View Issue Details

IDProjectCategoryView StatusLast Update
0001617Anope Stable (2.0.x series)Generalpublic2014-10-09 23:46
Reporteralefburzmali Assigned ToRobby  
Status resolvedResolutionfixed 
Summary0001617: Default DEFCON settings do not require any permission
DescriptionIn operserv.example.conf, the operserv/defcon command is the only command definition to not require a corresponding permission to be executed. If the command is enabled without paying careful attention, anyone who can access OperServ can use the defcon command.

The default configuration should set a "operserv/defcon" permission like every other OperServ commands.
Additional InformationThe command is disabled by default, so it must be enabled to be abused. Moreover, the "opersonly = yes" default setting restrict its access to opers only.

However, anyone with an o:line and a registered nick can execute defcon, even if he is not a services oper. If opersonly is set to "no", any registered user can access it.
TagsNo tags attached.



2014-10-09 23:40

manager   ~0006659

Thanks for reporting. Fixed in commit 0991d4e1998c5a87c8deb3f9460685eed0212160.

Issue History

Date Modified Username Field Change
2014-10-09 16:17 alefburzmali New Issue
2014-10-09 23:40 Robby Note Added: 0006659
2014-10-09 23:46 Robby Status new => resolved
2014-10-09 23:46 Robby Resolution open => fixed
2014-10-09 23:46 Robby Assigned To => Robby