Vulnerability Development mailing list archives
Re: BitchX /ignore bug
From: phorlakh () ATRALAKH DARKTECH ORG (Joe User)
Date: Thu, 6 Jul 2000 21:21:11 -0500
Just think of it this way: someone that's got a natural knack for programming hops down to a bookstore and picks up "Learn C in 21 Days" and flips through it for about 10, and has everything down pat. Ok, no problem, except for the fact that the books you pick up register unsafe gets(), scanf(), strcpy(), etc. Then, after a short time of writing small projects this way, they find out about security: checking buffers, making certain that nothing can get out of bounds, etc...they pick up on this information, but too late. They've already learned the unsafe way of doing things, and old habits die hard. This, unfortunately, is what happens oftentimes; I figured it out when I wrote one program and couldn't figure out why a scanf() would overwrite the EIP and cause a segfault. It took me about 4 days to find the info online in an article [I believe it was on SunWorld] that you should never use scanf() at all. Many of the big-shot programmers out there that contribute or even write programs that are now in everyday use have never been to a school to learn to program, they just started by doing. It's shameful that the material they learned from had no notion of secure programming, but unfortunately that's the way it is :(
It's amazing how some code gets written. I'm glad that I was "raised" in a security-conscious environment. I used to take it for granted that coders always check for every possible weak point in their code that they knew of, now I'm not so naive. How often does this happen? I doubt it's laziness, or even ignorance -- some of these issues are pretty obscure. Is it the teachers' fault, can anyone be blamed? More importantly, is there anything (short of Java, or any change in language) that can be done about it? Imagine how little we would know if this were closed source. *Someone* would notice a segmentation violation sometime, fire up a debugger, produce an exploit, and finally an advisory would be written. We wouldn't really know a thing. Who knows how long these things would go unpatched for? On Thu, 06 Jul 2000, Keith Simonsen wrote:Hi, Those are front slashes, but backslashes work: Channel #\xff\xff\xff/bin/sh was created at Thu Jul 6 14:56:29 2000 In the ircd_defs.h file included with efnet ircd source the max channel length is 200 bytes (#define CHANNELLEN 200) hmm I also noticed the ban length is 1024... thats a lot of room, and is passed to the client when joining a channel. I also tried setting bans with %s and other formatting characters, it works... Anyone want to check the BitchX code for how it parses bans when the client joins the channel?-- Shop smart, shop S-Mart! - Ash
Current thread:
- Re: BitchX /ignore bug Stephen J. Friedl (Jul 04)
- Re: BitchX /ignore bug Stephen J. Friedl (Jul 05)
- Re: BitchX /ignore bug Benjamin Karas (Jul 05)
- Re: BitchX /ignore bug Daniel Jacobowitz (Jul 05)
- <Possible follow-ups>
- Re: BitchX /ignore bug Thomas Dullien (Jul 05)
- Re: BitchX /ignore bug Ron DuFresne (Jul 06)
- Re: BitchX /ignore bug Keith Simonsen (Jul 06)
- Re: BitchX /ignore bug Steve Mosher (Jul 06)
- Re: BitchX /ignore bug Joe User (Jul 06)
- Re: BitchX /ignore bug Security Mail Acct. (Jul 06)
- wwwboard my help reveal user name and password Julian Linton (Jul 07)
- Re: wwwboard my help reveal user name and password Shelagh Pepper (Jul 07)
- Re: wwwboard my help reveal user name and password Shadowboxer (Jul 07)
- Re: wwwboard my help reveal user name and password Jason Legate (Jul 07)
- Re: wwwboard my help reveal user name and password Simon Hughes (Jul 11)
- Re: BitchX /ignore bug Ron DuFresne (Jul 06)
- About all the default password databases... Mikael Olsson (Jul 07)
- Re: About all the default password databases... Roelof Temmingh (Jul 07)
- Re: About all the default password databases... Jonathan Leto (Jul 07)
- Re: About all the default password databases... Phenoelit (Jul 08)