Limnoria/Supybot.markdown

5.6 KiB
Raw Permalink Blame History

Supybot git repository was declared dead on 2018-05-10 and archived on GitHub. v0.84.0 was the last release at that time. 0.83.4.1 used to be a very common release available through several Linux distributions for years and thus I made this page, which I guess is now available more of for historical reasons.

WARNING: most of the content originates from 2014!

The issues of 0.83.4.1.

1. Anyone can crash it and computer where its running on

And this is very easy. Just run the command

!misc last --regexp m/(.*\w){512}/

where ! is the prefix character.

Misc is loaded by default and cannot be unloaded without modifying the config.

2. The previous wasnt the only way to do this

Everyone can also make the bot count an equation, which brings it and the host computer down.

For example:

!math calc factorial(999999)

This requires Math plugin which comes with Supybot, but isnt load by default.

3. Anyone can access network services via the bot.

I dont have example command for this, but it happens by nesting “format cut” and “misc tell”.

What does this mean? Anyone can tell the bot to ghost someone else on same account, take over a channel by telling the bot to give flags (if it has correct flags), change password of the account and everything else what you do with network services.

  • This was only reported at IRC and I am unable to find issue report or fixing commit. ~~Mikaela on 2015-01-04.

4. Web page with special characters in <title> can be used to send DCC/CTCP commands.

This doesnt mean only things like CTCP actions (also known as /me), but known problems with old routers ( FF ? DCC SEND “ff???f??????????????” 0 0 0 ) which make them reconnect to the internet.

Usage:

  • !web title <malicious.page.here>
  • !web fetch <malicious.page.here>

This was only reported at IRC and I am unable to find issue report or fixing commit. ~~Mikaela on 2015-01-04.

5. Web Titlte/Fetch can be used for DoS

They are vulnerable to queries to servers which have custom headers which can lead to DoS.

This was only reported at IRC and I am unable to find issue report or fixing commit. ~~Mikaela on 2015-01-04.

6. QuoteGrabs grab command also works in PM

and can grab private content such as user register or user identify or with the case of owner possibly NickServ passwords and others not so nice things.

Are these issues publicly known?

Of course they are. Issue reports are below the actual issues.

The first issue has been also used to take down some of Ubuntu IRC bots several times. At least UbotX (I dont remember the number) and meetingology.

Some of these issues are fixed in git repository, but most people arent using it. If you wish to start using it, please scroll down to installation instructions lower this page even though Limnoria and gribble are more recommended.

How to avoid them?

You can add anticapability for these commands using owner defaultcapability, but that is only a temporary solution. There can also be other issues.

There are also two active Supybot forks, known as Limnoria and Gribble, which are actively developed and have fixed these issues. If you want permanent solution, you should install either of them.

Your current botname.conf is 100% compatible with forks.

Join Supybot channels on LiberaChat!

Installing forks

This section has been removed in order to not duplicate Limnorias documentation.


Do you know issue that isnt mentioned here? If its not already reported, please report it on Limnorias issue tracker. If its known, but just not reported here, please feel free to add it.