[ircd-ratbox] ratbox-services sql injection when using email

Lee H lee at leeh.co.uk
Sat Jun 28 09:19:49 UTC 2008


ongeboren recently gave me a fix for a SQL injection issue within all 1.1.x
and 1.2.x versions of ratbox-services.  This issue can only be triggered
when the email functionality of ratbox-services is being used.

If you are using the email functionality, you should disable this until you
can upgrade, by altering the values within the email {}; block in

I have done a security release of the deprecated 1.1.x branch, for those who
haven't yet upgraded to 1.2.x, along with a new 1.2.x release:


An audit seems to indicate no other potential issues, though I will look
into some additional checks to make these more difficult to abuse in 1.3.


-                 Lee H // anfl
-        I code, therefore I break things.