Re: Eggdrop arbitrary connection vulnerability

From: Matthew S. Hallacy (poptixat_private)
Date: Mon Feb 10 2003 - 17:44:40 PST


    <official reply from eggheads.org, the current eggdrop development group>
    
    On Sun, Feb 09, 2003 at 08:44:50PM +0100, Paul Starzetz wrote:
    > Hi,
    
    Hello.
    
    > 
    > there is a serious security problem in the popular eggdrop IRCbot. The 
    > hole allows a regular user with enough 'power' (at least power to add 
    > new bot records) to use any linked instance of the bot on the botnet as 
    > an instant 'proxy'. The following session demonstrates the problem with 
    > an out-of-the-box eggdrop 1.6.10:
    
    This is not a bug. When running a program, any program, the owner of
    the process has the responsibility of making sure that they trust the
    people they give access.
    
    Not only is partyline access required, but they must also have access
    to either add, or modify bots. In the past many people have used this
    particular 'feature' for various things, including connecting to other
    bots that may not be compatible with the eggdrop botnet protocol.
    
    I personally have also used this to verify that services are available
    that I cannot reach directly (ssh, http, ftp, etc). Others have written
    scripts (in Tcl, the script language available to eggdrop) that interact
    with various services, including FTP, SMTP, HTTP, and POP3.
    
    To conclude, if you see this as a security threat, please feel free to
    remove the user flags from the people that you do not trust to refrain
    from abusing it. It is not necessary (nor the default behavior) for a
    user to have the ability to do this (or even use the .relay command).
    
    [snip]
    
    > Hope this helps, thanks to Maciek Kroenke for bringing my attention to 
    > this bug,
    
    Next time you feel that you've found a 'bug' in eggdrop please refer to
    the mailing lists at http://www.eggheads.org, or our bugzilla server at
    http://www.eggheads.org/bugzilla
    </official reply>
    
    > /ih
    
    -- 
    Matthew S. Hallacy                            FUBAR, LART, BOFH Certified
    http://www.poptix.net                           GPG public key 0x01938203
    


