Bug 429328 - Security vulnerability in Hudson IRC Plugin
Status: NEW
Alias: None
Product: Hudson
Classification: Technology
Component: Plugins
Version: 3.1.0
Hardware: PC Mac OS X
Importance: P3 normal
Target Milestone: ---
Assignee: Winston Prakash
QA Contact: Geoff Waymark
Reported: 2014-02-28 11:07 EST by Carlton Brown
Modified: 2014-02-28 11:07 EST


Description Carlton Brown 2014-02-28 11:07:18 EST
It appears there is a security vulnerability in the IRC Plugin. By design, anyone who can communicate with the Hudson IRC bot can cause commands to be executed as an authenticated Hudson user.

Password-protecting the IRC channel with the +k switch is not enough to close the hole, because anyone who knows the bot's nick can send /msg and /notice messages directly to it.

My suggestion would be:
1. The bot should not accept private messages (/msg or /notice).
2. The bot should refuse to accept commands on channels that aren't +k password protected.

Really, these behaviors should be enforced defaults, though one could argue that they should be configurable options.
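As an added illustration (not the Hudson IRC plugin's own code) of the two rules proposed in the report, the gate below parses raw IRC lines and passes a command to the dispatcher only when it arrives as a channel PRIVMSG, addressed to the bot, on a channel the bot has recorded as +k. The bot nick, the channel-mode table and the sample traffic are constructed; a real bot would fill the table from MODE replies.

```python
import re
from dataclasses import dataclass

# Matches the two line shapes this gate cares about: ":nick!user@host CMD target :text"
IRC_LINE = re.compile(
    r"^:(?P<nick>[^!\s]+)\S* (?P<cmd>PRIVMSG|NOTICE) (?P<target>\S+) :(?P<text>.*)$"
)

@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    sender: str = ""
    command: str = ""   # text the dispatcher would act on, when allowed

def gate(line, bot_nick, channel_modes):
    """Decide whether a raw IRC line may reach the bot's command dispatcher.

    channel_modes maps a lower-cased channel name to the mode letters the bot
    learned for it (e.g. "ntk"); a channel not in the table is treated as not +k.
    """
    m = IRC_LINE.match(line)
    if not m:
        return Decision(False, "not a PRIVMSG/NOTICE line")
    if m["cmd"] == "NOTICE":
        return Decision(False, "NOTICE refused (rule 1)")
    target, text = m["target"], m["text"].strip()
    if not target.startswith(("#", "&")):
        # A non-channel target means a private /msg to the bot.
        return Decision(False, "private message refused (rule 1)")
    if "k" not in channel_modes.get(target.lower(), ""):
        return Decision(False, f"{target} is not +k (rule 2)")
    # Only lines addressed as "botnick: ..." (or "botnick, ...") are commands at all.
    addressed = re.match(rf"^{re.escape(bot_nick)}[:,]\s*(?P<body>.+)$", text, re.IGNORECASE)
    if not addressed:
        return Decision(False, "not addressed to the bot")
    return Decision(True, f"channel command on {target}", m["nick"], addressed["body"])

def accepted_commands(lines, bot_nick, channel_modes):
    """Return the (sender, command) pairs that pass the gate, in arrival order."""
    decisions = (gate(line, bot_nick, channel_modes) for line in lines)
    return [(d.sender, d.command) for d in decisions if d.allowed]

BOT_NICK = "hudsonbot"                                 # constructed
CHANNEL_MODES = {"#builds": "ntk", "#lobby": "nt"}     # constructed; #builds is +k, #lobby is not
SAMPLE_LINES = [                                       # constructed traffic
    ":alice!a@host PRIVMSG #builds :hudsonbot: build web-app",     # allowed
    ":mallory!m@host PRIVMSG hudsonbot :build web-app",            # private /msg, rule 1
    ":mallory!m@host NOTICE #builds :hudsonbot: build web-app",    # /notice, rule 1
    ":bob!b@host PRIVMSG #lobby :hudsonbot: build web-app",        # channel without +k, rule 2
    ":carol!c@host PRIVMSG #builds :anyone seen the release notes?",  # ordinary chat
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        d = gate(line, BOT_NICK, CHANNEL_MODES)
        print("ALLOW " if d.allowed else "REFUSE", d.reason)
```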