Forums Developers Youtube link to title for mIRC

Just something minor to add to this post, about protecting yourself from being exploited. If all you're doing with this is echoing the Title and Description to yourself, there's no problem. The exploit happens ONLY when you sent the string to the IRC server, because of the way the IRC server handles messages. If they receive a message which contains an embedded line ending (either $cr or $lf or $crlf), they treat the following text as if it's another server command. If it's impossible for the html strings for title and description to contain $cr and/or $lf, then this warning doesn't apply to this specific case, but it DOES apply to the mp3 tags I mention below.

If you're typing in the editbox for channel named #test, and you type without quotes "Title goes here", it's the same as your client issuing the command:

/raw PRIVMSG #test :Title goes here

However, since you're sending a string scraped from a website created by an unknown person, there's the possibility that someone sharing a link in channel has done it for a page that they can control, and they can insert a $cr into a string that you'll be sending to the server. Assuming it's possible to create a webpage title consisting of

Title goes Here $cr mode #test +o maroon

... and your script sends a channel chat message containing the %title string, the eqivalent of this happens:

//raw PRIVMSG #test :Title goes Here $cr mode #test +o maroon

The message everyone in channel sees will consist only of the portion preceding the $cr (or $lf or $crlf), and the remaining portion will be executed by the server as if it's a separate command with your nick's current level of privileges. And in this case will give @op to whoever is using the maroon nick, but only if you have @op status or better which causes the server to accept it as a valid command. A valid server command could be anything from giving status to someone, kicking someone, or telling nickserv to drop YOUR account. It would be especially dangerous for someone who has IRCOP privileges, since there's another raft of powerful commands which become valid for them.

Note that the 2nd command is not an exploit against mIRC or any client, it's just how servers are designed to handle 2 commands in the same string. It cannot be used to get someone to execute code on their computer, so it can't launch something using /run or delete something using /remove etc.

The defense is simple, you can either strip the portion of the string following the line-ending character, or show the entire string with the cr/lf removed or replaced by spaces. I prefer the latter, because that allows everyone in channel to see the attempted trickery, rather than the threat being silently ignored in this case while still leaving others in channel possibly vulnerable later on.

For this script, these 2 commands:


... would be replaced by:


Since you're sanitizing a &binvar whose name is held in %b, you can ensure all line endings are removed in a single command prior to creating the %title and %desc variables:



becomes



NOTE:

This warning is just as applicable for other strings sent to the server, of any kind. Another area of concern would be if you have a script which sends a 'now playing' message to channel containing the Artist/Album/Title 'tag' info from an .mp3, where someone could create a malicious tag then wait for you to announce to the channel that you're listening to that song. You can use the following aliases to scan the comment string for all mp3's in your $mp3dir and below, and it will show you which, if any, contain $cr or $lf in the 'comment' tag, though they could just as easily be inserted into other fields. It's common for cr/lf to be in a comment field, but it's unlikely that will be used in the 'now playing' message. However, someone shouldn't be putting it into the title, artist, album, etc.