rmmh / skybot

Python IRC bot
https://github.com/rmmh/skybot/wiki
The Unlicense

possible LAN data leak. #66

Closed Red-M closed 11 years ago

Red-M commented 11 years ago

If any of you has made a plugin/factoid that allows users to input an http:// link or an IP/DNS hostname, make sure you check what addresses they're actually sending packets to if you're sending packets directly from the bot and not an external service (e.g. Google). If you are not, it is possible for an attacker to port scan your LAN via the bot using the plugin/factoid.

e.g.

I recommend that a censor for the /plugins/util/http.py plugin disallow these netmasked addresses:

- 192.168.0.0/16
- 172.16.0.0/16 to 172.31.0.0/16
- 10.0.0.0/8
- 127.0.0.0/8
- 169.254.0.0/16

As any of these IP addresses are LAN addresses and don't map to the internet, they shouldn't be queried at all, as they can leak LAN information on to the internet.

This will not affect you if you don't have a LAN connection on the running host of the bot (e.g. a VPS or similar that only has a direct internet connection and cannot in any way contact these addresses).

rmmh commented 11 years ago

Knowing what IP addresses are active on an internal network is generally not interesting.

Being able to do HTTP requests, perhaps getting titles and page content, might be an issue.

Actually filtering out those IPs would be annoying; there are many ways to represent each.

The skybot master branch doesn't have any plugins that do any requests to arbitrary addresses. I recommend against it in general.
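An added example (not skybot's own code) of the check Red-M proposes for a URL-fetching plugin, written so that rmmh's objection about the many spellings of an address is handled: the blocklist is applied to the addresses the hostname resolves to, not to the text the user typed. The blocked ranges are the ones listed in the issue (172.16.0.0/16 to 172.31.0.0/16 written as 172.16.0.0/12) plus IPv6 equivalents, which are my addition; `resolver` is injectable so the function can be exercised offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Ranges from the issue, plus IPv6 loopback/ULA/link-local (my addition).
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]


def resolve_host(host):
    """Return every IP address `host` resolves to, as canonical text.

    getaddrinfo normalises the odd numeric spellings a textual blocklist
    would miss ("127.1", "0x7f000001", "2130706433"), so the range check
    below always sees a plain dotted-quad or IPv6 string.
    """
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_blocked_address(addr_text):
    """True if the address falls in one of the non-routable ranges."""
    addr = ipaddress.ip_address(addr_text)
    if addr.version == 6 and addr.ipv4_mapped:  # e.g. ::ffff:10.0.0.1
        addr = addr.ipv4_mapped
    return any(addr in net for net in BLOCKED_NETWORKS)


def check_url(url, resolver=resolve_host):
    """Return (ok, reason) for a user-supplied URL before fetching it."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False, "only http(s) URLs with a host are allowed"
    try:
        addresses = resolver(parts.hostname)
    except (socket.gaierror, ValueError) as exc:
        return False, "cannot resolve %s: %s" % (parts.hostname, exc)
    for addr in addresses:
        if is_blocked_address(addr):
            return False, "%s resolves to %s, a non-routable address" % (
                parts.hostname, addr)
    return True, "ok"
```

The address that passes this check must also be the one the bot actually connects to; resolving once here and again inside the HTTP library leaves a window in which the DNS answer can differ.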