equiv="refresh" content="60" /> --> <meta name="description" content="Navigation panel" /> <meta name="author" content="Mikaela Suomalainen" /> <link rel="canonical" href="https://mkaysi.github.io/Limnoria/navbar.html">
<title>
Navigation bar
</title>
<link rel="stylesheet" type="text/css" href="css.css" />
</head>
<body>
<p><strong>On-site links</strong></p>
<p><a href="index.real.html" target="right">Index</a></p>
<p><a href="Security issues of Supybot" target="right">Security issues of Supybot</a></p>
<!-- **Off-site links** -->
</body>
</html>
<!-- vim : set ft=markdown -->
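Review bot: The second link's `href="Security issues of Supybot"` is the page title, not a file name, so it will not resolve to the page added in this commit; it should be `href="Supybot.html"`. navbar.html.md carries the same attribute and needs the same change. The trailing modeline comment also says `ft=markdown` in an HTML file.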

23
navbar.html.md Normal file

@ -0,0 +1,23 @@
<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8" />
<!-- <meta http-equiv="refresh" content="60" /> -->
<meta name="description" content="Navigation panel" />
<meta name="author" content="Mikaela Suomalainen" />
<link rel="canonical" href="https://mkaysi.github.io/Limnoria/navbar.html">
<title>Navigation bar</title>
<link rel="stylesheet" type="text/css" href="css.css" />
</head>
<body>
**On-site links**
<a href="index.real.html" target="right">Index</a>
<a href="Security issues of Supybot" target="right">Security issues of Supybot</a>
<!-- **Off-site links** -->
</body>
</html>
<!-- vim : set ft=markdown -->