[IRCServices] Bug in mode locked keys in 5.0.6
Craig Edwards
brain at brainbox.winbot.co.uk
Tue Dec 31 23:23:00 PST 2002
So no way to fix this? It's an effective way to steal a channel's key if the channel is not regularly used...
How about an option to put a pseudoclient into channels to hold their mode locks?
Right now we're just advising our users to avoid keys and stick to +i and access lists as it is much more secure.
>On Friday, Dec 27, 2002, at 18:25 US/Pacific, Craig Edwards wrote:
>
>> We've just discovered a bug in ircservices 5.0.6 where a channel can
>> be joined which has a key modelocked, and not only does it allow the
>> client to enter, it also shows them the key, if the room is empty.
>> In the following test, the channel is registered with the mode lock
>> "+ntk mykey", and is empty. Guest2088478498 is not on any access
>> lists for the channel.
>>
>> *** services.chatspike.net changes topic to '(ChanServ)'
>> *** ChanServ sets mode: +ntrk-o mykey Guest2088478498
>
>> A little discussion led us to think that a good fix for this would
>> be to treat keyed channels in the same way as +O channels, unless
>> the correct key is supplied in the JOIN raw, if +k is mode locked,
>> kick out the user before the locked modes and topic are set by
>> chanserv/services.*
>
>The key in the join command is not passed to other servers, so
>services would never receive it.
>
>-- Quension