mirror of
https://github.com/Mikaela/Limnoria.git
synced 2024-11-25 12:19:24 +01:00
44bcab1576
* SourceForge broken even their old git clone addresses.
93 lines
8.1 KiB
HTML
93 lines
8.1 KiB
HTML
<!DOCTYPE html>
|
||
<html>
|
||
<head>
|
||
<meta charset="UTF-8" /> <meta name="description" content="Supybot security issues," /> <meta name="keywords" content="Security,Issues,Supybot,crash,Debian,Ubuntu,IRC" /> <meta name="author" content="Mikaela Suomalainen" /> <link rel="canonical" href="https://mkaysi.github.io/limnoria/Supybot.html">
|
||
<title>
|
||
Security issues of Supybot
|
||
</title>
|
||
<link rel="stylesheet" type="text/css" href="css.css" />
|
||
</head>
|
||
<body>
|
||
|
||
<h2 id="latest-version-of-supybot-was-released-in-2009">Latest version of Supybot was released in 2009</h2>
|
||
<p>All activity happens in git repository of Supybot nowadays and it happens seldomly. The version, which was released in 2009 is 0.83.4.1.</p>
|
||
<p>It's available from <a href="http://supybot.sf.net/">SourceForge</a>, Debian repositories, Ubuntu repositories and repositories of many other Linux distributions.</p>
|
||
<h2 id="has-critical-issues">0.83.4.1 has critical issues</h2>
|
||
<p>What issues?</p>
|
||
<h3 id="anyone-can-crash-it-and-computer-where-its-running-on">1. Anyone can crash it and computer where it's running on</h3>
|
||
<p>And this is very easy. Just run the command</p>
|
||
<pre><code>!misc last --regexp m/(.*\w){512}/</code></pre>
|
||
<p>where ! is the prefix character.</p>
|
||
<p>Misc is loaded by default and cannot be unloaded without modifying the config.</p>
|
||
<h3 id="the-previous-wasnt-the-only-way-to-do-this">2. The previous wasn't the only way to do this</h3>
|
||
<p>Everyone can also make the bot count an equation, which brings it and the host computer down.</p>
|
||
<p>For example:</p>
|
||
<pre><code>!math calc factorial(999999)</code></pre>
|
||
<h3 id="anyone-can-access-network-services-via-the-bot.">3. Anyone can access network services via the bot.</h3>
|
||
<p>I don't have example command for this, but it happens by nesting "format cut" and "misc tell".</p>
|
||
<p>What does this mean? Anyone can tell the bot to ghost someone else on same account, take over a channel by telling the bot to give flags (if it has correct flags), change password of the account and everything else what you do with network services.</p>
|
||
<h3 id="web-page-with-special-characters-in-title-can-be-used-to-send-dccctcp-commands.">4. Web page with special characters in title can be used to send DCC/CTCP commands.</h3>
|
||
<p>This doesn't mean only things like CTCP actions (also known as /me), but known problems with old routers ( FF ? DCC SEND “ff???f??????????????” 0 0 0 ) which make them reconnect to the internet.</p>
|
||
<p>Usage:</p>
|
||
<pre><code>!web title <malicious.page.here>
|
||
!web fetch <malicious.page.here></code></pre>
|
||
<p>Note that web fetch is disabled by default.</p>
|
||
<h1 id="are-these-issues-publicly-known">Are these issues publicly known?</h1>
|
||
<p><STRONG>Of course they are.</strong> They have been reported to</p>
|
||
<ol class="incremental" style="list-style-type: decimal">
|
||
<li><a href="http://ubuntu.com/">Ubuntu</a>, <a href="http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=672214">issue 1</a> and <a href="http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=672215">issue 2</a></li>
|
||
</ol>
|
||
<ol class="incremental" start="2" style="list-style-type: decimal">
|
||
<li><a href="http://debian.org/">Debian</a>, <a href="http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=672214">issue 1</a> and <a href="http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=672215">issue 2</a>.</li>
|
||
</ol>
|
||
<p>The first issue has been also used to take down some of <a href="https://wiki.ubuntu.com/IRC/Bots">Ubuntu IRC bots</a> several times. At least UbotX (I don't remember the number) and meetingology.</p>
|
||
<ol class="incremental" start="3" style="list-style-type: decimal">
|
||
<li>to their IRC channel.</li>
|
||
</ol>
|
||
<p>Some of them are fixed in git repository, but most people aren't using it.</p>
|
||
<h2 id="how-to-avoid-them">How to avoid them?</h2>
|
||
<p>You can add anticapability for these commands using "owner defaultcapability", but that is only a temporary solution. There can also be other issues.</p>
|
||
<p>There are also two active Supybot forks, known as <a href="https://github.com/ProgVal/Limnoria">Limnoria</a> and <a href="http://sourceforge.net/apps/mediawiki/gribble/index.php?title=Main_Page">Gribble</a>, which are actively developed and have fixed these issues. If you want permanent solution, you should install either of them.</p>
|
||
<p>I recommend <a href="https://github.com/ProgVal/Limnoria">Limnoria</a>, because it seems to be more active (activity of <a href="http://sourceforge.net/apps/mediawiki/gribble/index.php?title=Main_Page">Gribble</a> isn't announced anywhere) and it has additional commands, translations and new plugin called <a href="https://github.com/ProgVal/Limnoria/tree/master/plugins/PluginDownloader">PluginDownloader</a>, which makes installing of 3rd party plugins easy. Ohloh supports comparing different projescts, <a href="https://www.ohloh.net/p/compare?project_0=Limnoria&project_1=Gribble%3A+Support+Bottie&project_2=Supybot">here is comparsion of Limnoria, Gribble and Supybot</a>.</p>
|
||
<p><strong>If you use Debian/Ubuntu or any Debian based distribution, you can get <a href="http://builds.progval.net/limnoria/limnoria-master-HEAD.deb">stable version of Limnoria here</a> or <a href="http://builds.progval.net/limnoria/limnoria-testing-HEAD.deb">testing version here</a>.</strong></p>
|
||
<p>The links above should always be the latest version of Limnoria and they are updated daily.</p>
|
||
<p><a href="http://sourceforge.net/apps/mediawiki/gribble/index.php?title=Gribble_Project_Git_Repository">Gribble modifications when compared to Supybot.</a></p>
|
||
<p><a href="https://github.com/ProgVal/Limnoria/wiki/LGC">Limnoria modifications when compared to Gribble.</a> Features of Gribble have been fully merged to Limnoria.</p>
|
||
<p>Your current botname.conf is <strong>100% compatible with forks</strong>.</p>
|
||
<p><a href="irc://irc.freenode.net/#supybot,#gribble,#limnoria">Join Supybot channels on freenode!</a></p>
|
||
<h2 id="installing-forks">Installing forks</h2>
|
||
<h3 id="for-all-of-them.">For all of them.</h3>
|
||
<p>You should install [pip] (usually python-pip in repositories) and [git].</p>
|
||
<p>Windows users should also install [pip] and [msysgit] and in [msysgit] select to run <strong>unix tools in PATH</strong>.</p>
|
||
<p>Note: pip is included with Python =< 3.4! Python 3 is only supported by Limnoria.</p>
|
||
<p>For <strong>rootless installation and upgrading</strong>, please see <a href="http://supybot.aperio.fr/doc/use/install.html#local-installation">Limnoria's documentation.</a> which you should be able to modify to install stock Supybot or gribble with the information below.</p>
|
||
<p>If you don't have sudo, please simply remove it from beginnings of lines and run the commands as root or Administrator.</p>
|
||
<p>[pip]: [msysgit]:</p>
|
||
<h3 id="supybot">Supybot</h3>
|
||
<p><strong>Not recommended as it's not actively developed.</strong></p>
|
||
<pre><code>sudo pip install git+https://github.com/supybot/supybot.git</code></pre>
|
||
<h3 id="gribble">gribble</h3>
|
||
<p>Less actively developed than Limnoria and doesn't support Python 3.</p>
|
||
<pre><code>sudo pip install git+https://github.com/nanotube/supybot_fixes.git</code></pre>
|
||
<h3 id="limnoria">Limnoria</h3>
|
||
<p>At the time of writing, the most active Supybot fork which includes embedded HTTPd for plugins needing it, supports other languages than English and also runs with Python 3.</p>
|
||
<p>The first command installs requirements of Limnoria and the second Limnoria itself. Only Limnoria has requirements.txt file at the moment.</p>
|
||
<pre><code>sudo pip install -r https://raw.githubusercontent.com/ProgVal/Limnoria/master/requirements.txt
|
||
sudo pip install git+https://github.com/ProgVal/Limnoria.git@master</code></pre>
|
||
<p>[Changelog of this page.]</p>
|
||
[Changelog of this page.]:https://github.com/Mkaysi/Limnoria/commits/gh-pages/Supybot.html
|
||
<script>
|
||
(function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
|
||
(i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
|
||
m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
|
||
})(window,document,'script','//www.google-analytics.com/analytics.js','ga');
|
||
|
||
ga('create', 'UA-40171169-1', 'mkaysi.github.io');
|
||
ga('send', 'pageview');
|
||
|
||
</script>
|
||
</body>
|
||
</html>
|
||
|
||
|