supybot !web title leaks LAN HTTP servers to the channel

Bug #234629 reported by Ralph Corderoy
Affects: supybot (Ubuntu)
Status: Confirmed
Importance: Undecided
Assigned to: Unassigned

Bug Description

Binary package hint: supybot

Ubuntu 8.04, supybot 0.83.3-1.

If supybot is running on a LAN and connecting to a public IRC server on the Internet, probably the normal state of affairs, normal unprivileged users of the bot can do things like !web title http://localhost/ thus getting the bot to fetch bits of web stuff from the LAN that may not normally be accessible to the Internet. Numeric IP addresses also work, allowing discovery of what's around.

Revision history for this message
bascule (kennym-safe-mail) wrote :

You can add a non-snarfing regex to the title snarfer in supybot; although not ideal, it offers a level of protection for a user. That plugin is in some ways dangerous by default as it automatically connects to any arbitrary URL that appears in a chan.

Ralph Corderoy (ralph-inputplus) wrote : Re: [Bug 234629] Re: supybot !web title leaks LAN HTTP servers to the channel

Hi bascule, thanks for pointing out the regex but it's hard or
impossible to concoct one that stops LAN access. Blocking numeric IP
addresses isn't sufficient. I agree this plugin is dangerous by default
and yet nowhere in the documentation, or during selection of this
plugin, does it warn the user to consider whether their network set-up
would be vulnerable. I think that's a bug that needs addressing.

Chatting on the supybot channel, I was told it should be obvious to
anyone that this can happen and that's what network DMZs exist for.
Well, it wasn't obvious to me since there's a lot of plugins and
considering the security implementations of each of them would take
hours.
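As an added example (not part of this bug thread and not supybot's own code), a pre-fetch URL check in Python of the kind the thread is asking for. It contrasts the numeric-IP regex approach with a check that resolves the hostname and refuses any address that is not globally routable, which is why a LAN name such as intranet.example slips past the regex but not the resolver-based check. The DNS table, hostnames and addresses are constructed so the example runs offline.

```python
import ipaddress
import re
import socket
from urllib.parse import urlsplit

# Constructed DNS table so the example runs offline; a deployment would pass
# dns_resolver() instead. The hostnames and addresses are made up.
FAKE_DNS = {
    "localhost": ["127.0.0.1"],
    "intranet.example": ["10.0.0.5"],
    "www.example.com": ["93.184.216.34"],
}
def fake_resolver(host):
    return FAKE_DNS.get(host, [])

def dns_resolver(host):
    # Real resolution: every A/AAAA answer for host, or [] if lookup fails.
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})
    except socket.gaierror:
        return []

# The regex approach suggested in the thread: refuse dotted-quad private hosts.
PRIVATE_DOTTED_QUAD = re.compile(r"^(127\.|10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)")
def regex_allows(url):
    host = urlsplit(url).hostname or ""
    return not PRIVATE_DOTTED_QUAD.match(host)

def is_public_http_url(url, resolver=dns_resolver):
    """True only if url is http(s) and every address its host resolves to is
    globally routable; ip.is_global is False for loopback, RFC 1918/ULA,
    link-local, multicast, reserved and unspecified addresses. Unresolvable
    hosts are refused rather than guessed."""
    parts = urlsplit(url)
    host = parts.hostname
    if parts.scheme not in ("http", "https") or not host:
        return False
    try:  # literal address in any textual form the ipaddress module accepts
        addrs = [host]
        ipaddress.ip_address(host)
    except ValueError:
        addrs = resolver(host)
    if not addrs:
        return False
    for a in addrs:
        ip = ipaddress.ip_address(a)
        ip = getattr(ip, "ipv4_mapped", None) or ip  # unwrap ::ffff:a.b.c.d
        if not ip.is_global:
            return False
    return True
```

Because the name is resolved once here and again by the HTTP client, a fetcher that wants to be robust against DNS rebinding should connect to the vetted address rather than re-resolve the hostname.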

Kees Cook (kees)
Changed in supybot:
status: New → Confirmed
Aminda Suomalainen (mikaela) wrote :

How is this plugin dangerous by default? You can easily prevent everyone from using web.title by running "defaultcapability remove web.title". Also, the titlesnarfing isn't enabled by default.

Ralph Corderoy (ralph-inputplus) wrote :

Mika, I think I explained adequately above. There is no warning in the documentation for the plugin that enabling it opens up the LAN to interrogation in a way that may not be obvious to the administrator that's having a browse of the plugins and enabling a few here and there.

Aminda Suomalainen (mikaela) wrote :

On 09.05.2012 15:17, Ralph Corderoy wrote:
> Mika, I think I explained adequately above. There is no warning in
> the documentation for the plugin that enabling it opens up the LAN
> to interrogation in a way that may not be obvious to the
> administrator that's having a browse of the plugins and enabling a
> few here and there.
>

There isn't a warning about the "Unix progstats" command giving out PID,
username, GID, configuration location, supybot binary location, config
location and Python version when the Unix plugin is loaded outside
supybot-wizard.

Example output from Unix progstats:
> Process ID 30171 running as user "<censored>" and as group
> "<censored>" from
> directory "/<censored>/<censored>/<censored>/<censored>" with the
> command line "/<censored>/<censored>/<censored>/supybot --daemon
> /<censored>/<censored>/<censored>
> /<censored>/<censored>.conf". Running on Python <censored>
> (<censored>, <censored>, <censored>) [GCC <censored>].

I doubt that that bug, if you call it a bug, gets fixed upstream,
because it's dead. You might have better luck moving to some fork and
reporting it at their issue tracker.

Supybot currently has two bugs which can cause the bot to crash along
with the computer it's running on:
https://bugs.launchpad.net/ubuntu/+source/supybot/+bug/996947 and
https://bugs.launchpad.net/ubuntu/+source/supybot/+bug/996950 .


Ralph Corderoy (ralph-inputplus) wrote :

> There isn't warning about "Unix progstats" command giving out PID,
> username, ...

It doesn't need one. It sounds more likely that it would give out that
kind of thing from its name. That a plugin typically used to print the
<title> of public web pages can be used to poke about the LAN isn't so
obvious IMHO.

Valentin Lorentz (progval) wrote : Re: [Bug 234629] Re: supybot !web title leaks LAN HTTP servers to the channel

I don't see why it would be hard to guess. Bot admins should know the difference between a website accessible from the Internet and a website accessible from a local net: nothing.

Moreover, I don't think knowing the title of a page is that dangerous.
The only risk is if there is some kind of web application that allows running actions based on GET parameters, which is a known _very bad_ design pattern, also known as CSRF (which means something like Cross-Site Request Forgery).

Ralph Corderoy <email address hidden> wrote:

> > There isn't warning about "Unix progstats" command giving out PID,
> > username, ...
>
> It doesn't need one. It sounds more likely that it would give out that
> kind of thing from its name. That a plugin typically used to print the
> <title> of public web pages can be used to poke about the LAN isn't so
> obvious IMHO.


This report contains Public Security information. Everyone can see this security-related information.