– IRC News

All about Internet Relay Chat

IRCServices 5.1.16 released

Andrew Church releases version 5.1.16 of the IRCServices services package.

Changes in this release have been made to the SUSPEND command to honor the NSSecureAdmins option and the option NoAdminPasswordCheck has been added to disable password strength checks when Services administrators use SET PASSWORD or ChanServ REGISTER.

The downloads are available from (Japan) (Western USA)

a20be096e427d9c904b99890a14f8349  ircservices-5.1.16.tar.gz
1f087d6d9efaf00eae12842d64f9609b  ircservices-5.1.16.diff.gz
8d0202e2d8fd7d7c7825775de98f52e1  ircservices-5.1.16-1.i386.rpm
f5d98bf470546936d19a91f41af7e3e6  ircservices_5.1.16-1_i386.deb

phpDenora version 1.4.0 is out

The Denora project releases 1.4.0 of phpDenora which is according to Hal9000 mainly a bugfix release “with some changes to the core like utf-8 support”.

Now if you are wondering why there is nothing really new to see in this release, the explanation simply is that phpDenora2 is on the way and it would be a waste of time to dedicate any energy in making substantial changes to phpDenora 1.x. And fear not, an alpha preview release will be available sometime next month.

The changes that have been introduced “require Denora 1.4 and PHP 5.2.” and Hal9000 urges to “read the new System Requirements and the upgrade instructions carefully on the download page.”

Also the website has been revamped and is worth a look :)

phpDenora fixes XSS vulnerability

After getting notified about a Cross-site scripting vulnerability in phpDenora irc-junkie quickly tried to get in touch with the project.

The vulnerability – which generally can be used to steal cookies – exists at least in phpDenoras then latest stable release, version 1.2.2 and “possibly all other versions” says developer Hal9000.

Due to lacking sanitization it was possible to exploit the vulnerability using specially crafted channelnames that would be visible on several pages of phpDenora – according to phpDenoras Hal9000 on the “channel listing, the channel stats page, the user stats page and the top channel list on the homepage – if the channel is in the top X channels”.

To test if your installation of phpDenora is vulnerable you simply can /join #<script>alert(‘XSS’)</script> and then visit one of the mentioned pages – if you’re getting a popup, you should upgrade.

But, since channels names usually are pretty limited in length and usable charset, serious threats like stolen cookies are unlikely to occur. Nonetheless this recent upgrade is a recommended one.

The download for phpDenora 1.2.3 can be found here.

Thanks go to Shawn for reporting the vulnerability, to w00t for making the initial intermediary contact to Hal9000 and of course to Hal9000 for being so quick to fix the vulnerability.

Anope switches their Support Network to InspIRCd

Following the announcement of InspIRCd 1.2-rc1, the Anope project wrote a news article on their homepage, stating that they have switched IRCds on their support network.

They’re now using InspIRCd 1.2 and a development version from the new 1.9.0 series of their services package. Stating reasons for this move, away from stable to potentially unstable development versions of both programs, chaz says that they “chose InspIRCd as it’s a well maintained, highly motivated and definitely innovative product and we (Anope) should be the forefront of the technology for the sake of our users”.

“We decided also to make the move from Anope 1.8 to 1.9 for a few reasons, namely to put our money where our mouth is and start to push the game forward by showing it’s developing fast and taking strides forward. We also wanted to be able to have users experience it for themselves without the need for a testnet or taking the plunge until their ready” chaz continues to explain the motives behind the move and says that they thought “that if we use Anope 1.9 with InspIRCd we’d be helping both teams find/fix bugs as we are all in the same game at the end of the day; to provide reliable, and feature packed IRC ‘Services’ to administrators & users alike”.

He explicitly mentions that there is no “political motive to our move” but that they “merely want to further the compatibility efforts with InspIRCd” because “of the Unreal project forking InspIRCd for their next major version” they figured that they “might aswell get in on the ground with InspIRCd”.

Closing the announcement, chaz writes that they’re “aiming for a release of Anope 1.9.0 as the first milestone in the development since it started it’s development over on C++” and that they’d like “everyone to get involved with us in testing and suggesting new features on the forum here and reporting any bugs to us on the Bugtracker here“.

Anope releases 1.8.0-stable of their IRC services package

The Anope project announces the availability of version 1.8.0, the new stable release of their IRC services package.

It’s been a long couple of years, with many changes both to the product and indeed to the team as a whole.

For those of you with Modules which won’t work beyond 1.7.21 we understand your plight and will be available to assist module authors if they need a hand revising their mods for general consumption.

We want everyone to move away from 1.7.x as a development branch and join us on -stable. (with your modules of course!)

Below is the complete changelog since version 1.7.24:

10/19 F Updated Anope Credits [ #00]
11/12 F Fixed a potential problem with NS ACCESS and UseRDB [ #00]
11/14 F Fixed two potential format vulnerabilities. [ #00]
11/15 F Fixed ns resending of passcode issue. [#964]
12/05 F Fixed session count being decremented twice on GHOST. [#969]
12/05 F Fixed CS setting +i when akicking a user from an empty channel. [#973]
12/07 F Fixed improper detection of ‘d’ usermode on UnrealIRCd. [#966]
12/20F Fixed crashbug in db-merger. [ #00]
12/29 F Fixed incorrect merging when db-merger is given arguments. [#976]
12/29 F Fixed akicklist not being reordered after a nickcore is dropped. [#983]

Provided by Julien S. <SnakeBrothers [at] hotmail [dot] com> – 2008
11/14 F Fixed BotInfo::chancount not being set properly with UseRDB [#965]

Provided by Szymek <szymek [at] adres [dot] pl> – 2008
10/25 F Updated Polish language file translation. [ #00]

Provided by Kein <kein-of [at] yandex [dot] ru> – 2008
10/25 F Updated Russian language file translation [#959]

Closing their announcement they “once again wish our loyal users all the very best in this holiday season and for all to have a successful year in 2009.”

Files can be grabbed from here.

Of course all the best wishes for 2009 from too – have a nice festive season!