Mikaela/Limnoria
1
0
Fork 0
mirror of https://github.com/Mikaela/Limnoria.git synced 2024-11-20 01:19:26 +01:00
Code Issues Projects Releases Wiki Activity
4eb390903f
Limnoria/Supybot.markdown
Mikaela Suomalainen b9d9e67307 Supybot.markdown: remove changelog link 
it got lost history on rename and history can more reliably be found
from GitHub anyway.
2014-12-31 16:20:26 +02:00

198 lines
6.4 KiB
Markdown
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

---
layout: page
title: Security issues
permalink: /Supybot.html
---
All activity happens in git repository of Supybot nowadays and it happens
seldomly. The latest version, which was released in 2009 is 0.83.4.1
has multiple security issues documented here. This version is available
from Debian repositories, Ubuntu repositories and repositories of many
other Linux distributions.
**Note: Development has moved from SourceForge to GitHub so I won't refer
to the old SF page.**
## The issues of 0.83.4.1.
### 1. Anyone can crash it and computer where it's running on
And this is very easy. Just run the command
```
!misc last --regexp m/(.*\w){512}/
```
where ! is the prefix character.
Misc is loaded by default and cannot be unloaded without modifying the
config.
### 2. The previous wasn't the only way to do this
Everyone can also make the bot count an equation, which brings it and the
host computer down.
For example:
```
!math calc factorial(999999)
```
This requires Math plugin which comes with Supybot, but isn't load by
default.
### 3. Anyone can access network services via the bot.
I don't have example command for this, but it happens by nesting
"format cut" and "misc tell".
What does this mean? Anyone can tell the bot to ghost someone else on same
account, take over a channel by telling the bot to give flags
(if it has correct flags), change password of the account and everything
else what you do with network services.
### 4. Web page with special characters in \<title\> can be used to send DCC/CTCP commands.
This doesn't mean only things like CTCP actions (also known as /me),
but known problems with old routers
( `FF ? DCC SEND “ff???f??????????????” 0 0 0` ) which make them reconnect
to the internet.
Usage:
```
!web title <malicious.page.here>
!web fetch <malicious.page.here>
```
### Are these issues publicly known?
**Of course they are.** They have been reported to
* [Ubuntu](https://ubuntu.com)
* [issue 1](http://pad.lv/996947])
* [issue 2](http://pad.lv/996950)
* [Debian](https://debian.org/)
* [issue 1](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=672214)
* [issue 2](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=672215)
* [#supybot](ircs://chat.freenode.net:6697/#supybot)
The first issue has been also used to take down some of
[Ubuntu IRC bots](https://wiki.ubuntu.com/IRC/Bots) several times.
At least UbotX (I don't remember the number) and meetingology.
Some of these issues are fixed in git repository, but most people aren't
using it. If you wish to start using it, please scroll down to
installation instructions lower this page even though [Limnoria] and
[gribble] are more recommended.
### How to avoid them?
You can add anticapability for these commands using
`owner defaultcapability`, but that is only a temporary solution.
There can also be other issues.
There are also two active Supybot forks, known as [Limnoria] and
[Gribble], which are actively developed and have fixed these issues.
If you want permanent solution, you should install either of them.
I recommend [Limnoria]
* it seems to be more actively developed.
* (activity of [Gribble] isn't announced anywhere)
* it has additional
* commands
* translations support
* plugins
* [PluginDownloader], which makes installing of
3rd party plugins easy.
* NickAuth
* Allows identifying to the bot using NickServ account.
* all changes of [Gribble].
* Conditional & MessageParser
* [Limnoria also supports SASL and CertFP], which are methods to
[identify to services automatically.](https://mkaysi.github.io/pages/external/identifying.html)
## Interesting things
* [Comparsion of commit activity between Limnoria, Gribble and Supybot](https://www.openhub.net/p/compare?project_0=Limnoria&project_1=Gribble%3A+Support+Bottie&project_2=Supybot).
* [Gribble's modifications to stock Supybot](https://sourceforge.net/p/gribble/wiki/Gribble_Project_Git_Repository/)
* SourceForge and that link are a little broken, when they are moved
elsewhere, please remove this notice!
* [Limnoria's modifications to Gribble.](https://github.com/ProgVal/Limnoria/wiki/LGC)
* Features of Gribble are fully merged to Limnoria.
Your current botname.conf is **100% compatible with forks**.
[Join Supybot channels on freenode!](ircs://chat.freenode.net:6697/#supybot,#gribble,#limnoria)
[Limnoria]:https://github.com/ProgVal/Limnoria
[Gribble]:http://github.com/nanotube/supybot_fixes
[PluginDownloader]:https://github.com/ProgVal/Limnoria/tree/master/plugins/PluginDownloader
## Installing forks
### For all of them.
You should install [pip] (usually python-pip and python3-pip in
repositories) and [git].
Windows users should also install [pip] and [msysgit] and in [msysgit]
select to run **unix tools in PATH**.
Note: pip is included with Python =< 3.4! Python 3 is only supported by
Limnoria.
For **rootless installation**, please see
[Limnoria's documentation.](http://supybot.aperio.fr/doc/use/install.html#local-installation) which you should be able to modify to install stock
Supybot or gribble with the information below.
If you don't have sudo, please simply remove it from beginnings of lines
and run the commands as root or Administrator.
[git]:http://git-scm.com/
[pip]:http://pip.readthedocs.org/en/latest/reference/pythonpip_install.html
[msysgit]:https://msysgit.github.io/
### Supybot
**Not recommended as it's not actively developed.**
```
sudo python -m pip install git+https://github.com/supybot/supybot.git --upgrade
```
### gribble
Less actively developed than Limnoria and doesn't support Python 3.
```
sudo python -m pip install git+https://github.com/nanotube/supybot_fixes.git --upgrade
```
### Limnoria
At the time of writing, the most active Supybot fork which includes
embedded HTTPd for plugins needing it, supports other languages than
English and also runs with Python 3.
The first command installs requirements of Limnoria and the second
Limnoria itself. Only Limnoria has requirements.txt file at the moment.
```
sudo python3 -m pip install -r https://raw.githubusercontent.com/ProgVal/Limnoria/master/requirements.txt --upgrade
sudo python3 -m pip install git+https://github.com/ProgVal/Limnoria.git@master --upgrade
```
#### python3 -m pip
If you don't have pip for Python3 you can
```
curl -LO https://bootstrap.pypa.io/get-pip.py
sudo python3 get-pip.py
```
if `curl -LO` doesn't work, try replacing it with `wget`.
Reference in New Issue View Git Blame Copy Permalink