Limnoria/Supybot.markdown
2014-12-31 16:01:00 +02:00

6.5 KiB
Raw Blame History

All activity happens in git repository of Supybot nowadays and it happens seldomly. The latest version, which was released in 2009 is 0.83.4.1 has multiple security issues documented here. This version is available from Debian repositories, Ubuntu repositories and repositories of many other Linux distributions.

Note: Development has moved from SourceForge to GitHub so I wont refer to the old SF page.

The issues of 0.83.4.1.

1. Anyone can crash it and computer where its running on

And this is very easy. Just run the command

!misc last --regexp m/(.*\w){512}/

where ! is the prefix character.

Misc is loaded by default and cannot be unloaded without modifying the config.

2. The previous wasnt the only way to do this

Everyone can also make the bot count an equation, which brings it and the host computer down.

For example:

!math calc factorial(999999)

This requires Math plugin which comes with Supybot, but isnt load by default.

3. Anyone can access network services via the bot.

I dont have example command for this, but it happens by nesting “format cut” and “misc tell”.

What does this mean? Anyone can tell the bot to ghost someone else on same account, take over a channel by telling the bot to give flags (if it has correct flags), change password of the account and everything else what you do with network services.

4. Web page with special characters in <title> can be used to send DCC/CTCP commands.

This doesnt mean only things like CTCP actions (also known as /me), but known problems with old routers ( FF ? DCC SEND “ff???f??????????????” 0 0 0 ) which make them reconnect to the internet.

Usage:

!web title <malicious.page.here>
!web fetch <malicious.page.here>

Are these issues publicly known?

Of course they are. They have been reported to

The first issue has been also used to take down some of Ubuntu IRC bots several times. At least UbotX (I dont remember the number) and meetingology.

Some of these issues are fixed in git repository, but most people arent using it. If you wish to start using it, please scroll down to installation instructions lower this page even though Limnoria and gribble are more recommended.

How to avoid them?

You can add anticapability for these commands using owner defaultcapability, but that is only a temporary solution. There can also be other issues.

There are also two active Supybot forks, known as Limnoria and Gribble, which are actively developed and have fixed these issues. If you want permanent solution, you should install either of them.

I recommend Limnoria * it seems to be more actively developed. * (activity of Gribble isnt announced anywhere) * it has additional * commands * translations support * plugins * PluginDownloader, which makes installing of 3rd party plugins easy. * NickAuth * Allows identifying to the bot using NickServ account. * all changes of Gribble. * Conditional & MessageParser * [Limnoria also supports SASL and CertFP], which are methods to identify to services automatically.

Interesting things

Your current botname.conf is 100% compatible with forks.

Join Supybot channels on freenode!

Installing forks

For all of them.

You should install pip (usually python-pip and python3-pip in repositories) and git.

Windows users should also install pip and msysgit and in msysgit select to run unix tools in PATH.

Note: pip is included with Python =< 3.4! Python 3 is only supported by Limnoria.

For rootless installation, please see Limnorias documentation. which you should be able to modify to install stock Supybot or gribble with the information below.

If you dont have sudo, please simply remove it from beginnings of lines and run the commands as root or Administrator.

Supybot

Not recommended as its not actively developed.

sudo python -m pip install git+https://github.com/supybot/supybot.git --upgrade

gribble

Less actively developed than Limnoria and doesnt support Python 3.

sudo python -m pip install git+https://github.com/nanotube/supybot_fixes.git --upgrade

Limnoria

At the time of writing, the most active Supybot fork which includes embedded HTTPd for plugins needing it, supports other languages than English and also runs with Python 3.

The first command installs requirements of Limnoria and the second Limnoria itself. Only Limnoria has requirements.txt file at the moment.

sudo python3 -m pip install -r https://raw.githubusercontent.com/ProgVal/Limnoria/master/requirements.txt --upgrade
sudo python3 -m pip install git+https://github.com/ProgVal/Limnoria.git@master --upgrade

python3 -m pip

If you dont have pip for Python3 you can

curl -LO https://bootstrap.pypa.io/get-pip.py
sudo python3 get-pip.py

if curl -LO doesnt work, try replacing it with wget.


Changelog of this page. * * * * *