today, logging in my outlandz.net shell account, I found this in MOTD:
|
|**NOTICE**
|
| "Eggdrop.1.6.15 is a bug trap. it creates new +n users. do NOT upgrade to it."
Its openly exploitable. |
|
|
|7/14/03
anyone knows about it..?
I hope it's a hoax.
tnx for answers
This is the new home of the egghelp.org community forum.
All data has been migrated (including user logins/passwords) to a new phpBB version.
For more information, see this announcement post. Click the X in the top right-corner of this box to dismiss this message.
All data has been migrated (including user logins/passwords) to a new phpBB version.
For more information, see this announcement post. Click the X in the top right-corner of this box to dismiss this message.
fanthomatic eggdrop 1.6.15 exploit?
Re: fanthomatic eggdrop 1.6.15 exploit?
FIDe`, can you contact the admins of that shell and ask them to forward any info on that exploit, if there is one, and forward it to guppy privately?FIDe` wrote:today, logging in my outlandz.net shell account, I found this in MOTD:
|
|**NOTICE**
|
| "Eggdrop.1.6.15 is a bug trap. it creates new +n users. do NOT upgrade to it."
Its openly exploitable. |
|
|
|7/14/03
anyone knows about it..?
I hope it's a hoax.
tnx for answers
-
GodOfSuicide
- Master
- Posts: 463
- Joined: Mon Jun 17, 2002 8:00 pm
- Location: Austria
The only thing that comes in my mind about the +n thing is that some (l)users forgot to remove the learn users and/or the open telnets, I mean set them to 0 after they made theyr *first* account, when they are creating the userfile for the first time. Hope this is the *real* problem.. 
Once the game is over, the king and the pawn go back in the same box.
I have had a look at the problem reported, and so far am unable to replicate what has been shown.
So far, I have only generated 15 nickname likes those discribed in the report, so guess I might need to try further (500+ say).
There are however a few things to consider in what tests they conducted.
1: They removed scripts, due didn't restart the bot fully
2: Learn users (as sugested)
You should note to them, if they feel there are bugs, to present further and more clear evidance of what happened. It would help a lot if we knew exactly what nicknames and idents caused it to happen on there systems.
As for password sniffing. This is somthing that would also need to be elaborated further. I can name a few ways to sniff out password in eggdrop, but these are known, and are more a side effect of the debug process.
Scripts again can cause this. I have a bug in my own secure logging system that shows peoples passwords (it's still perfectly secure thank god).
While I am not going to deny outright that these issues do not exist, as there may be perfectly good explanations, they may be bugs they may be somthing else. The fact remains, what they presented was small and has obviously never been seen by the development team, there was also a lack of information (though there may be good grounds for that).
So far, I have only generated 15 nickname likes those discribed in the report, so guess I might need to try further (500+ say).
There are however a few things to consider in what tests they conducted.
1: They removed scripts, due didn't restart the bot fully
2: Learn users (as sugested)
You should note to them, if they feel there are bugs, to present further and more clear evidance of what happened. It would help a lot if we knew exactly what nicknames and idents caused it to happen on there systems.
As for password sniffing. This is somthing that would also need to be elaborated further. I can name a few ways to sniff out password in eggdrop, but these are known, and are more a side effect of the debug process.
Scripts again can cause this. I have a bug in my own secure logging system that shows peoples passwords (it's still perfectly secure thank god).
While I am not going to deny outright that these issues do not exist, as there may be perfectly good explanations, they may be bugs they may be somthing else. The fact remains, what they presented was small and has obviously never been seen by the development team, there was also a lack of information (though there may be good grounds for that).