Limnoria/Supybot.html.md
Mikaela Suomalainen bef7ecc02b Add GA.
I am interested in seeing does anyone ever even look at these pages, but
most of Supybot users who are on their channels have probable opted out
of analytics or have extension to do that.
2014-06-09 14:31:50 +03:00

5.5 KiB
Raw Blame History

<!DOCTYPE html> <html> <head> </head>

Latest version of Supybot was released in 2009

All activity happens in git repository of Supybot nowadays and it happens seldomly. The version, which was released in 2009 is 0.83.4.1.

Its available from SourceForge, Debian repositories, Ubuntu repositories and repositories of many other Linux distributions.

0.83.4.1 has critical issues

What issues?

1. Anyone can crash it and computer where its running on

And this is very easy. Just run the command

!misc last --regexp m/(.*\w){512}/

where ! is the prefix character.

Misc is loaded by default and cannot be unloaded without modifying the config.

2. The previous wasnt the only way to do this

Everyone can also make the bot count an equation, which brings it and the host computer down.

For example:

!math calc factorial(999999)

3. Anyone can access network services via the bot.

I dont have example command for this, but it happens by nesting “format cut” and “misc tell”.

What does this mean? Anyone can tell the bot to ghost someone else on same account, take over a channel by telling the bot to give flags (if it has correct flags), change password of the account and everything else what you do with network services.

4. Web page with special characters in title can be used to send DCC/CTCP commands.

This doesnt mean only things like CTCP actions (also known as /me), but known problems with old routers ( FF ? DCC SEND “ff???f??????????????” 0 0 0 ) which make them reconnect to the internet.

Usage:

!web title <malicious.page.here>
!web fetch <malicious.page.here>

Note that web fetch is disabled by default.

Are these issues publicly known?

Of course they are. They have been reported to

  1. Ubuntu, issue 1 and issue 2
  1. Debian, issue 1 and issue 2.

The first issue has been also used to take down some of Ubuntu IRC bots several times. At least UbotX (I dont remember the number) and meetingology.

  1. to their IRC channel.

Some of them are fixed in git repository, but most people arent using it.

How to avoid them?

You can add anticapability for these commands using “owner defaultcapability”, but that is only a temporary solution. There can also be other issues.

There are also two active Supybot forks, known as Limnoria and Gribble, which are actively developed and have fixed these issues. If you want permanent solution, you should install either of them.

I recommend Limnoria, because it seems to be more active (activity of Gribble isnt announced anywhere) and it has additional commands, translations and new plugin called PluginDownloader, which makes installing of 3rd party plugins easy. Ohloh supports comparing different projescts, here is comparsion of Limnoria, Gribble and Supybot.

If you use Debian/Ubuntu or any Debian based distribution, you can get stable version of Limnoria here or testing version here.

The links above should always be the latest version of Limnoria and they are updated daily.

Gribble modifications when compared to Supybot.

Limnoria modifications when compared to Gribble. Features of Gribble have been fully merged to Limnoria.

Your current botname.conf is 100% compatible with forks.

Join Supybot channels on freenode!

Changelog of this page.

</html>