egghelp/eggheads community

security issue with whois

2003-09-04T03:47:06-04:00

This way if the user that is not in the "allowed" list will get an "What? You need '.help'" reply

Yepp, that will work in the way i can limit what users can use whois, but every chanmaster in every chan need access to whois command to be able to manage its users.

And none of thoose chanmasters is supposed to know what other chnas the bots are on, since most of them are +secret.

If a user is in say 2 chans, when a chanmaster do a whois he can only see the channame of the chan he is master of, so there their code works, almost...

But what doesn't work is that at the end of the line where global flags are chown, there is a field for "LAST", and there it can show chans that the master has no right too see, since he has no flags in that chan.

Statistics: Posted by Guest — Thu Sep 04, 2003 3:47 am

security issue with whois

2003-09-04T02:48:25-04:00

Example:

Code:

set allowed "bla foo bar" bind filt - ".whois *" dcc:allowproc dcc:allow {idx args} {   global allowed   set usernick [idx2hand $idx]  if {[lindex $args 1] == ""} {     set icmd [lindex $args 0]    set args "$icmd "  }  if {[lsearch -exact [string tolower $allowed] [string tolower $usernick]] == -1} {    putdcc $idx "What? You need '.help'"    } else {    return $args  }}

This way if the user that is not in the "allowed" list will get an "What? You need '.help'" reply

Statistics: Posted by caesar — Thu Sep 04, 2003 2:48 am

security issue with whois

2003-09-04T02:19:40-04:00

Well, you can use the bind filt and "change" a bit the .whois

And create my own .whois you mean, that though would require me being good at tcl scriptng, hehe.

Part of the whois code works great and I doubt I would manage to write that, hehe. The part where it hides channel record and channel flags on users for channels that the user (who issued .whois) have no access too... (hope anyone understand that line, hehe)

Which makes it quite weird that the makers of eggdrop let this slip by.

Statistics: Posted by Guest — Thu Sep 04, 2003 2:19 am

security issue with whois

2003-09-04T01:45:15-04:00

Well, you can use the bind filt and "change" a bit the .whois

Statistics: Posted by caesar — Thu Sep 04, 2003 1:45 am

security issue with whois

2003-09-03T23:16:22-04:00

Yeah!! I had the same problem using a tcl with bass seen script. Someone typed !seen and the bot said user was last seen in #hiddenchannel

I was shocked to say the least hehehe.... whois will be the same issue. Wonder how to get around that.... hope there is a solution!

Statistics: Posted by AxS — Wed Sep 03, 2003 11:16 pm

security issue with whois

2003-09-03T16:42:34-04:00

Lets say you have a botnet with a few channels, as standard no new user can get access to bot trough dcc or telnet. For each chan you give a few user that access to add users.

Now to the security issue:
A user with "party-line" access for #chan1 can do a whois on a user say me (botnet owner) and whois will report last seen, in this case #chan3. The security issue is that users in #chan1 should not know that #chan3 exists.

Does anyone have a sollution for this, whats still required is:
1, party-line access to add users
2, of course they need access to .whois to check their own users

Statistics: Posted by Guest — Wed Sep 03, 2003 4:42 pm