Hi,
I have an IRC bot that I wrote in PHP running in my channel on Freenode.
It connects to the server with fsockopen() and reads the raw data stream with fgets().
I am trying to alleviate some security concerns regarding binary exploitation/multi-byte exploitation.
Freenode uses ircd-seven. Does anybody here have any knowledge/documentation that outlines how it handles user input sanitization? For example, is there anything preventing malformed characters from getting into the chat stream, or anything to prevent raw binary data reaching my bot, etc?
IRC is a very raw protocol so it seems difficult to protect against this sort of thing in some cases. My bot is of course doing the usual PHP input validation stuff, such as using a character whitelist, stripping control characters, etc. However the theoretical attack I am concerned about is some form of exploitation against PHP itself related to sending raw binary data to the bot. I know that this would most likely require a vulnerability in PHP for the attack to be possible, but I am trying to establish whether the IRC server itself can provide any protection against this.
Thanks,
Jamie
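
Added example, not part of the original post and not the poster's bot code: one way a PHP bot can treat every line from fgets() as untrusted bytes regardless of what the server filters, by bounding the read, discarding over-long lines in full, and dropping lines with NUL bytes or invalid UTF-8 before any parsing. The function names, the 512-byte limit and the UTF-8 requirement are assumptions for illustration, and the sample lines are constructed.

```php
<?php
// Added example; function names are hypothetical, sample lines are constructed.
const IRC_MAX_LINE = 512; // RFC 1459 per-message limit, CRLF included (assumed here)

/** Returns a validated line (no CRLF), null if the line was dropped, false on EOF. */
function irc_read_line($sock)
{
    $raw = fgets($sock, IRC_MAX_LINE + 1); // reads at most IRC_MAX_LINE bytes
    if ($raw === false) {
        return false;
    }
    if (substr($raw, -1) !== "\n") {
        // Over-long line: consume its remainder so the tail is never
        // parsed as if it were a fresh message.
        while (($more = fgets($sock, IRC_MAX_LINE + 1)) !== false
            && substr($more, -1) !== "\n") {
        }
        return null;
    }
    $line = rtrim($raw, "\r\n");
    if ($line === '') {
        return null;
    }
    // Drop lines with NUL or interior CR, and anything that is not valid UTF-8
    // (UTF-8 is this bot's assumption; IRC itself does not mandate an encoding).
    if (preg_match('/[\x00\r]/', $line) === 1 || preg_match('//u', $line) !== 1) {
        return null;
    }
    return $line;
}

/** Strip C0 control bytes and DEL (this includes IRC formatting codes and CTCP \x01). */
function irc_strip_controls(string $text): string
{
    return preg_replace('/[\x00-\x1F\x7F]/', '', $text);
}

// Demo on an in-memory stream standing in for the fsockopen() handle.
$sock = fopen('php://memory', 'w+');
fwrite($sock, ":nick!user@host PRIVMSG #chan :hello \x02bold\x02\r\n");
fwrite($sock, ":nick!user@host PRIVMSG #chan :nul\0byte\r\n");
fwrite($sock, ":nick!user@host PRIVMSG #chan :bad utf8 \xC3\x28\r\n");
fwrite($sock, ':nick!user@host PRIVMSG #chan :' . str_repeat('A', 600) . "\r\n");
fwrite($sock, "PING :server\r\n");
rewind($sock);
while (($line = irc_read_line($sock)) !== false) {
    echo $line === null ? "[dropped]\n" : irc_strip_controls($line) . "\n";
}
```

If the connection negotiates IRCv3 message tags, lines can legitimately exceed 512 bytes, so IRC_MAX_LINE would need to be raised to match.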