Bugtraq mailing list archives
Re: Bug in IRC services
From: toasty () HOME DRAGONDATA COM (Kevin Day)
Date: Fri, 12 Mar 1999 19:43:04 -0600
> Hello, I've just found a big hole in services provided by IRC networks. The services in question are Chanserv, Nickserv, Memoserv.

Most IRC networks use their own version of services, not even from the same codebase.

> So the new version of the servers came, this time with a nice feature! You didn't need to identify the nick when the servers rejoined from the split! The first time I saw this I thought about how the services would recognize me as the true nick before the split... I never had the chance to test this theory until some days ago.

Right, you add a hostmask that services are supposed to recognize you by (i.e. yourident@*.yourisp.com).

> So one server split and I took a nick from one administrator that wasn't even online! And to my surprise, when the servers rejoined I had full access to administrator privileges! It just recognized the nick as a valid one and gave me the privileges.

1) No services I know give privileges based on nick alone. You have to be /oper'ed and/or identified by password.
2) I know for a fact DALnet's and NewNet's services don't act this way, to name two.

> This type of thing occurs because the server doesn't make any check, only checking if the nick exists in its database. One solution to this problem would be keeping a database of user/ip before the split and then comparing when the servers rejoin.

This may have been due to a desync, but I've never seen this before. Without knowing the services on the network you describe, I can't comment further, but this doesn't happen anywhere I know of.

Kevin Day
Administrator irc.dragondata.com
Services coder on NewNet.
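
An added example, not part of the original thread and not any network's services code: a Python model of the pre-split user/host comparison proposed in the quoted text, beside the nick-only check it reports and the hostmask and password recognition described in the reply. The `Services` class, its method names and the registration records are hypothetical and constructed for illustration.

```python
import re

# Constructed registration records: nick -> access-list hostmasks (user@host globs).
REGISTERED = {
    "admin": ["root@*.example.net"],
    "alice": ["alice@*.isp.example"],
}

def mask_matches(mask, user, host):
    """Case-insensitive IRC-style glob match ('*' and '?') against user@host."""
    pattern = re.escape(mask).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(pattern, f"{user}@{host}", re.IGNORECASE) is not None

class Services:  # hypothetical model, not any real services package
    def __init__(self, registered):
        self.registered = registered
        self.recognized = {}  # nick -> (user, host) currently trusted
        self.snapshot = {}    # nick -> (user, host) saved at split time

    def on_connect(self, nick, user, host, identified=False):
        """Recognize by password (identified=True) or by access-list hostmask."""
        masks = self.registered.get(nick)
        if masks is None:
            return False
        ok = identified or any(mask_matches(m, user, host) for m in masks)
        if ok:
            self.recognized[nick] = (user, host)
        return ok

    def on_split(self):
        """Save who was recognized before the split, then drop live trust."""
        self.snapshot = dict(self.recognized)
        self.recognized.clear()

    def on_rejoin(self, nick, user, host, naive=False):
        """Decide whether a nick seen after the rejoin keeps its privileges."""
        if naive:
            # Behaviour reported in the post: the nick exists, so it is trusted.
            return nick in self.registered
        # Proposed check: same user@host as before the split keeps its status;
        # anyone else goes through normal recognition again.
        if self.snapshot.get(nick) == (user, host):
            self.recognized[nick] = (user, host)
            return True
        return self.on_connect(nick, user, host)
```

A nick that was not online before the split has no snapshot entry, so its holder after the rejoin is trusted only if the access list or a password says so.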