**kaniini** @kaniini@mastodon.dereferenced.org · Feb 02, 2018, 21:00

**kaniini** @kaniini@mastodon.dereferenced.org · Feb 02, 2018, 21:00

kaniini @kaniini@mastodon.dereferenced.org

since the "new atheme" idiots are busy playing serious business security embargo games, I figured out the vulnerability for the rest of us.

they completely fucked up their mitigation of CVE-2016-4478, making it entirely pointless because THEY DID NOT UNDERSTAND PASCAL STRINGS ARE NOT THE SAME AS C STRINGS (good job guys, maximum security here)

full analysis here:
https://github.com/atheme/atheme/commit/87580d767868360d2fed503980129504da84b63e#r27301897

IF YOU ARE RUNNING ATHEME CLOSE THE XMLRPC EXPOSURE BECAUSE THESE GUYS ARE TRUE MORONS THAT IS ALL

or consider rm'ing your ircd, that also works well.

**Diane Bruce** @Dianora · 2018-02-02T21:07:27Z

Diane Bruce @Dianora

@kaniini Yes IRC sucks.

Feb 02, 2018, 21:07 · Web · 3 · 2

**Now is the summer of our discotheque** @Elizafox@mst3k.interlinked.me · Feb 02, 2018, 21:13

**Now is the summer of our discotheque** @Elizafox@mst3k.interlinked.me · Feb 02, 2018, 21:13

@Dianora @kaniini

IRC was a mistake

**Diane Bruce** @Dianora · Feb 03, 2018, 01:04

**Diane Bruce** @Dianora · Feb 03, 2018, 01:04

@Elizafox @kaniini I think I could have been done a hell of a lot better.