View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0003736 | unreal | ircd | public | 2008-10-16 10:50 | 2013-01-09 10:33 |
| Reporter | MikeMike | Assigned To | syzop | ||
| Priority | normal | Severity | minor | Reproducibility | always |
| Status | closed | Resolution | no change required | ||
| Product Version | 3.2.7 | ||||
| Summary | 0003736: No local channel checks | ||||
| Description | I was making a module today that created a false user and introduced them to the network and I noticed that they were able to join local channels on remote servers (due to my not having implimented checking of this yet), there seems to be no checking for local channels on the remote server, local channels seem to be enforced by requiring the server the user is on to refuse to join the user. I can see 2 potential problems with this: 1. compromised/malicious servers are able to join supposedly local channels on remote servers that they shouldn't be able to 2. if you were to link a non-unreal server to the network, then local channels would effectively stop working as the use of # names would be valid normal channels you could join (not tested with any specific servers, and i don't know if anyone does link different servers, but if they did...) The impact is limited by the fact that you would still see the remote user joining the channel as normal, however I think this joining of illegal channels should have some response from the remote server receiving the invalid join - either a kick or possibly a squit on the basis that the server is not acting correctly? (i think a kick would be most appropriate though, especially if #2 is the case) | ||||
| Steps To Reproduce | Remove server mask checks from the join command then /join i guess would be simplest | ||||
| Additional Information | While this does require a compromised/malicious server in order for it to matter, I still think it should take some basic steps to prevent it from such servers. | ||||
| 3rd party modules | N/A | ||||
|
|
Uuh... I'm not sure where you're getting that idea from, local channels don't exist at all in Unreal at present. See 0003153 |
|
|
they do, using #name:servermask (as suggested in that discussion, it is already implimented in 3.2.7) in that suggestion someone also mentioned allowing ulined servers to join such channels still, well technically this bug means that services could do that already (without needing a uline) - that's the problem, that's not local although if not many people seem to realise this then that could explain why much of the code is missing any checks for these channels, resulting in this bug! |
|
|
They aregone now. 0003281 |
|
|
*are gone |
|
|
that is regarding 3.3, they are still in 3.2 - however if they are planning on dropping support for them then i guess that means it's unlikely that bugs are going to be fixed in a feature they are removing anyway? local channels are a good feature and we use them, and if they aren't going to be officially supported in unreal then i might look in to seeing if a module can do it (although the issue with & being used for +a as mentioned in 0003153 might make it difficult) |
|
|
no longer required as local channels are dropped |
| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2008-10-16 10:50 | MikeMike | New Issue | |
| 2008-10-16 10:50 | MikeMike | 3rd party modules | => N/A |
| 2008-10-16 10:59 | w00t | Note Added: 0015409 | |
| 2008-10-16 14:35 | MikeMike | Note Added: 0015410 | |
| 2008-10-16 14:37 | w00t | Note Added: 0015411 | |
| 2008-10-16 14:37 | w00t | Note Added: 0015412 | |
| 2008-10-16 14:44 | MikeMike | Note Added: 0015413 | |
| 2013-01-09 10:33 | syzop | Note Added: 0017325 | |
| 2013-01-09 10:33 | syzop | Status | new => closed |
| 2013-01-09 10:33 | syzop | Assigned To | => syzop |
| 2013-01-09 10:33 | syzop | Resolution | open => no change required |
