mikaela.github.io/IRC/Supybot.html

<!DOCTYPE html>
<html>
<head>
<meta name="description" content="Supybot security issues," /> <meta name="keywords" content="Security,Issues,Supybot,crash,Debian,Ubuntu,IRC" /> <meta name="author" content="Mika Suomalainen" /> <meta charset="UTF-8" /> <link rel="canonical" href="http://mkaysi.github.com/IRC/Supybot.html">
<title>
Security issues of Supybot
</title>
<link rel="stylesheet" type="text/css" href="../tyyli.css" />
</head>

<p><em>If you are looking for web interface of my bot (known as Supybot on freenode), click <a href="OtusBot.html">here.</a></em></p>
<h1 id="latest-version-of-supybot-was-released-in-2005">Latest version of Supybot was released in 2005</h1>
<p>All activity happens in git repository of Supybot nowadays and it happens seldomly. The version, which was released in 2005 is 0.83.4.1.</p>
<p>It's available from <a href="http://supybot.sf.net/">SourceForge</a>, Debian repositories, Ubuntu repositories and repositories of many other Linux distributions.</p>
<h1 id="has-critical-issues">0.83.4.1 has critical issues</h1>
<p>What issues?</p>
<h2 id="anyone-can-crash-it-and-computer-where-its-running-on">1. Anyone can crash it and computer where it's running on</h2>
<p>And this is very easy. Just run the command</p>
<pre><code>!misc last --regexp m/(.*\w){512}/</code></pre>
<p>where ! is the prefix character.</p>
<p>Misc is loaded by default and cannot be unloaded without modifying the config.</p>
<h2 id="the-previous-wasnt-the-only-way-to-do-this">2. The previous wasn't the only way to do this</h2>
<p>Everyone can also make the bot count an equation, which brings it and the host computer down.</p>
<p>For example:</p>
<pre><code>!math calc factorial(999999)</code></pre>
<h2 id="anyone-can-access-network-services-via-the-bot.">3. Anyone can access network services via the bot.</h2>
<p>I don't have example command for this, but it happens by nesting &quot;format cut&quot; and &quot;misc tell&quot;.</p>
<p>What does this mean? Anyone can tell the bot to ghost someone else on same account, take over a channel by telling the bot to give flags (if it has correct flags), change password of the account and everything else what you do with network services.</p>
<h1 id="are-these-issues-publicly-known">Are these issues publicly known?</h1>
<p><STRONG>Of course they are.</strong> They have been reported to</p>
<ol class="incremental" style="list-style-type: decimal">
<li><p><a href="http://ubuntu.com/">Ubuntu</a>, <a href="http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=672214">issue 1</a> and <a href="http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=672215">issue 2</a></p></li>
<li><p><a href="http://debian.org/">Debian</a>, <a href="http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=672214">issue 1</a> and <a href="http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=672215">issue 2</a>.</p></li>
</ol>
<p>The first issue has been also used to take down some of <a href="https://wiki.ubuntu.com/IRC/Bots">Ubuntu IRC bots</a> several times. At least UbotX (I don't remember the number) and meetingology.</p>
<ol class="incremental" start="3" style="list-style-type: decimal">
<li>to their IRC channel.</li>
</ol>
<p>Some of them are fixed in git repository, but most people aren't using it.</p>
<h2 id="how-to-avoid-them">How to avoid them?</h2>
<p>You can add anticapability for these commands using &quot;owner defaultcapability&quot;, but that is only a temporary solution. There can also be other issues.</p>
<p>There are also two active Supybot forks, known as <a href="https://github.com/ProgVal/Limnoria">Limnoria</a> and <a href="http://sourceforge.net/apps/mediawiki/gribble/index.php?title=Main_Page">Gribble</a>, which are actively developed and have fixed these issues. If you want permanent solution, you should install either of them.</p>
<p>I recommend <a href="https://github.com/ProgVal/Limnoria">Limnoria</a>, because it seems to be more active (activity of <a href="http://sourceforge.net/apps/mediawiki/gribble/index.php?title=Main_Page">Gribble</a> isn't announced anywhere) and it has additional commands, translations and new plugin called <a href="https://github.com/ProgVal/Limnoria/tree/master/plugins/PluginDownloader">PluginDownloader</a>, which makes installing of 3rd party plugins easy.</p>
IRC/Supybot: write about isses of Supybot. 2012-09-27 17:19:31 +03:00			`<!DOCTYPE html>`
			`<html>`
			`<head>`
			`<meta name="description" content="Supybot security issues," /> <meta name="keywords" content="Security,Issues,Supybot,crash,Debian,Ubuntu,IRC" /> <meta name="author" content="Mika Suomalainen" /> <meta charset="UTF-8" /> <link rel="canonical" href="http://mkaysi.github.com/IRC/Supybot.html">`
			`<title>`
			`Security issues of Supybot`
			`</title>`
			`<link rel="stylesheet" type="text/css" href="../tyyli.css" />`
			`</head>`

			`<p><em>If you are looking for web interface of my bot (known as Supybot on freenode), click <a href="OtusBot.html">here.</a></em></p>`
			`<h1 id="latest-version-of-supybot-was-released-in-2005">Latest version of Supybot was released in 2005</h1>`
			`<p>All activity happens in git repository of Supybot nowadays and it happens seldomly. The version, which was released in 2005 is 0.83.4.1.</p>`
			`<p>It's available from <a href="http://supybot.sf.net/">SourceForge</a>, Debian repositories, Ubuntu repositories and repositories of many other Linux distributions.</p>`
			`<h1 id="has-critical-issues">0.83.4.1 has critical issues</h1>`
			`<p>What issues?</p>`
			`<h2 id="anyone-can-crash-it-and-computer-where-its-running-on">1. Anyone can crash it and computer where it's running on</h2>`
			`<p>And this is very easy. Just run the command</p>`
			`<pre><code>!misc last --regexp m/(.*\w){512}/</code></pre>`
			`<p>where ! is the prefix character.</p>`
			`<p>Misc is loaded by default and cannot be unloaded without modifying the config.</p>`
			`<h2 id="the-previous-wasnt-the-only-way-to-do-this">2. The previous wasn't the only way to do this</h2>`
			`<p>Everyone can also make the bot count an equation, which brings it and the host computer down.</p>`
			`<p>For example:</p>`
			`<pre><code>!math calc factorial(999999)</code></pre>`
			`<h2 id="anyone-can-access-network-services-via-the-bot.">3. Anyone can access network services via the bot.</h2>`
			`<p>I don't have example command for this, but it happens by nesting "format cut" and "misc tell".</p>`
			`<p>What does this mean? Anyone can tell the bot to ghost someone else on same account, take over a channel by telling the bot to give flags (if it has correct flags), change password of the account and everything else what you do with network services.</p>`
			`<h1 id="are-these-issues-publicly-known">Are these issues publicly known?</h1>`
			`<p><STRONG>Of course they are.</strong> They have been reported to</p>`
			`<ol class="incremental" style="list-style-type: decimal">`
			`<li><p><a href="http://ubuntu.com/">Ubuntu</a>, <a href="http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=672214">issue 1</a> and <a href="http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=672215">issue 2</a></p></li>`
IRC/Supybot: mention Ubuntu IRC bots, which were also taken down with one of these issues some times. 2012-09-27 17:29:07 +03:00			`<li><p><a href="http://debian.org/">Debian</a>, <a href="http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=672214">issue 1</a> and <a href="http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=672215">issue 2</a>.</p></li>`
			`</ol>`
			`<p>The first issue has been also used to take down some of <a href="https://wiki.ubuntu.com/IRC/Bots">Ubuntu IRC bots</a> several times. At least UbotX (I don't remember the number) and meetingology.</p>`
			`<ol class="incremental" start="3" style="list-style-type: decimal">`
			`<li>to their IRC channel.</li>`
IRC/Supybot: write about isses of Supybot. 2012-09-27 17:19:31 +03:00			`</ol>`
			`<p>Some of them are fixed in git repository, but most people aren't using it.</p>`
			`<h2 id="how-to-avoid-them">How to avoid them?</h2>`
			`<p>You can add anticapability for these commands using "owner defaultcapability", but that is only a temporary solution. There can also be other issues.</p>`
			`<p>There are also two active Supybot forks, known as <a href="https://github.com/ProgVal/Limnoria">Limnoria</a> and <a href="http://sourceforge.net/apps/mediawiki/gribble/index.php?title=Main_Page">Gribble</a>, which are actively developed and have fixed these issues. If you want permanent solution, you should install either of them.</p>`
			`<p>I recommend <a href="https://github.com/ProgVal/Limnoria">Limnoria</a>, because it seems to be more active (activity of <a href="http://sourceforge.net/apps/mediawiki/gribble/index.php?title=Main_Page">Gribble</a> isn't announced anywhere) and it has additional commands, translations and new plugin called <a href="https://github.com/ProgVal/Limnoria/tree/master/plugins/PluginDownloader">PluginDownloader</a>, which makes installing of 3rd party plugins easy.</p>`