This is a security release that addresses a directory traversal issue in the help module.
The issue was discovered by Somebotty @ irc.funcom.com and brought to my attention on May 18th.
In the course of the evening the vulnerability was properly identified, tested, and a fix applied and then tested.
While this may sound serious (and all directory traversal bugs are) it is mitigated by two factors.
- It is only possible to access .txt files through the HELP function.
- On Unix systems it is further mitigated by the user input being lowercased. As Unix systems are case-sensitive, this makes it even harder to exploit.
There are no known ways to exploit this issue due to the mitigating factors, but nonetheless we are releasing a version with this bug fixed.
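A hardened help-file lookup of the kind the HELP module needs, as an added example rather than BeBot's own code; the function name, `$helpDir` and the layout of one lowercase .txt file per topic are assumptions. It combines the two mitigations above (lowercasing and the fixed .txt suffix) with an allowlist on the topic name and a realpath containment check, so the fix no longer depends on the file system being case-sensitive.

```php
<?php
// Added example, not BeBot's own code: a HELP-file lookup that cannot
// leave the help directory. Assumes help topics are stored as lowercase
// *.txt files directly under $helpDir (both names are assumptions).

function resolve_help_file(string $helpDir, string $topic): ?string
{
    // Mirror the bot's Unix behaviour and lowercase the request first.
    $topic = strtolower(trim($topic));

    // Allowlist the topic name: letters, digits, '_' and '-' only.
    // '/', '\\' and '.' are excluded, so ".." and nested paths never form.
    if (!preg_match('/^[a-z0-9_-]{1,32}$/', $topic)) {
        return null;
    }

    $base = realpath($helpDir);
    if ($base === false) {
        return null;
    }

    // Defence in depth: resolve the final path (following symlinks) and
    // confirm it is still below $base before it is ever opened.
    $real = realpath($base . DIRECTORY_SEPARATOR . $topic . '.txt');
    if ($real === false || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

// Self-check against a constructed help directory in the system temp dir.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'bebot_help_' . getmypid();
mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'items.txt', "Usage: !items <name>\n");

$found    = resolve_help_file($dir, 'Items');        // found after lowercasing
$missing  = resolve_help_file($dir, 'nosuchtopic');  // null: no such file
$rejected = resolve_help_file($dir, '../outside');   // null: fails the allowlist

assert($found === realpath($dir . DIRECTORY_SEPARATOR . 'items.txt'));
assert($missing === null && $rejected === null);
echo "help lookup checks passed\n";

unlink($dir . DIRECTORY_SEPARATOR . 'items.txt');
rmdir($dir);
```

A rejected lookup is a good candidate for the new "Security" log channel described in the changelog, so that attempts are visible to the guild rather than silently dropped.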
Changelog:
- Fixed directory traversal security issue in the HELP module.
Thanks to Somebotty @ irc.funcom.com for discovery and notification.
- PHP split into a separate branch to conserve bandwidth and make download sizes more manageable.
- The log function has been changed so that if the second parameter is "Security" the event is logged
to security.txt in the log directory and an alert is sent to guildchat or private group.
New modules:
- Replaced old Items.php with new module by Vhab.
Downloads:
http://files.shadow-realm.org/bebot/BeBot_v0.2.4.tar.gz
http://files.shadow-realm.org/bebot/BeBot_v0.2.4.zip
The PHP bundle has been split into its own branch as it is only needed by Windows users, and it will generally be updated less often than the bot core.
http://files.shadow-realm.org/bebot/BeBot-php_v5.1.4.zip