Python

Supybot + Security

Christy

1 min read

To be fair, the latest supybot release (0.83.4.1) is from 2005 …

Since that release everything (as little as that is) happens in a git repository at SourceForge.

A list of what's wrong:

Anyone can crash Supybot:

Just do something like this:

!misc last --regexp m/(.*\w){500}/

You can't unload misc without editing the config.

or

!math calc factorial(9999999)

(you may unload that one though).

I heard these are also supposed to bring the host the bot is running on down. I haven't noticed something like that though.

Anyone can access network services via Supybot

Through nesting format cut and misc tell this should be possible (I haven't found a way yet).

Thus, if your supybot has Operator privileges anyone can abuse these.

Furthermore anyone can change the password of the user the bot is on.

Alternative

There is a fork of Supybot called Limnoria where these issues are fixed.

You don't have to worry about compatibility, as a supybot config is compatible with a Limnoria config.