BeBot - An Anarchy Online and Age Of Conan chat automaton

General => News => Topic started by: Khalem on May 18, 2006, 09:51:39 pm

Title: BeBot v0.2.4 released (Security) (Update May21st)
Post by: Khalem on May 18, 2006, 09:51:39 pm
This is a security release that addresses a directory traversal issue in the help module.
The issue was discovered by Somebotty @ irc.funcom.com and brought to my attention on May 18th.
In the course of the evening the vulnerability was properly identified, tested, and a fix applied and then tested.
While this may sound serious (and all directory traversal bugs are) it is mitigated by two factors.
- It is only possible to access .txt files through the HELP function
- On Unix systems it is further mitigated by the user input being lowercased. As Unix systems are case sensitive this makes it even harder to exploit.
There are no known ways to exploit this issue due to the mitigating factors, but nonetheless we are releasing a version with this bug fixed.

Changelog:
- Fixed directory traversal security issue in the HELP module.
  Thanx to Somebotty @ irc.funcom.com for discovery and notification.
- PHP split into a separate branch to conserve bandwidth and make download sizes more manageable.
- The log function has been changed so that if the second parameter is "Security" the event is logged
  to security.txt in the log directory and an alert is sent to guildchat or private group.

New modules:
- Replaced old Items.php with new module by Vhab.

Downloads
http://files.shadow-realm.org/bebot/BeBot_v0.2.4.tar.gz
http://files.shadow-realm.org/bebot/BeBot_v0.2.4.zip

The php bundle has been split into its own branch as it's only needed by windows users, and it will generally be updated less often than the bot core.
http://files.shadow-realm.org/bebot/BeBot-php_v5.1.4.zip
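
Added example, not part of the post above and not BeBot's own code: a help-topic lookup that keeps the two mitigations the announcement lists (lowercased input, forced .txt suffix) and adds the actual fix for this class of bug, an allowlist on the topic name plus a containment check on the resolved path. The function name resolve_help_topic(), the directory layout and the sample topics are assumptions made for illustration.

```php
<?php
// Hypothetical help-topic resolver for illustration; not taken from BotHelp.php.

function resolve_help_topic(string $helpDir, string $topic): ?string
{
    // The mitigations named in the post: input is lowercased and ".txt" is forced.
    $topic = strtolower(trim($topic));

    // Allowlist: a topic is a single short name, never a path fragment.
    if (!preg_match('/\A[a-z0-9_-]{1,32}\z/', $topic)) {
        return null;
    }

    $base = realpath($helpDir);
    if ($base === false) {
        return null; // help directory missing or unreadable
    }

    // realpath() resolves "..", "." and symlinks, and fails if the file is absent.
    $path = realpath($base . DIRECTORY_SEPARATOR . $topic . '.txt');

    // Containment: the resolved file must sit directly inside the help directory.
    if ($path === false || dirname($path) !== $base || !is_file($path)) {
        return null;
    }
    return $path;
}

// Constructed demo data: one real help topic and one .txt file outside the help dir.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'helpdemo_' . bin2hex(random_bytes(4));
mkdir($root . DIRECTORY_SEPARATOR . 'help', 0700, true);
file_put_contents($root . '/help/items.txt', "Usage: items <name>\n");
file_put_contents($root . '/notes.txt', "not a help file\n");

// Constructed inputs: valid topic, mixed case, path fragments, suffix supplied, empty.
foreach (['items', 'ITEMS', '../notes', '..\\notes', 'items.txt', ''] as $input) {
    $result = resolve_help_topic($root . '/help', $input);
    printf("%-14s => %s\n", json_encode($input), $result === null ? 'rejected' : basename($result));
}

// Remove the demo files again.
unlink($root . '/help/items.txt');
unlink($root . '/notes.txt');
rmdir($root . '/help');
rmdir($root);
```

Only the first two inputs resolve to items.txt; the rest are rejected by the allowlist before any filesystem access, and the dirname() comparison covers the remaining case of a symlink inside the help directory that points elsewhere.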

Title: Re: BeBot v0.2.4 released (Security) (Update May21st)
Post by: Khalem on May 21, 2006, 05:10:59 am
Please note that if you downloaded 0.2.4 before 3am UTC on May 21st you will need to redownload the archive or replace core/BotHelp.php due to a typo that made it into this file which would cause the bot to give a fatal error on startup.

http://svn.shadow-realm.org/index.py/BeBot/branches/0.2/core/BotHelp.php?revision=102