[srvx-bugs] [ srvx-Bugs-1018708 ] Possible security bug with /msg chanserv say
From: SourceForge.net <no...@so...> - 2004-08-29 20:42:52
Bugs item #1018708, was opened at 2004-08-29 20:42
Message generated for change (Tracker Item Submitted) made by Item Submitter
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=403001&aid=1018708&group_id=31654

Category: ChanServ
Group: None
Status: Open
Resolution: None
Priority: 5
Submitted By: foxhunter1 (foxhunter1)
Assigned to: Zoot (zoot)
Summary: Possible security bug with /msg chanserv say

Initial Comment:
Reasons for problem:

1. All users can use the "/msg chanserv say #channel blah" command which will send a message to a channel as if it were said by chanserv.
2. Chanserv cannot be kicked as it is a network service.
3. There is no way to enforce restrictions on who can send the say command to chanserv (i.e. there is no way to limit access to say command to level 200, 300, 400, 500 through "/msg chanserv set" as there is for enfops. all users can always use the say command.)

Therefore causes this problem:

Results in possibility that a user could flood a channel via proxy of chanserv by sending repeated "/msg chanserv say #channel blah" messages. As chanserv will never be kicked for flooding (you can't kick a network service) the flood will continue.

Current solution:

Only current solution I'm aware of is for either a 300-500 ranked user or an ircop to use Xevents to see who is sending the say command to chanserv. If no 300-500 users are present, flood could occur and people wouldn't know who was sending the messages to chanserv.

Suggested solution:

Create a command to enforce restrictions on who can access the say command. (i.e. level 100 and above, for example).

-- foxhunter

----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=403001&aid=1018708&group_id=31654
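The restriction suggested in the report, as an added sketch that is not srvx code and not part of the original message: a per-channel minimum level for the relay command, plus an audit record naming the real sender. All struct, function and field names are hypothetical, and the rule that only level 500 may change the setting is an assumption.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical model, not srvx code. Levels follow the 100-500 scale
 * used in the report; 0 means "no access on this channel". */
struct channel { const char *name; unsigned say_min_level; };
struct user    { const char *nick; unsigned level; };

enum say_result { SAY_RELAYED, SAY_DENIED };

/* Per-channel setting, analogous to the existing "set" options the
 * report mentions. Assumption: only level 500 may change it. */
int set_say_level(struct channel *c, const struct user *by, unsigned level)
{
    if (by->level < 500 || level > 500)
        return -1;
    c->say_min_level = level;
    return 0;
}

/* Gate the relay on the caller's level and record who asked, so the
 * sender is identifiable even when the channel only sees the service. */
enum say_result service_say(const struct channel *c, const struct user *u,
                            const char *text,
                            char *out, size_t outlen,
                            char *audit, size_t auditlen)
{
    out[0] = '\0';
    if (u->level < c->say_min_level) {
        snprintf(audit, auditlen, "DENIED say %s by %s (level %u, need %u)",
                 c->name, u->nick, u->level, c->say_min_level);
        return SAY_DENIED;
    }
    snprintf(out, outlen, "PRIVMSG %s :%s", c->name, text);
    snprintf(audit, auditlen, "say %s by %s", c->name, u->nick);
    return SAY_RELAYED;
}

int main(void)
{
    /* Constructed sample data. */
    struct channel chan = { "#channel", 0 };   /* 0 = reported behaviour */
    struct user owner = { "owner", 500 }, guest = { "guest", 0 };
    char out[128], audit[128];

    set_say_level(&chan, &owner, 100);         /* the suggested fix */
    service_say(&chan, &guest, "blah", out, sizeof out, audit, sizeof audit);
    puts(audit);
    return 0;
}
```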