linuxdcpp-team team mailing list archive

[Bug 1030613] Re: Normal users can issue CMDs

 

Added DC++ to the report since DC++ doesn't overwrite the command but
keeps adding it.

** Also affects: dcplusplus
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of
Dcplusplus-team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1030613

Title:
  Normal users can issue CMDs

Status in ADCH++:
  Fix Committed
Status in DC++:
  New

Bug description:
  Any client may send a CMD (only B-type tested) to the hub,
  distributing it to any user. If done in a bot, you can effectively
  send tens or hundreds of these, and a receiving client will be forced
  to manage them, thus potentially causing a DoS scenario.

  Generate the following user command in DC++ to test yourself:
  Command type: Raw
  Context: Hub menu
  Name: RogueCommand
  Command: BCMD %[mySID] Security\stest,\sbe\safraid TTHINF\sNIfoobar\n CT2
  Hub address: adc://

  (Above command should obviously be followed by a new line.)

  The hub should ignore any CMD originating from a user. Potentially
  allow CMDs from trusted users.

To manage notifications about this bug go to:
https://bugs.launchpad.net/adchpp/+bug/1030613/+subscriptions
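
A hub-side filter for the behaviour the report asks for, as an added example that is not ADCH++'s code or the fix that was committed: it ignores CMD from untrusted connections for every message type, not only the B type the report tested, and disconnects a connection that keeps sending them. `Session`, `filterClientLine`, `parseHeader`, `kMaxRejectedCmds` and its value of 10 are assumptions made for illustration.

```cpp
#include <cctype>
#include <iostream>
#include <string>

enum class Action { Forward, Drop, Disconnect };

// Hypothetical per-connection state; not ADCH++'s own client class.
struct Session {
    bool trusted = false;      // e.g. operator or hub-registered bot
    unsigned rejectedCmds = 0; // CMD lines refused on this connection
};
// Assumed threshold: a client that keeps sending CMD is treated as a flooder.
constexpr unsigned kMaxRejectedCmds = 10;

// An ADC line starts with a 4-byte header: one message-type character
// followed by a three-character command name (e.g. "BCMD", "DCMD").
static bool parseHeader(const std::string& line, char& type, std::string& name) {
    if (line.size() < 4) return false;
    if (line.size() > 4 && line[4] != ' ' && line[4] != '\n') return false;
    type = line[0];
    name = line.substr(1, 3);
    if (std::string("BCDEFHIU").find(type) == std::string::npos) return false;
    if (!std::isupper(static_cast<unsigned char>(name[0]))) return false;
    for (char c : name) {
        const unsigned char uc = static_cast<unsigned char>(c);
        if (!std::isupper(uc) && !std::isdigit(uc)) return false;
    }
    return true;
}

// Decide what the hub does with one line received from a client connection.
Action filterClientLine(Session& from, const std::string& line) {
    char type = 0;
    std::string name;
    if (!parseHeader(line, type, name)) return Action::Drop;
    // Checked for every message type, not only the B type the report
    // tested, so DCMD/ECMD/FCMD cannot be used to route around the filter.
    if (name == "CMD" && !from.trusted) {
        if (++from.rejectedCmds > kMaxRejectedCmds) return Action::Disconnect;
        return Action::Drop;
    }
    return Action::Forward;
}

int main() {
    Session user; // constructed sample: the report's line with a made-up SID "AAAB"
    const std::string line = "BCMD AAAB Security\\stest,\\sbe\\safraid TTHINF\\sNIfoobar\\n CT2\n";
    std::cout << (filterClientLine(user, line) == Action::Drop ? "dropped" : "forwarded") << "\n";
}
```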

