From c26b9613382fe4c93842e625cc5e60decc59698f Mon Sep 17 00:00:00 2001 From: Mikaela Suomalainen Date: Thu, 27 Sep 2012 17:19:31 +0300 Subject: [PATCH] IRC/Supybot: write about isses of Supybot. --- IRC/Supybot.html | 40 +++++++++++++++++++++ IRC/Supybot.html.md | 87 +++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 127 insertions(+) create mode 100644 IRC/Supybot.html create mode 100644 IRC/Supybot.html.md diff --git a/IRC/Supybot.html b/IRC/Supybot.html new file mode 100644 index 0000000..2020ccd --- /dev/null +++ b/IRC/Supybot.html @@ -0,0 +1,40 @@ + + + + + +Security issues of Supybot + + + + +

If you are looking for web interface of my bot (known as Supybot on freenode), click here.

+

Latest version of Supybot was released in 2005

+

All activity happens in git repository of Supybot nowadays and it happens seldomly. The version, which was released in 2005 is 0.83.4.1.

+

It's available from SourceForge, Debian repositories, Ubuntu repositories and repositories of many other Linux distributions.

+

0.83.4.1 has critical issues

+

What issues?

+

1. Anyone can crash it and computer where it's running on

+

And this is very easy. Just run the command

+
!misc last --regexp m/(.*\w){512}/
+

where ! is the prefix character.

+

Misc is loaded by default and cannot be unloaded without modifying the config.

+

2. The previous wasn't the only way to do this

+

Everyone can also make the bot count an equation, which brings it and the host computer down.

+

For example:

+
!math calc factorial(999999)
+

3. Anyone can access network services via the bot.

+

I don't have example command for this, but it happens by nesting "format cut" and "misc tell".

+

What does this mean? Anyone can tell the bot to ghost someone else on same account, take over a channel by telling the bot to give flags (if it has correct flags), change password of the account and everything else what you do with network services.

+

Are these issues publicly known?

+

Of course they are. They have been reported to

+
    +
  1. Ubuntu, issue 1 and issue 2

  2. +
  3. Debian, issue 1 and issue 2

  4. +
  5. to their IRC channel.

  6. +
+

Some of them are fixed in git repository, but most people aren't using it.

+

How to avoid them?

+

You can add anticapability for these commands using "owner defaultcapability", but that is only a temporary solution. There can also be other issues.

+

There are also two active Supybot forks, known as Limnoria and Gribble, which are actively developed and have fixed these issues. If you want permanent solution, you should install either of them.

+

I recommend Limnoria, because it seems to be more active (activity of Gribble isn't announced anywhere) and it has additional commands, translations and new plugin called PluginDownloader, which makes installing of 3rd party plugins easy.

diff --git a/IRC/Supybot.html.md b/IRC/Supybot.html.md new file mode 100644 index 0000000..7a66bd3 --- /dev/null +++ b/IRC/Supybot.html.md 
@@ -0,0 +1,87 @@ + + + + + + + + +Security issues of Supybot + + + +If you are looking for web interface of my bot (known as Supybot on freenode), click [here.] + +[here.]:OtusBot.html + +# Latest version of Supybot was released in 2005 + +All activity happens in git repository of Supybot nowadays and it happens seldomly. The version, which was released in 2005 is 0.83.4.1. + +It's available from [SourceForge], Debian repositories, Ubuntu repositories and repositories of many other Linux distributions. + +[SourceForge]:http://supybot.sf.net/ + +# 0.83.4.1 has critical issues + +What issues? + +## 1. Anyone can crash it and computer where it's running on + +And this is very easy. Just run the command + +``` +!misc last --regexp m/(.*\w){512}/ +``` + +where ! is the prefix character. + +Misc is loaded by default and cannot be unloaded without modifying the config. + +## 2. The previous wasn't the only way to do this + +Everyone can also make the bot count an equation, which brings it and the host computer down. + +For example: + +``` +!math calc factorial(999999) +``` + +## 3. Anyone can access network services via the bot. + +I don't have example command for this, but it happens by nesting "format cut" and "misc tell". + +What does this mean? Anyone can tell the bot to ghost someone else on same account, take over a channel by telling the bot to give flags (if it has correct flags), change password of the account and everything else what you do with network services. + +# Are these issues publicly known? + +Of course they are. They have been reported to + +1. [Ubuntu], [issue 1] and [issue 2] + +[Ubuntu]:http://ubuntu.com/ +[issue 1]:https://bugs.launchpad.net/ubuntu/+source/supybot/+bug/996947 +[issue 2]:https://bugs.launchpad.net/ubuntu/+source/supybot/+bug/996950 + +2. 
[Debian], [issue 1] and [issue 2] + +[Debian]:http://debian.org/ +[issue 1]:http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=672214 +[issue 2]:http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=672215 + +3. to their IRC channel. + +Some of them are fixed in git repository, but most people aren't using it. + +## How to avoid them? + +You can add anticapability for these commands using "owner defaultcapability", but that is only a temporary solution. There can also be other issues. + +There are also two active Supybot forks, known as [Limnoria] and [Gribble], which are actively developed and have fixed these issues. If you want permanent solution, you should install either of them. + +I recommend [Limnoria], because it seems to be more active (activity of [Gribble] isn't announced anywhere) and it has additional commands, translations and new plugin called [PluginDownloader], which makes installing of 3rd party plugins easy. + +[Limnoria]:https://github.com/ProgVal/Limnoria +[Gribble]:http://sourceforge.net/apps/mediawiki/gribble/index.php?title=Main_Page +[PluginDownloader]:https://github.com/ProgVal/Limnoria/tree/master/plugins/PluginDownloader
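Review bot: the reference labels `[issue 1]` and `[issue 2]` are defined twice in the "Are these issues publicly known?" section, once for the Launchpad bugs and once for the Debian BTS bugs; a Markdown renderer uses only one definition per label, so both list items end up linking to the same pair of bugs. Give the labels distinct names (for example `[ubuntu-issue-1]`, `[debian-issue-1]`) and update the inline references to match. Placing the link definitions between list items 1 and 2 also interrupts the ordered list, so item 2 may render as a new list; move all definitions after item 3. Heading levels are inconsistent as well: "How to avoid them?" is `##` while its sibling sections "0.83.4.1 has critical issues" and "Are these issues publicly known?" are `#`; make it `#`. Minor: the link label `[here.]` includes the trailing period, which renders as part of the link text.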