View Issue Details

IDProjectCategoryView StatusLast Update
0004283unrealircdpublic2014-03-14 01:14
ReporterpeterkingalexanderAssigned Tonenolod 
PriorityhighSeveritymajorReproducibilityalways
Status resolvedResolutionfixed 
Product Version3.2.10.1 
Target VersionFixed in Version3.4-alpha1 
Summary0004283: CAP Negotiation can be used to bypass PING cookie
DescriptionSummary says it all really but basically a client can send CAP LS, NICK, USER, CAP END and not have to send PONG <cookie> to connect. Allowing malicious code to bypass the PING cookie IP spoof protection.
Steps To Reproducetelnet <server> 6667
CAP LS
NICK SomeNick
USER User meh meh :Gecos
CAP END
*connected*
TagsNo tags attached.
3rd party modules

Activities

syzop

2013-06-26 20:24

administrator   ~0018008

Fortunately 99% of the people run OS's that have no (known) weak ISN.

Still, this also means HTTP POST protection can be bypassed, oh well.. actually not.. because that's caught by another module ;p.

Still.. should be fixed. nenolod? you added the code, so you probably know where the problem lies.

Btw, I would swear I tested this, because it was so logical that this would happen :p.

wolfwood

2013-08-05 02:13

reporter   ~0018009

Confirmed.

I think it should be fixed out of principle if nothing else, its still a weakness even if it is minor.

My 2ยข :)

nenolod

2013-09-21 08:08

reporter   ~0018010

http://hg.unrealircd.com/hg/unreal/rev/0d8f213feb59

Issue History

Date Modified Username Field Change
2014-03-14 01:14 peterkingalexander New Issue
2014-03-14 01:14 peterkingalexander Issue generated from: 0004222