View Issue Details

ID: 0005098
Project: unrealircd
Category:
View Status: public
Last Update: 2018-06-11 08:55
Reporter: jesopo
Assigned To: syzop
Priority: normal
Severity: feature
Reproducibility: always
Status: resolved
Resolution: fixed
Product Version:
Target Version:
Fixed in Version: 4.0.18
Summary: 0005098: WEBIRC users bypass blacklist checks
Description: It seems that users connecting through a webirc using the WEBIRC protocol are either not checked against blacklists or the blacklist is done before the IP spoofing is done.
Tags: No tags attached.
3rd party modules:

Activities

jesopo

2018-06-03 17:37

reporter   ~0020135

Just a note for anyone else affected by this - putting the blacklist on Anope (and I assume Atheme) will correctly catch these users.

The_Myth

2018-06-10 18:10

reporter   ~0020138

I can confirm the issue. I've tried myself on my mobile phone connecting directly and via browser (web chat, with Orbot).

This is what happened:
https://pastebin.com/VVKCNSnK

syzop

2018-06-11 08:39

administrator   ~0020142

This is the endless debate of where security checks should be done... at the perimeter or not. I'm therefore considering this a feature enhancement, not a bug.

syzop

2018-06-11 08:55

administrator   ~0020143

Thanks for the report. Tested with an IP from dronebl and seems to work.

commit 93957fc7eeb607183459548429f5ee26bc96d3e6
Author: Bram Matthys <syzop@vulnscan.org>
Date: Mon Jun 11 08:53:34 2018 +0200

    blacklist module: also check the ip of WEBIRC users.
    Suggested by jesopo (0005098).
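
The ordering problem described in this report, as an added example (not UnrealIRCd's code and not the committed fix): a blacklist lookup made only at connect time queries the gateway's address, so the user address supplied through WEBIRC is never tested unless the check is repeated. The zone `dnsbl.example`, the addresses and all function names are constructed for illustration, and the DNS lookup is replaced by a string comparison so the example runs offline.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample data: documentation-range addresses, placeholder zone. */
#define ZONE       "dnsbl.example"
#define GATEWAY_IP "192.0.2.10"         /* hypothetical web chat gateway */
#define LISTED_IP  "203.0.113.7"        /* pretend this user is listed */
#define LISTED_Q   "7.113.0.203." ZONE  /* the only name that "resolves" */

struct client { char ip[16]; int rejected; };

/* DNSBL query name for an IPv4 address: octets reversed, zone appended. */
int dnsbl_qname(const char *ip, char *out, size_t n)
{
    unsigned a, b, c, d; char extra;
    if (sscanf(ip, "%u.%u.%u.%u%c", &a, &b, &c, &d, &extra) != 4 ||
        a > 255 || b > 255 || c > 255 || d > 255)
        return -1;
    int w = snprintf(out, n, "%u.%u.%u.%u.%s", d, c, b, a, ZONE);
    return (w < 0 || (size_t)w >= n) ? -1 : 0;
}

/* Stand-in for the DNS lookup (assumption: a hit is a name that resolves). */
int blacklist_hit(const char *ip)
{
    char q[64];
    return dnsbl_qname(ip, q, sizeof q) == 0 && strcmp(q, LISTED_Q) == 0;
}

/* Set the client's address; recheck == 0 keeps the verdict on the old one. */
void set_ip(struct client *c, const char *ip, int recheck)
{
    snprintf(c->ip, sizeof c->ip, "%s", ip);
    if (recheck)
        c->rejected = blacklist_hit(c->ip);
}

/* 1 if a listed user arriving through the gateway ends up rejected. */
int listed_webirc_user_rejected(int recheck_after_webirc)
{
    struct client c = {0};
    set_ip(&c, GATEWAY_IP, 1);                   /* connect: peer is gateway */
    set_ip(&c, LISTED_IP, recheck_after_webirc); /* WEBIRC: user IP applied */
    return c.rejected;
}

int main(void)
{
    printf("connect-only check: %d, recheck after WEBIRC: %d\n",
           listed_webirc_user_rejected(0), listed_webirc_user_rejected(1));
    return 0;
}
```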

Issue History

Date Modified Username Field Change
2018-05-29 14:06 jesopo New Issue
2018-06-03 17:37 jesopo Note Added: 0020135
2018-06-10 18:10 The_Myth Note Added: 0020138
2018-06-11 08:39 syzop Note Added: 0020142
2018-06-11 08:39 syzop Severity major => feature
2018-06-11 08:39 syzop Status new => acknowledged
2018-06-11 08:55 syzop Assigned To => syzop
2018-06-11 08:55 syzop Status acknowledged => resolved
2018-06-11 08:55 syzop Resolution open => fixed
2018-06-11 08:55 syzop Fixed in Version => 4.0.18
2018-06-11 08:55 syzop Note Added: 0020143