Topic: BeBot v0.2.4 released (Security) (Update May21st)

Offline Khalem

BeBot v0.2.4 released (Security) (Update May21st)
« on: May 18, 2006, 09:51:39 pm »
This is a security release that addresses a directory traversal issue in the help module.
The issue was discovered by Somebotty @ irc.funcom.com and brought to my attention on May 18th.
In the course of the evening the vulnerability was properly identified, tested, and a fix applied and then tested.
While this may sound serious (and all directory traversal bugs are), it is mitigated by two factors.
- It is only possible to access .txt files through the HELP function.
- On Unix systems it is further mitigated by the user input being lowercased. As Unix systems are case sensitive, this makes it even harder to exploit.
There are no known ways to exploit this issue due to the mitigating factors, but nonetheless we are releasing a version with this bug fixed.

Changelog:
- Fixed directory traversal security issue in the HELP module.
  Thanks to Somebotty @ irc.funcom.com for discovery and notification.
- PHP split into a separate branch to conserve bandwidth and make download sizes more manageable.
- The log function has been changed so that if the second parameter is "Security" the event is logged
  to security.txt in the log directory and an alert is sent to guildchat or private group.

New modules:
- Replaced old Items.php with new module by Vhab.

Downloads
http://files.shadow-realm.org/bebot/BeBot_v0.2.4.tar.gz
http://files.shadow-realm.org/bebot/BeBot_v0.2.4.zip

The PHP bundle has been split into its own branch as it's only needed by Windows users, and it will generally be updated less often than the bot core.
http://files.shadow-realm.org/bebot/BeBot-php_v5.1.4.zip
« Last Edit: May 21, 2006, 05:08:41 am by Khalem »
BeBot Founder and Fixer Kingpin
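
The kind of check that closes a help-module traversal like the one described in the post above, as an added example (not BeBot's own code and not the actual fix in core/BotHelp.php). The function name, the one-directory layout of `<topic>.txt` files and the topic-name allowlist are assumptions.

```php
<?php
// Added example: hypothetical helper, not BeBot's BotHelp.php.
// Assumption: help topics live as <topic>.txt directly inside one directory.
function resolve_help_file(string $helpDir, string $topic): ?string
{
    $base = realpath($helpDir);
    if ($base === false) {
        return null; // help directory is missing
    }

    // Allowlist the topic name instead of trying to strip "bad" sequences.
    // Lowercasing is only normalisation here, not a defence.
    $topic = strtolower($topic);
    if (!preg_match('/\A[a-z0-9_-]{1,64}\z/', $topic)) {
        return null; // separators, dots, NUL bytes and empty names are rejected
    }

    // Canonicalise, then confirm the result is still under the help directory
    // (this also catches a symlink inside it that points elsewhere).
    $path = realpath($base . DIRECTORY_SEPARATOR . $topic . '.txt');
    if ($path === false || !is_file($path)) {
        return null;
    }
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// Constructed demo data: a throwaway help directory with one topic file.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'help_demo_' . getmypid();
mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'items.txt', "Usage: items <name>\n");

foreach (['items', 'Items', '../items', 'items.txt', 'missing'] as $t) {
    $r = resolve_help_file($dir, $t);
    printf("%-10s => %s\n", $t, $r === null ? 'not served' : basename($r));
}

unlink($dir . DIRECTORY_SEPARATOR . 'items.txt');
rmdir($dir);
```

The allowlist and the containment check are independent: either one alone stops a topic name from reaching a file outside the help directory, and keeping both means a later change to one does not reopen the hole.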

Offline Khalem

Re: BeBot v0.2.4 released (Security) (Update May21st)
« Reply #1 on: May 21, 2006, 05:10:59 am »
Please note that if you downloaded 0.2.4 before 3am UTC on May 21st, you will need to redownload the archive or replace core/BotHelp.php due to a typo that made it into this file, which would cause the bot to give a fatal error on startup.

http://svn.shadow-realm.org/index.py/BeBot/branches/0.2/core/BotHelp.php?revision=102
BeBot Founder and Fixer Kingpin
