View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0001567 | Anope Development (1.9.x series) | Nickserv | public | 2014-01-31 05:12 | 2014-01-31 12:44 |
Reporter | Techman | Assigned To | Adam |
Priority | high | Severity | tweak | Reproducibility | always |
Status | resolved | Resolution | fixed |
Platform | Linux | OS | Ubuntu Server |

Summary: 0001567: SASL auth allows you to use a GROUPED nick as your account name

Description: Anope 2.0 allows you to authenticate as a grouped nickname in your account. While this by itself isn't much of an issue (I think this does break SASL spec though), the issue here is that you are logged in as your grouped nick, not your account name like you should. This, of course, opens a big door for ban evasion based on account names, as well as breaking bots that would accept logged in WHOIS fields instead of having its own username+password system.

Steps To Reproduce:

1) Install InspIRCd 2.0.15 and Anope 2.0-rc3
2) Set it up
3) Register an account & make sure you can authenticate to it via SASL
4) Group a nick into your account
5) Reconnect with your client. MAKE SURE you change the account name for SASL from your account name, to your grouped nick
6) If your passwords match, you will be logged in as your grouped nick
7) As long as you don't /nick to your account name, you can ban evade R: bans (or other account name based bans on other IRCds), as well as break bots that rely on account names.

Additional Information: Tested on: InspIRCd 2.0.15 + Anope 2.0-rc3

Tags: No tags attached.
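
The identity mix-up described in this report, modelled as an added C++ example (not Anope's code and not the fix that was applied to this issue). `NickRegistry`, `login_as_supplied`, `login_canonical` and `account_banned` are hypothetical names, and the nicks used with them are constructed.

```cpp
#include <map>
#include <memory>
#include <set>
#include <string>

// Hypothetical model, not Anope's own types: one account owns several grouped nicks.
struct Account {
    std::string display;   // canonical account name
    std::string password;  // plaintext only to keep the sketch short; real services store a hash
};

class NickRegistry {
    std::map<std::string, std::shared_ptr<Account>> nicks_;  // nick -> owning account

    // Returns the owning account if the nick exists and the password matches.
    const Account* check(const std::string& authcid, const std::string& pw) const {
        auto it = nicks_.find(authcid);
        if (it == nicks_.end() || it->second->password != pw) return nullptr;
        return it->second.get();
    }

public:
    std::shared_ptr<Account> register_account(const std::string& name, const std::string& pw) {
        auto acc = std::make_shared<Account>(Account{name, pw});
        nicks_[name] = acc;
        return acc;
    }
    void group(const std::string& nick, const std::shared_ptr<Account>& acc) { nicks_[nick] = acc; }

    // Behaviour from the report: the login name is whatever authcid the client
    // sent, so a grouped nick becomes the account name seen by the network.
    std::string login_as_supplied(const std::string& authcid, const std::string& pw) const {
        return check(authcid, pw) ? authcid : std::string();
    }

    // Canonicalising variant: any grouped nick may authenticate, but the login
    // name is always the owning account's name. Empty string means failure.
    std::string login_canonical(const std::string& authcid, const std::string& pw) const {
        const Account* acc = check(authcid, pw);
        return acc ? acc->display : std::string();
    }
};

// Account-name ban check, as an IRCd extban or a bot's access list would apply it.
bool account_banned(const std::set<std::string>& bans, const std::string& login) {
    return !login.empty() && bans.count(login) > 0;
}
```

With a ban on the account name, the first variant reports the grouped nick and the ban check misses it; the second reports the account name regardless of which grouped nick was used to authenticate.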