View Issue Details

ID: 0001567
Project: Anope Development (1.9.x series)
Category: Nickserv
View Status: public
Last Update: 2014-01-31 12:44
Reporter: Techman
Assigned To: Adam
Priority: high
Severity: tweak
Reproducibility: always
Status: resolved
Resolution: fixed
Platform: Linux
OS: Ubuntu Server
Summary: 0001567: SASL auth allows you to use a GROUPED nick as your account name
Description: Anope 2.0 allows you to authenticate as a grouped nickname in your account. While this by itself isn't much of an issue (I think this does break SASL spec though), the issue here is that you are logged in as your grouped nick, not your account name like you should.

This, of course, opens a big door for ban evasion based on account names, as well as breaking bots that would accept logged in WHOIS fields instead of having its own username+password system.
Steps To Reproduce:
1) Install InspIRCd 2.0.15 and Anope 2.0-rc3
2) Set it up
3) Register an account & make sure you can authenticate to it via SASL
4) Group a nick into your account
5) Reconnect with your client. MAKE SURE you change the account name for SASL from your account name, to your grouped nick
6) If your passwords match, you will be logged in as your grouped nick
7) As long as you don't /nick to your account name, you can ban evade R: bans (or other account name based bans on other IRCds), as well as break bots that rely on account names.
Additional Information: Tested on:
InspIRCd 2.0.15 + Anope 2.0-rc3
Tags: No tags attached.

Activities

Adam

2014-01-31 12:44

administrator   ~0006586

Fixed in 405b41ec87d5068821ce065f1d3def307184051e
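
An added illustration of the behaviour reported above, next to a login path that resolves a grouped nick to its account before reporting the login. It is not Anope's code and not the referenced commit; `NickStore`, its methods, and the sample names and password are hypothetical.

```cpp
#include <iostream>
#include <map>
#include <set>
#include <string>

// Hypothetical model, not Anope's classes: each registered nick points at one
// account. Case folding and password hashing are omitted to keep this short.
class NickStore {
    std::map<std::string, std::string> password_;  // account name -> password
    std::map<std::string, std::string> owner_;     // nick -> account name
    // Returns the owning account name if nick exists and pass matches, else "".
    std::string verify(const std::string& nick, const std::string& pass) const {
        auto o = owner_.find(nick);
        if (o == owner_.end()) return std::string();
        auto p = password_.find(o->second);
        return (p != password_.end() && p->second == pass) ? o->second : std::string();
    }
public:
    void register_account(const std::string& nick, const std::string& pass) {
        password_[nick] = pass;
        owner_[nick] = nick;
    }
    void group(const std::string& nick, const std::string& account) { owner_[nick] = account; }
    // Behaviour described in the report: the name supplied over SASL is
    // echoed back as the logged-in account, even when it is a grouped nick.
    std::string login_as_reported(const std::string& authcid, const std::string& pass) const {
        return verify(authcid, pass).empty() ? std::string() : authcid;
    }
    // Hardened: authenticate via the alias, but always report the account name.
    std::string login_canonical(const std::string& authcid, const std::string& pass) const {
        return verify(authcid, pass);
    }
};

// Constructed sample data: account "alice" with grouped nick "alice_away".
NickStore sample_store() {
    NickStore s;
    s.register_account("alice", "s3cret");
    s.group("alice_away", "alice");
    return s;
}

int main() {
    const std::set<std::string> banned = {"alice"};  // account-name ban list
    const NickStore s = sample_store();
    for (const std::string& who : {s.login_as_reported("alice_away", "s3cret"),
                                   s.login_canonical("alice_away", "s3cret")})
        std::cout << who << (banned.count(who) ? ": ban matches\n" : ": ban missed\n");
}
```

Anything that keys on the account name (ban lists, bots reading the logged-in WHOIS field) only sees a stable identity when the login path reports the resolved account rather than the name the client supplied.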

Issue History

Date Modified Username Field Change
2014-01-31 05:12 Techman New Issue
2014-01-31 12:44 Adam Note Added: 0006586
2014-01-31 12:44 Adam Status new => resolved
2014-01-31 12:44 Adam Resolution open => fixed
2014-01-31 12:44 Adam Assigned To => Adam