[ircd-ratbox] ratbox-services sql injection when using email

Lee H lee at leeh.co.uk
Sat Jun 28 09:19:49 UTC 2008


Hey,

ongeboren recently gave me a fix for a SQL injection issue within all 1.1.x
and 1.2.x versions of ratbox-services.  This issue can only be triggered
when the email functionality of ratbox-services is being used.

If you are using the email functionality, you should disable this until you
can upgrade, by altering the values within the email {}; block in
ratbox-services.conf.

I have done a security release of the deprecated 1.1.x branch, for those who
haven't yet upgraded to 1.2.x, along with a new 1.2.x release:

http://services.ircd-ratbox.org/download/ratbox-services-1.2.1.tgz
http://services.ircd-ratbox.org/download/old/ratbox-services-1.1.3.tgz


An audit seems to indicate no other potential issues, though I will look
into some additional checks to make these more difficult to abuse in 1.3.

Cheers,

-- 
-                 Lee H // anfl
-        I code, therefore I break things.