mirror of
				https://github.com/Mikaela/Limnoria.git
				synced 2025-10-24 21:17:22 +02:00 
			
		
		
		
	
		
			
				
	
	
		
			146 lines
		
	
	
		
			5.6 KiB
		
	
	
	
		
			Markdown
		
	
	
	
	
	
			
		
		
	
	
			146 lines
		
	
	
		
			5.6 KiB
		
	
	
	
		
			Markdown
		
	
	
	
	
	
| ---
 | ||
| layout: page
 | ||
| title: Security issues
 | ||
| permalink: /Supybot.html
 | ||
| ---
 | ||
| 
 | ||
| <!-- @format -->
 | ||
| 
 | ||
| Supybot git repository was declared dead on 2018-05-10 and archived on GitHub.
 | ||
| [v0.84.0 was the last release at that time](https://github.com/Supybot/Supybot/releases/tag/v0.84.0).
 | ||
| 0.83.4.1 used to be a very common release available through several Linux
 | ||
| distributions for years and thus I made this page, which I guess is now
 | ||
| available more of for historical reasons.
 | ||
| 
 | ||
| **_WARNING: most of the content originates from 2014!_**
 | ||
| 
 | ||
| ## The issues of 0.83.4.1.
 | ||
| 
 | ||
| ### 1. Anyone can crash it and computer where it's running on
 | ||
| 
 | ||
| And this is very easy. Just run the command
 | ||
| 
 | ||
| `!misc last --regexp m/(.*\w){512}/`
 | ||
| 
 | ||
| where ! is the prefix character.
 | ||
| 
 | ||
| Misc is loaded by default and cannot be unloaded without modifying the config.
 | ||
| 
 | ||
| - [Limnoria issue #157](https://github.com/ProgVal/Limnoria/issues/157)
 | ||
|   - Fixing commits:
 | ||
|     [3526d5d](https://github.com/ProgVal/Limnoria/commit/3526d5dabf587457a43af8bee8d4db21986e8222)
 | ||
|     &
 | ||
|     [e11dc28](https://github.com/ProgVal/Limnoria/commit/e11dc28025de877b1b6cf059013eef88337b7e44)
 | ||
| - [Ubuntu bug #996947](https://bugs.launchpad.net/ubuntu/+source/supybot/+bug/996947)
 | ||
| - [Debian bug #672214](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=672214)
 | ||
| 
 | ||
| ### 2. The previous wasn't the only way to do this
 | ||
| 
 | ||
| Everyone can also make the bot count an equation, which brings it and the host
 | ||
| computer down.
 | ||
| 
 | ||
| For example:
 | ||
| 
 | ||
| `!math calc factorial(999999)`
 | ||
| 
 | ||
| This requires Math plugin which comes with Supybot, but isn't load by default.
 | ||
| 
 | ||
| - [Limnoria issue #354](https://github.com/ProgVal/Limnoria/issues/354)
 | ||
|   - Fixing commit:
 | ||
|     [695078e](https://github.com/ProgVal/Limnoria/commit/695078edeb91e5ff1eec728fedf0e0c27b55c505)
 | ||
| - [Ubuntu bug #996950](https://bugs.launchpad.net/ubuntu/+source/supybot/+bug/996950)
 | ||
| - [Debian bug 672215](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=672215)
 | ||
| 
 | ||
| ### 3. Anyone can access network services via the bot.
 | ||
| 
 | ||
| I don't have example command for this, but it happens by nesting "format cut"
 | ||
| and "misc tell".
 | ||
| 
 | ||
| What does this mean? Anyone can tell the bot to ghost someone else on same
 | ||
| account, take over a channel by telling the bot to give flags (if it has correct
 | ||
| flags), change password of the account and everything else what you do with
 | ||
| network services.
 | ||
| 
 | ||
| - _This was only reported at IRC and I am unable to find issue report or fixing
 | ||
|   commit. ~~Mikaela on 2015-01-04._
 | ||
| 
 | ||
| ### 4. Web page with special characters in \<title\> can be used to send DCC/CTCP commands.
 | ||
| 
 | ||
| This doesn't mean only things like CTCP actions (also known as /me), but known
 | ||
| problems with old routers ( `FF ? DCC SEND “ff???f??????????????” 0 0 0` ) which
 | ||
| make them reconnect to the internet.
 | ||
| 
 | ||
| Usage:
 | ||
| 
 | ||
| - `!web title <malicious.page.here>`
 | ||
| - `!web fetch <malicious.page.here>`
 | ||
| 
 | ||
| _This was only reported at IRC and I am unable to find issue report or fixing
 | ||
| commit. ~~Mikaela on 2015-01-04._
 | ||
| 
 | ||
| ### 5. Web Titlte/Fetch can be used for DoS
 | ||
| 
 | ||
| They are vulnerable to queries to servers which have custom headers which can
 | ||
| lead to DoS.
 | ||
| 
 | ||
| _This was only reported at IRC and I am unable to find issue report or fixing
 | ||
| commit. ~~Mikaela on 2015-01-04._
 | ||
| 
 | ||
| ### 6. QuoteGrabs grab command also works in PM
 | ||
| 
 | ||
| and can grab private content such as `user register` or `user identify` or with
 | ||
| the case of owner possibly NickServ passwords and others not so nice things.
 | ||
| 
 | ||
| - _It appears this issue was only reported at IRC._
 | ||
|   - Fixing commit:
 | ||
|     [a3346343679f3bdf8c77d9efb5a2097e215d51df](https://github.com/ProgVal/Limnoria/commit/a3346343679f3bdf8c77d9efb5a2097e215d51df)
 | ||
| 
 | ||
| ### Are these issues publicly known?
 | ||
| 
 | ||
| **Of course they are.** Issue reports are below the actual issues.
 | ||
| 
 | ||
| The first issue has been also used to take down some of
 | ||
| [Ubuntu IRC bots](https://wiki.ubuntu.com/IRC/Bots) several times. At least
 | ||
| UbotX (I don't remember the number) and meetingology.
 | ||
| 
 | ||
| Some of these issues are fixed in git repository, but most people aren't using
 | ||
| it. If you wish to start using it, please scroll down to installation
 | ||
| instructions lower this page even though [Limnoria] and [gribble] are more
 | ||
| recommended.
 | ||
| 
 | ||
| ### How to avoid them?
 | ||
| 
 | ||
| You can add anticapability for these commands using `owner defaultcapability`,
 | ||
| but that is only a temporary solution. There can also be other issues.
 | ||
| 
 | ||
| There are also two active Supybot forks, known as [Limnoria] and [Gribble],
 | ||
| which are actively developed and have fixed these issues. If you want permanent
 | ||
| solution, you should install either of them.
 | ||
| 
 | ||
| ## Possibly interesting links
 | ||
| 
 | ||
| - [Comparsion of commit activity between Limnoria, Gribble and Supybot](https://www.openhub.net/p/compare?project_0=Limnoria&project_1=Gribble%3A+Support+Bottie&project_2=Supybot).
 | ||
| - [Gribble's modifications to stock Supybot](https://sourceforge.net/p/gribble/wiki/Gribble_Project_Git_Repository/)
 | ||
| - [Limnoria's modifications to Gribble.](https://github.com/ProgVal/Limnoria/wiki/LGC)
 | ||
|   - Features of Gribble are fully merged to Limnoria.
 | ||
| 
 | ||
| Your current botname.conf is **100% compatible with forks**.
 | ||
| 
 | ||
| [Join Supybot channels on LiberaChat!](ircs://irc.libera.chat:6697/#supybot,#gribble,#limnoria)
 | ||
| 
 | ||
| [Limnoria]: https://github.com/ProgVal/Limnoria
 | ||
| [Gribble]: http://github.com/nanotube/supybot_fixes
 | ||
| 
 | ||
| ## Installing forks
 | ||
| 
 | ||
| _This section has been removed in order to not duplicate
 | ||
| [Limnoria's documentation.](http://doc.supybot.aperio.fr/en/latest/use/install.html)_
 | ||
| 
 | ||
| ---
 | ||
| 
 | ||
| Do you know issue that isn't mentioned here? If it's not already reported,
 | ||
| please report it
 | ||
| on [Limnoria's issue tracker.](https://github.com/ProgVal/Limnoria/issues) If
 | ||
| it's known, but just not reported here,
 | ||
| [please feel free to add it.](https://github.com/Mikaela/limnoria/edit/gh-pages/Supybot.markdown)
 |