Bugtraq mailing list archives

Re: Bug in IRC services


From: davids () WEBMASTER COM (David Schwartz)
Date: Fri, 12 Mar 1999 17:49:05 -0800


I think Dalnet and other networks use the same services so if they could be exploitable too.

        No.

        DALnet's services uses a 'services identifier', which is a unique
identifier assigned to each client when they connect to the IRC network.
Unless DALnet's services can confirm your services identifier, you will not
get any identify-based privileges.

        I'd go into more detail as to exactly how this works, but DALnet's services
is proprietary to the DALnet IRC Network, and I'm not allowed to discuss its
security features publicly. But suffice it to say that on DALnet, this
should be impossible by explicit design.

        I find it hard to believe that any IRC network would fail as you described.
People change nicknames all the time on an IRC network, and it would be
literally moronic to use the nickname in an access check. (No offense
intended to the specific network you mentioned.)

        David Schwartz (JoelKatz)
        Coding Director
        DALnet
        <JoelKatz () dal net>
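
An added illustration of the design point in the message above, not DALnet's code (which the message says is proprietary): a toy Python model contrasting an access check keyed on the nickname with one keyed on a per-connection identifier. The class, its method names, the sample nicknames and the random identifier format are all assumptions made for this example.

```python
import secrets

class ToyServices:
    """Constructed model of IRC services state; hypothetical, for illustration only."""

    def __init__(self):
        self.nick_of = {}               # connection id -> current nickname
        self.identified_nicks = set()   # weak design: privilege recorded against a name
        self.identified_ids = {}        # bound design: privilege recorded against the connection

    def connect(self, nick):
        cid = secrets.token_hex(8)      # unique identifier assigned at connect time (assumed format)
        self.nick_of[cid] = nick
        return cid

    def identify(self, cid, account):
        # Password verification is out of scope here; assume it succeeded for `account`.
        self.identified_nicks.add(self.nick_of[cid])
        self.identified_ids[cid] = account

    def change_nick(self, cid, new_nick):
        self.nick_of[cid] = new_nick    # the connection identifier does not change

    def privileged_by_nick(self, cid):
        # Weak check: trusts whoever currently holds an identified name.
        return self.nick_of[cid] in self.identified_nicks

    def privileged_by_id(self, cid):
        # Bound check: trusts only the connection that actually identified.
        return cid in self.identified_ids

def demo():
    svc = ToyServices()
    owner = svc.connect("alice")            # constructed sample nicknames
    svc.identify(owner, "alice")
    svc.change_nick(owner, "alice_away")    # owner renames, freeing the old nick
    other = svc.connect("alice")            # a different client takes the freed nick
    return {
        "weak_other_client": svc.privileged_by_nick(other),
        "weak_owner_after_rename": svc.privileged_by_nick(owner),
        "bound_other_client": svc.privileged_by_id(other),
        "bound_owner_after_rename": svc.privileged_by_id(owner),
    }

if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The nickname-keyed check fails in both directions after a rename (the owner loses access, the new holder of the name gains it), while the identifier-keyed check follows the connection.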


