linuxdcpp-team team mailing list archive

Thread
Date

[Bug 1030613] Re: Normal users can issue CMDs

To: linuxdcpp-team@xxxxxxxxxxxxxxxxxxx
From: Fredrik Ullner <ullner@xxxxxxxxx>
Date: Sun, 11 Aug 2013 00:11:27 -0000
Reply-to: Bug 1030613 <1030613@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

** Changed in: adchpp
   Importance: Undecided => High

-- 
You received this bug notification because you are a member of
Dcplusplus-team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1030613

Title:
  Normal users can issue CMDs

Status in ADCH++:
  Fix Released
Status in DC++:
  Confirmed

Bug description:
  Any client may send a CMD (only B-type tested) to the hub,
  distributing it to any user. If done in a bot, you can effectively
  send tens or hundreds of these, and a receiving client will be forced
  to manage them, thus potentially causing a DoS scenario.

  Generate the following user command in DC++ to test yourself;
  Command type: Raw
  Context: Hub menu
  Name: RogueCommand
  Command: BCMD %[mySID] Security\stest,\sbe\safraid TTHINF\sNIfoobar\n CT2
  Hub address: adc://

  (Above command should obviously be followed by a new line.)

  The hub should ignore any CMD originating from a user. Potentially
  allow CMDs from trusted users.

To manage notifications about this bug go to:
https://bugs.launchpad.net/adchpp/+bug/1030613/+subscriptions

References

[Bug 1030613] [NEW] Normal users can issue CMDs
From: Fredrik Ullner, 2012-07-29