You also seem to be getting confused about what the bug allows people to do. The bug will let people call any identifier on the users system, not a command. Also, since channel names can't have commas in them none of the identifiers that let you call commands ($findfile() and $finddir()) can be called using the exploit. It's a relatively low risk bug, but it is still an exploit and should be fixed ASAP.
$findfile() and $finddir() are 99% useless.
You can't use , in channel names, but you can't encode them with $encode()
We can't use MIME encode, since we have to specify a ,m (and , is not allowed)
The only way is to use normal $encode(), but in 80% of cases the encoded string contains a '(' or a ')' or a ',' and it can't be decoded only if you use $chr(). but using $chr() here is not possible, so it's not a very big risk, but, anyway, this bug can make you quit the server or send some commands to server.
