Bugtraq will not let me sign up for an account, it gives php errors, and i have a bug to report.
I wont describe it in detail here, because I don't think i am supposed to, but there is a way for a normal user, (non-oper), to see the nicks of all people and/or bots on a channel that is set +u. I assumed that this is a pretty bad bug, as one of the main reasons of a +u channel is to hide the nicks of clients. Please, some1 on the devel team, respond to this with a pm or some login info for bugtraq so I may show somebody the specifics.
Thanx in advance,
nkarki7
Bugtracker not working and Security issue with 3.2.....
-
codemastr
- Former UnrealIRCd head coder
- Posts: 811
- Joined: Sat Mar 06, 2004 8:47 pm
- Location: United States
- Contact:
[email protected] is the list that only the coders receive. So that would be the best place to send any info. However, from what you described, I wouldn't really term this a security bug. The main reason of +u is to prevent side-conversations, not really to hide the user's identities. In theory, you could learn everyone in the channel simply by staying there long enough until everyone has said something.
-- codemastr
Forgot to mention
Also, this will work on channels that are +m, so even if the users cannot speak you can find out who they are.
Well, I sorta feel stupid now, but if ne1 still wants the info just lemme know.........
Well, I sorta feel stupid now, but if ne1 still wants the info just lemme know.........
As mentioned, +u's purpose is not to hide everyone for security reasons or whatever.
Rather, it doesn't show join/parts to normal users (and thus also not quits, nickchanges, bla..).
It's made for celebrity chat alike things or other semi-one-way chats (like I've a news channel which is +mu where a bot posts news).. it's more like not to show useless join/parts.
I mean, if you for example /whois someone you'll simply see that (s)he's in the chan :).
Rather, it doesn't show join/parts to normal users (and thus also not quits, nickchanges, bla..).
It's made for celebrity chat alike things or other semi-one-way chats (like I've a news channel which is +mu where a bot posts news).. it's more like not to show useless join/parts.
I mean, if you for example /whois someone you'll simply see that (s)he's in the chan :).
Ah you ment the bugracker? http://bugs.unrealircd.org/ ?
If you tried to register with 'nkarki7', then that account already exists.. Try another username. (lost pass? ;p)
If you tried to register with 'nkarki7', then that account already exists.. Try another username. (lost pass? ;p)
Yup, bugtraq
Yeah, i tried to sign up with that name, and when i clicked ok on the form, it spat out php errors at me, so i never got a conformation email.....
see below...
This is the result of me entering a desired name and an email addy:
--------------------------------------
UnrealIRCd Bug Tracker
Warning: Cannot modify header information - headers already sent by (output started at /home/bugs/public_html/core/html_api.php:139) in /home/bugs/public_html/core/gpc_api.php on line 220
Warning: Cannot modify header information - headers already sent by (output started at /home/bugs/public_html/core/html_api.php:139) in /home/bugs/public_html/core/print_api.php on line 37
Warning: Cannot modify header information - headers already sent by (output started at /home/bugs/public_html/core/html_api.php:139) in /home/bugs/public_html/core/print_api.php on line 39
Warning: Cannot modify header information - headers already sent by (output started at /home/bugs/public_html/core/html_api.php:139) in /home/bugs/public_html/core/print_api.php on line 44
see below...
This is the result of me entering a desired name and an email addy:
--------------------------------------
UnrealIRCd Bug Tracker
Warning: Cannot modify header information - headers already sent by (output started at /home/bugs/public_html/core/html_api.php:139) in /home/bugs/public_html/core/gpc_api.php on line 220
Warning: Cannot modify header information - headers already sent by (output started at /home/bugs/public_html/core/html_api.php:139) in /home/bugs/public_html/core/print_api.php on line 37
Warning: Cannot modify header information - headers already sent by (output started at /home/bugs/public_html/core/html_api.php:139) in /home/bugs/public_html/core/print_api.php on line 39
Warning: Cannot modify header information - headers already sent by (output started at /home/bugs/public_html/core/html_api.php:139) in /home/bugs/public_html/core/print_api.php on line 44
Like I said.. try another username :).
I've already notified the mantis team a few months ago about this, so I presume it will be fixed in a next version.
During previous upgrade I manually patched it, but not this time.
[sorry aquanight but your post was really offtopic and it didn't make sence to tell it to either of us ;p]
I've already notified the mantis team a few months ago about this, so I presume it will be fixed in a next version.
During previous upgrade I manually patched it, but not this time.
[sorry aquanight but your post was really offtopic and it didn't make sence to tell it to either of us ;p]
