IRC-Junkie.org – IRC News

All about Internet Relay Chat

lightIRC v1.2.3 Build 101

As most already know, lightIRC is one of the most popular and widely used Flash clients on IRC to this date. It has support for multiple languages, CSS styling, and even a webcam!

The newest version of lightIRC, recently released on Feb. 16, 2012, has added the following features:

  • Added Arabian (ar) translation
  • Parameter showVerboseUserInformation (default false) adds ident and host information for joins, parts and quits
  • Parameter targetFrame (default “_blank”) lets you specify the target frame for clicked URLs in the chat area
  • Fix: Focus did jump to channel input if identify password popup was open
  • Fix: Space key did accept webcam requests while typing a message
  • Fix: Errors occurred if having webcam enabled without rtmfp parameter
  • Fix: webcamVideoOnly/webcamAudioOnly bug

lightIRC can be used for personal as well as commercial purposes; commercial use requires a special license. It can be easily used by all users no matter how IRC savvy they are. It can be hosted either by yourself or on the lightIRC servers.

The most recent version can be obtained Here.

For more information regarding lightIRC, Click Here.

Mac OS X IRC Client Textual Version 2.1 Hits AppStore

The OS X IRC client Textual just got released as version 2.1 in the Mac OS AppStore.

What began as a fork of LimeChat has quickly evolved into something very distinct and usable; usability was a main point of critique with the original.

Textual Mac OS X IRC Client

Textual’s feature set is really complete: themes, plugins and an extensive range of configuration options.

One neat feature is the inline display of graphics and YouTube video thumbnails so you know what you’re going to click on even before you click.

What really sets Textual apart from other clients on OS X is its stability – crashes and lockups are really few and far between, if any. Attaching to a bouncer with log-replay doesn’t take longer than a few seconds even for a channel # in the high double-digits.

Textual is fully Lion-compatible and also supports fullscreen IRCing so you’re no longer distracted by work when you’re chatting with your buddies ;)

Since 2.1 it supports SASL plaintext auth, IPv6, regular expression support for highlights and it already complies with Apple’s new sandboxing requirement for Apps distributed via the AppStore.

The client is a paid-for app and costs $4.99, is available as a Trial version and can even be built by yourself from source.

AppStore link: Textual

Changelog

Mibbit has been compromised

On August 14 a cracker group claiming to be “hackers” named HTP broke into Mibbit, the popular web chat client for IRC. According to their temporary “rescue” blog the break-in only affected their IRC network, their primary blog and their Wiki. NickServ passwords in clear text were released later the same day by HTP, as well as personal information regarding several staff members. Their IRC O-line passwords as well as their NickServ passwords, home addresses and phone numbers were published via a range of file hosting services and Pastebin.

Something perhaps even more concerning is that the group has revealed not only channel logs, but logs of private messages. It appears that Mibbit has been logging what people have said in PM to each other over their network. According to official statements, this was only a test. Some people have heard that Mibbit has been logging all messages going through their systems. Mibbit has never logged anything, unless a user wants to enable logging. The leaked message logs were captured by a staff member, and not by Mibbit’s system, according to official statements. While this is fully legal, the ethics of it have been questioned.

The web IRC client that can be used to connect to almost any other network, which is what made them famous, has not been affected. It is operating normally.

All NickServ passwords were stored in plain text, which raised concern among those interested and engaged in enforcing security. According to staff member pottsi, password hashing was not done because that “means sendpass and getpass would not work”. Another staff member, Joshua, claimed that password hashing was not done because it was too much work to convert all passwords. This has however proven to be incorrect, at least if they used a plain copy of Anope. In Anope’s module database, there is a module called enc_switchover. Using that module, it’s fairly easy to migrate from one encryption method, or none, to another. In addition to that, the Anope module ns_resetpass will allow users to reset their passwords despite encryption taking place.
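Both objections can be checked in a few lines. The following is an added example, not Anope's or Mibbit's code: it converts plaintext rows to salted PBKDF2 hashes in one pass and replaces password retrieval with a single-use reset token. The record layout, work factor, token lifetime and function names are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 100_000  # PBKDF2 work factor (assumed for this example)
RESET_TTL = 3600      # seconds a reset token stays valid (assumed policy)

def hash_password(password, salt=None):
    salt = salt or secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"scheme": "pbkdf2", "salt": salt.hex(), "hash": dk.hex()}

def verify(record, candidate):
    if record["scheme"] != "pbkdf2":
        return False  # never authenticate against a plaintext row
    dk = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                             bytes.fromhex(record["salt"]), ITERATIONS)
    return hmac.compare_digest(dk.hex(), record["hash"])

def migrate(db):
    """Hash every plaintext row in one pass; users do not have to log in."""
    converted = 0
    for nick, rec in db.items():
        if rec["scheme"] == "plain":
            db[nick] = {"email": rec["email"], **hash_password(rec["password"])}
            converted += 1
    return converted

def issue_reset(db, nick, now):
    token = secrets.token_urlsafe(32)  # mailed to the user, only its hash is kept
    digest = hashlib.sha256(token.encode()).hexdigest()
    db[nick]["reset"] = (digest, now + RESET_TTL)
    return token

def complete_reset(db, nick, token, new_password, now):
    digest, expires = db[nick].pop("reset", (None, 0))  # single use, even on failure
    if digest is None or now > expires:
        return False
    if not hmac.compare_digest(hashlib.sha256(token.encode()).hexdigest(), digest):
        return False
    db[nick].update(hash_password(new_password))
    return True

def sample_db():
    # Constructed sample rows, not data from the incident.
    return {
        "alice": {"scheme": "plain", "password": "hunter2", "email": "alice@example.org"},
        "bob": {"scheme": "plain", "password": "correct horse", "email": "bob@example.org"},
    }
```

After `migrate()` the store no longer contains any recoverable password, so a later leak of the database exposes salted hashes only.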

Many people, especially IRC administrators, are now questioning Mibbit’s reliability and some are considering blocking access from the web service, just like one of the largest networks, freenode, did a couple of years ago. This is mainly due to the question of whether they log messages there too, which would go against many networks’ policies.

The Mibbit team is now working very hard to bring all services back up again. At the time of writing, ChanServ and NickServ on their network are down and staff members are forced to use /samode if they need to get op. They advise everyone who had a NickServ account registered in April or earlier this year to change their password.

  Copyright secured by Digiprove

ii – A Filesystem-based IRC Client

There are many different IRC clients out there and no matter what your preferences are, you’re almost guaranteed to find one that will suit your needs.

Most clients today provide some sort of graphical user interface or come with an ASCII-based interface. And while the latter, CLI-based clients, are commonly thought to be the most basic variant of an IRC client, I was surprised to find a client that manages to be even more plain: ii or IRC IT.

ii is a “minimalist FIFO and filesystem-based IRC client”, meaning every channel, private message and other server communication is represented by a directory containing an in and an out file.

Even though its source code is just under 500 lines, it supports the most basic commands like joining and parting, changing nickname and setting topics. All other commands currently not understood by ii can be written as per the RFC and will then get sent directly to the server.

Using standard Linux/Unix commandline-tools like echo, cat, tail and grep you can control IRC IT which almost behaves like a normal IRC client then.

Join a channel? Sure, just echo "/j #yourchannelname" > servernamedir/in and you’ll join that channel, creating an out file you can monitor with tail -f.

ii Channelview

After a little while, your directory structure will look like this:

ii Treeview

Users of the vim editor who always looked enviously at the Emacs editor because of its built-in IRC client ERC – fret not: This blog-post details how to configure vim to be used as an IRC client in combination with ii.

So if you feel like trying something new, grab ii from here and after a fast and hassle-free compiler-run you’re up and running – Who knows, maybe you’ve got a favourite new IRC client?


KVIrc 3.x and 4.x Remote Command Execution Vulnerability

All current versions of the KVIrc IRC client contain a remotely exploitable command execution vulnerability, including builds of KVIrc 4 from subversion up to revision 4692 as well as the older 3.x versions.

The bug, triggered by inserting carriage returns (\r) into DCC GET commands, can be used to execute every command the IRCd understands in the context of the user running the vulnerable client instance.

To check if your version is exploitable you can either take a look at the “About KVIrc” tab under “Help” and check the revision or execute the following command on IRC:

/echo $version

To make matters worse, whole channels can be exploited at once if they don’t have a mode set that disallows CTCPing them.

A quick workaround is to execute the following command, which prevents those “failed” DCC handshakes from being notified and thereby disables the bug:

/option boolNotifyFailedDccHandshakes 0

To see if you’ve already been exploited you can take a look in your server window and search for lines that look similar to these:

[01:27:46] Processing DCC GET PRIVMSG #kvirc :I’m owned
request from ATTACKER [ATTACKER@HOSTNAME] (DCC GET\rPRIVMSG\40#kvirc\40:I’m\40owned\r)
[01:27:46] Unable to process the above request: Unknown DCC type ‘GET PRIVMSG #KVIRC :I’M OWNED ‘, Ignoring and notifying failure
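A small scanner for the indicator shown above, as an added example that is not part of the original post or of KVIrc. It assumes the server window has been saved to a text log in the message format of the excerpt; `scan_log` and the sample entries are constructed for the illustration.

```python
import re

# Message format taken from the log excerpt above. Quote characters may be
# straight or typographic depending on how the log was copied.
UNKNOWN_DCC = re.compile(
    r"^\[(?P<ts>[\d:]+)\]\s+Unable to process the above request: "
    r"Unknown DCC type\s+['‘’](?P<type>.*)['‘’]\s*,\s*Ignoring",
    re.IGNORECASE,
)

# Constructed sample: entry 1 mirrors the excerpt, entry 2 has the raw CR
# bytes written into the file, entry 3 is a harmless unknown DCC type.
SAMPLE_LOG = (
    "[01:27:46] Unable to process the above request: Unknown DCC type "
    "‘GET PRIVMSG #KVIRC :I’M OWNED ‘, Ignoring and notifying failure\n"
    "[02:10:03] Unable to process the above request: Unknown DCC type "
    "'GET\rPRIVMSG #TEST :X\r', Ignoring and notifying failure\n"
    "[02:11:40] Unable to process the above request: Unknown DCC type "
    "'XMIT', Ignoring and notifying failure\n"
)

def scan_log(text):
    """Return (timestamp, trailing_text) for DCC types that carry extra text."""
    hits = []
    # A raw CR inside an entry would split it in most viewers; fold it to a
    # space so the entry is matched as one line.
    normalized = text.replace("\r\n", "\n").replace("\r", " ")
    for line in normalized.split("\n"):
        m = UNKNOWN_DCC.match(line.strip())
        if not m:
            continue
        tokens = m.group("type").split()
        # A genuine DCC type is a single word. Anything after it is the text
        # that followed the embedded carriage return.
        if len(tokens) > 1:
            hits.append((m.group("ts"), " ".join(tokens[1:])))
    return hits

if __name__ == "__main__":
    for ts, trailing in scan_log(SAMPLE_LOG):
        print(f"{ts}  suspicious DCC type, trailing text: {trailing}")
```

Any hit means a DCC request with embedded text reached the client; whether it was acted on depends on the client version and on the workaround setting above.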

Updated builds of KVIrc are available on their homepage – some distributions also already have updated builds in their repository. If you can’t update because your distribution is not among the ones with updated builds, the workaround helps you not to fall prey to any possible attackers.

Original report on KVIrc bugtracker
Advisory on Secunia.com
