You also seem to be getting confused about what the bug allows people to do. The bug will let people call any identifier on the users system, not a command. Also, since channel names can't have commas in them none of the identifiers that let you call commands ($findfile() and $finddir()) can be called using the exploit. It's a relatively low risk bug, but it is still an exploit and should be fixed ASAP.
