nodejitsu / kohai

I am kohai. I am a pluggable irc bot for managing real-time data events.

Exploit with Newlines #43

Closed slickplaid closed 13 years ago

slickplaid commented 13 years ago

You can exploit the bot into running any command you want to by inserting a new line (say on twitter.com, \n does not work).

A tweet like this will cause the bot to quit: "This is a tweet: quit this is where my quit message will go"

A tweet like this will give ops to any user: "node.js is cool mode #kohai +o slicky"

Hopefully the linebreaks show up properly.

I'd recommend you remove chanserv access and/or deop any bots if they're running with any sort of privileges on your IRC server until this is patched. :)

AvianFlu commented 13 years ago

Whoa, thanks man. On it.

AvianFlu commented 13 years ago

Pull request pulled. Closing issue.
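
One way to close this class of bug, as an added example that is not part of the original issue and not kohai's actual patch: IRC frames one command per CR LF-terminated line, so relayed text has its line breaks neutralized before it is written to the socket. The function names and the sample tweet strings used with it are constructed for illustration.

```javascript
// Added example (hypothetical helper names): build a PRIVMSG from untrusted
// text, such as a relayed tweet, so it can never become more than one IRC line.

// IRC frames one command per line, terminated by CR LF. A CR or LF inside the
// relayed text would end the PRIVMSG early and start a new command.
const LINE_BREAKS = /[\r\n]+/g;
const OTHER_CONTROLS = /[\x00-\x1f\x7f]/g; // NUL, CTCP \x01, colour codes, DEL
const MAX_LINE_BYTES = 510;                // 512-byte line limit minus CR LF

// Collapse each run of line breaks into one space, drop remaining controls.
function sanitizeIrcText(untrusted) {
  return String(untrusted)
    .replace(LINE_BREAKS, ' ')
    .replace(OTHER_CONTROLS, '')
    .trim();
}

// A target (channel or nick) must not contain whitespace, commas or control
// bytes, and must not start with ':' (which would turn it into a trailing param).
function isValidTarget(target) {
  return typeof target === 'string' && /^(?!:)[^\s,\x00-\x1f\x7f]+$/.test(target);
}

// Returns exactly one wire line, or throws if the target is unsafe.
function buildPrivmsg(target, untrustedText) {
  if (!isValidTarget(target)) throw new Error('invalid IRC target');
  const prefix = `PRIVMSG ${target} :`;
  // Truncate by whole code points on a byte budget, so an over-long message
  // is shortened here rather than cut at an arbitrary byte by the server.
  const budget = MAX_LINE_BYTES - Buffer.byteLength(prefix);
  const chars = Array.from(sanitizeIrcText(untrustedText));
  while (Buffer.byteLength(chars.join('')) > budget) chars.pop();
  return prefix + chars.join('') + '\r\n';
}

// Number of commands a server would parse from what is about to be written.
function countWireLines(wire) {
  return wire.split(/\r\n|\r|\n/).filter((line) => line.length > 0).length;
}

// Constructed sample: a tweet containing a line break followed by a command.
const sample = 'This is a tweet:\nquit bye';
console.log(JSON.stringify(buildPrivmsg('#kohai', sample)));
console.log('wire lines:', countWireLines(buildPrivmsg('#kohai', sample)));
```

Applying the check at the single point where lines are written to the socket, rather than in each plugin, covers every data source the bot relays.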