All activity happens in the git repository of Supybot nowadays, and it happens seldom. The latest version, 0.83.4.1, which was released in 2009, has multiple security issues, documented here. This version is available from the Debian repositories, the Ubuntu repositories and the repositories of many other Linux distributions.
Note: Development has moved from SourceForge to GitHub, so I won’t refer to the old SF page.
The issues in 0.83.4.1:
### 1. Anyone can crash it and the computer it’s running on
And this is very easy. Just run the command
```
!misc last --regexp m/(.*\w){512}/
```
where `!` is the prefix character.
Misc is loaded by default and cannot be unloaded without modifying the config.
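A defender-side guard for the first issue, as an added example that is not part of Supybot or of this post: it inspects a user-supplied regex with Python's own regex parser and refuses nested quantifiers and large counted repeats before the pattern is ever executed, so `m/(.*\w){512}/` is rejected instead of matched. The `m/.../` delimiter stripping and the limits are assumptions of this example, not Supybot's own values.

```python
import re
try:
    from re import _parser as sre_parser   # Python 3.11+ keeps the regex parser private
except ImportError:
    import sre_parse as sre_parser         # older interpreters
MAX_FINITE_REPEAT = 64      # largest {n} / {n,m} count accepted (assumed limit)
MAX_REPEAT_NESTING = 1      # a quantifier inside a quantified group is refused (assumed)
_REPEAT_OPS = {sre_parser.MAX_REPEAT, sre_parser.MIN_REPEAT}
if hasattr(sre_parser, "POSSESSIVE_REPEAT"):   # only exists from Python 3.11
    _REPEAT_OPS.add(sre_parser.POSSESSIVE_REPEAT)

def _walk(node):
    """Return (deepest repeat nesting, largest finite repeat count) under a parse node."""
    depth = count = 0
    if isinstance(node, sre_parser.SubPattern):
        for op, av in node.data:
            if op in _REPEAT_OPS:
                _lo, hi, sub = av
                d, c = _walk(sub)
                d += 1                             # this quantifier wraps what is below it
                if hi != sre_parser.MAXREPEAT:     # MAXREPEAT marks an unbounded * or +
                    c = max(c, hi)
            else:
                d, c = _walk(av)
            depth, count = max(depth, d), max(count, c)
    elif isinstance(node, (tuple, list)):  # BRANCH alternatives, SUBPATTERN payloads, IN sets
        for item in node:
            d, c = _walk(item)
            depth, count = max(depth, d), max(count, c)
    return depth, count                     # ints and None (literals, flags) contribute nothing

def strip_perl_delimiters(spec):
    """Accept the 'm/pattern/' form typed at the bot and return the bare pattern (simplified)."""
    if len(spec) >= 3 and spec[0] == "m" and spec[1] == spec[-1] and not spec[1].isalnum():
        return spec[2:-1]
    return spec

def check_pattern(spec):
    """Return (accepted, reason); refuse patterns likely to backtrack catastrophically."""
    pattern = strip_perl_delimiters(spec)
    try:
        parsed = sre_parser.parse(pattern)
    except (re.error, OverflowError) as exc:   # OverflowError: repeat count beyond MAXREPEAT
        return False, "invalid regex: %s" % exc
    depth, count = _walk(parsed)
    if depth > MAX_REPEAT_NESTING:
        return False, "nested quantifiers (depth %d)" % depth
    if count > MAX_FINITE_REPEAT:
        return False, "repeat count %d exceeds limit" % count
    return True, "ok"
```

A command handler would call `check_pattern` on the argument and only hand accepted patterns to `re.search`; the rejection reason can be logged to spot repeated attempts.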
### 2. The previous wasn’t the only way to do this
Everyone can also make the bot compute an expression, which brings it and the host computer down.
For example:
```
!math calc factorial(999999)
```
This requires the Math plugin, which comes with Supybot but isn’t loaded by default.
### 3. Anyone can access network services via the bot.
I don’t have an example command for this, but it happens by nesting “format cut” and “misc tell”.
What does this mean? Anyone can tell the bot to ghost someone else on the same account, take over a channel by telling the bot to give flags (if it has the correct flags), change the password of the account, and do everything else you can do with network services.
### 4. Web page with special characters in