> Hello,
> I've just found a big hole in services provided by IRC networks. The
> services in question are Chanserv, Nickserv, Memoserv.

Most IRC networks use their own version of services, not even from the same codebase.

> So it came the new version of the servers this time with a nice feature !
> You didn't need to identify the nick when the servers rejoined from the
> split ! The first time I saw this I thought about how would the services
> recognize me as the true nick before the split... I never had the chance to
> test this theory until some days ago.

Right, you add a hostmask that services are supposed to recognize you by. (i.e. yourident@*.yourisp.com)

> So one server split and I took a nick from one administrator that wasn't
> even online ! And to my surprise when the servers rejoined I had full
> access to administrator privileges ! It just recognized the nick as a valid
> one and gave me the privileges.

1) No services I know give privileges based on nick alone. You have to be /oper'ed and/or identified by password.
2) I know for a fact DALnet's and NewNet's services don't act this way, to name two.

> This type of thing occurs because the server doesn't make any check, only
> checking if the nick exists in its database. One solution of this problem
> would be keeping a database of user/ip before the split and then compare
> when servers rejoin.

This may have been due to a desync, but I've never seen this before. Without knowing the services on the network you describe, I can't comment further, but this doesn't happen anywhere I know of.

Kevin Day
Administrator irc.dragondata.com
Services coder on NewNet.
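
The rule discussed in this thread (a hostmask match only recognizes a nick, while privileges require password identification) can be modelled as below. This is an added example, not part of the original message and not code from DALnet, NewNet or any real services package; the record layout, status names, the nick `sampleadmin` and the sample data are assumptions made for illustration.

```python
import hashlib, hmac, re
from dataclasses import dataclass

def pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

@dataclass
class NickRecord:            # hypothetical layout of a registered-nick entry
    salt: bytes
    pw: bytes                # PBKDF2 output, never the plaintext
    masks: tuple             # access list, e.g. "yourident@*.yourisp.com"
    is_admin: bool = False

@dataclass
class Session:               # one client as services see it after the rejoin
    nick: str
    ident: str
    host: str
    identified: bool = False

def mask_matches(mask, userhost):
    # IRC-style wildcards only: * = any run, ? = one character
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                 for c in mask)
    return re.fullmatch(rx, userhost, re.IGNORECASE) is not None

def identify(rec, session, password):
    # Constant-time comparison of the derived key against the stored one
    session.identified = hmac.compare_digest(pw_hash(password, rec.salt), rec.pw)
    return session.identified

def status_on_rejoin(db, s):
    """What services grant a nick they see again when a split heals."""
    rec = db.get(s.nick.lower())
    if rec is None:
        return "unregistered"
    if s.identified:
        return "admin" if rec.is_admin else "owner"
    if any(mask_matches(m, f"{s.ident}@{s.host}") for m in rec.masks):
        return "recognized"      # may keep the nick, gets no privileges
    return "must-identify"       # nick is in the database; that alone grants nothing

# Constructed sample data (not from any real network)
SALT = b"constructed-salt"
DB = {"sampleadmin": NickRecord(SALT, pw_hash("correct horse", SALT),
                                ("yourident@*.yourisp.com",), is_admin=True)}
```

A client that picked up the nick on the split side arrives as a fresh `Session` with `identified=False`, so the best it can reach without the password is `recognized`, and only when its user@host matches the access list.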
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:38:54 PDT