Supybot is dearly outdated
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| supybot (Ubuntu) |
Confirmed
|
Undecided
|
Unassigned | ||
Bug Description
1. Supybot hasn't received any updates since 2005
2. There are many security issues with it:
a.Anyone can crash it and computer where it's running on, just run the command "!misc last --regexp m/(.*\w){512}/"
Where "!" is the command char.
b. Another way to crash it and computer where it's running on, just run the command "!math calc factorial(999999)"
Where "!" is the command char.
c. Anyone can access network services via the bot. I don't have example command for this, but it happens by nesting "format cut" and "misc tell".
d.Web page with special characters in title can be used to send DCC/CTCP commands. This doesn't mean only things like CTCP actions (also known as /me), but known problems with old routers ( FF ? DCC SEND “ff???f?
Usage:
!web title <malicious.
!web fetch <malicious.
NOTICE: WEB FETCH IS DISABLED BY DEFAULT
3. Choose one of it's forks like Limnoria instead of Supybot.
| information type: | Private Security → Public Security |
| description: | updated |
| description: | updated |
| Valentin Lorentz (progval) wrote | #1 |
| Changed in supybot (Ubuntu): | |
| status: | New → Confirmed |
d. Anyone can crash the bot and the computer it is running on by using !web title with an URL to a HTTP server serving an infinite amount of headers.