View Issue Details

ID: 0004222
Project: unreal
Category: ircd
View Status: public
Last Update: 2013-09-21 08:08
Reporter: Jobe
Assigned To: nenolod
Priority: high
Severity: major
Reproducibility: always
Status: resolved
Resolution: fixed
Product Version: 3.2.10.1
Fixed in Version: 3.4-alpha1

Summary: 0004222: CAP Negotiation can be used to bypass PING cookie

Description: Summary says it all really, but basically a client can send CAP LS, NICK, USER, CAP END and not have to send PONG <cookie> to connect, allowing malicious code to bypass the PING cookie IP spoof protection.

Steps To Reproduce:
telnet <server> 6667
CAP LS
NICK SomeNick
USER User meh meh :Gecos
CAP END
*connected*

Tags: No tags attached.
3rd party modules:

Activities

syzop

2013-06-26 20:24

administrator   ~0017719

Fortunately 99% of the people run OS's that have no (known) weak ISN.

Still, this also means HTTP POST protection can be bypassed, oh well.. actually not.. because that's caught by another module ;p.

Still.. should be fixed. nenolod? you added the code, so you probably know where the problem lies.

Btw, I would swear I tested this, because it was so logical that this would happen :p.

wolfwood

2013-08-05 02:13

reporter   ~0017738

Confirmed.

I think it should be fixed out of principle if nothing else, it's still a weakness even if it is minor.

My 2¢ :)

nenolod

2013-09-21 08:08

reporter   ~0017767

http://hg.unrealircd.com/hg/unreal/rev/0d8f213feb59
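
Added example (not part of the original report and not UnrealIRCd source): a simplified C model of the registration gate, contrasting a CAP END handler that completes registration without consulting the pending PING cookie with one that defers to a single shared gate. The struct, the function names and the cookie value 1A2B3C4D are hypothetical and constructed for illustration.

```c
/* Simplified model, NOT UnrealIRCd source; all names and values are hypothetical. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
struct client {
    bool has_nick, has_user, registered;
    bool cap_open;        /* CAP LS seen, CAP END not yet */
    bool cookie_pending;  /* PING :<cookie> sent, matching PONG not yet seen */
    char cookie[9];
};

/* Single gate: registration completes only when every precondition holds. */
static bool try_register(struct client *c) {
    if (c->has_nick && c->has_user && !c->cap_open && !c->cookie_pending)
        c->registered = true;
    return c->registered;
}

/* Flawed shape: CAP END runs its own completion check and forgets the cookie. */
static bool cap_end_flawed(struct client *c) {
    c->cap_open = false;
    if (c->has_nick && c->has_user) c->registered = true;
    return c->registered;
}
/* Hardened shape: CAP END clears only its own flag, then defers to the gate. */
static bool cap_end_checked(struct client *c) {
    c->cap_open = false;
    return try_register(c);
}

/* PONG clears the pending cookie only on an exact match. */
static bool on_pong(struct client *c, const char *arg) {
    if (c->cookie_pending && strcmp(arg, c->cookie) == 0)
        c->cookie_pending = false;
    return try_register(c);
}

/* Constructed session state after "CAP LS", "NICK", "USER" with no PONG sent. */
static struct client after_cap_nick_user(void) {
    return (struct client){ .has_nick = true, .has_user = true, .cap_open = true,
                            .cookie_pending = true, .cookie = "1A2B3C4D" };
}

int main(void) {
    struct client a = after_cap_nick_user(), b = after_cap_nick_user();
    printf("flawed CAP END registers: %d\n", cap_end_flawed(&a));
    printf("checked CAP END registers: %d\n", cap_end_checked(&b));
    printf("after correct PONG: %d\n", on_pong(&b, "1A2B3C4D"));
    return 0;
}
```

Routing every handler (NICK, USER, CAP END, PONG) through one gate means a newly added registration step cannot skip a precondition that an older step enforces.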

Issue History

Date Modified Username Field Change
2013-06-19 19:23 Jobe New Issue
2013-06-26 20:24 syzop Note Added: 0017719
2013-08-05 02:13 wolfwood Note Added: 0017738
2013-08-15 21:48 syzop Status new => acknowledged
2013-09-21 08:08 nenolod Note Added: 0017767
2013-09-21 08:08 nenolod Status acknowledged => resolved
2013-09-21 08:08 nenolod Fixed in Version => 3.4-alpha1
2013-09-21 08:08 nenolod Resolution open => fixed
2013-09-21 08:08 nenolod Assigned To => nenolod
2014-03-14 01:14 peterkingalexander Issue cloned: 0004283