Forums Bug Reports possible exploit

Hi.
echo can, in combination with $findfile, execute stuff.
so you think you echo some encoded stuff in decoded version, but instead of echoing, it will be executed.

echo -a $( $findfile(.,*,1,scid -at1 .amsg n1 $!cb(1) | .dosomebadstuff) ,2)

now think that would be encoded and you give it to a newbie

//echo -a $($decode(JGZpbmRma.....==,m),2)
could end bad (think on RPC, eg.)

btw, it also works with the actual version 6.16

echoing encoded stuff has been already stated here, it is not a exploit or a bug, if you dumb enough to go and echo whatever someone tells you then bah. This has been debated much so im gonna shut it now, search the forums youll see.

//echo -a $decode(<anything>) can never be dangerous, so one can always find out what an encoded message contains without risk. If one is dumb enough to intentionally wrap $eval(...,2) or $(...,2) around $decode() or type whatever he's told on IRC, well, that's not mirc's problem, is it?

and you think a newbie knows that echo stuff can execute something bad, like an rpc script?

No, they don't know. That's why there are a number of $decode infections going around IRC. There have been for years.

However, it has nothing to do with mIRC, it has to do with the intelligence of the end user - I was a newbie once too, and I have never written a $decode virus or anything else other people have asked me to type.

People should not be on IRC, or even the Internet, if they don't know basic ways to protect their computers - unfortunately, IRC and again, the Internet, is a fairly unmoderated medium and you don't need a license to connect to either. This means people get on when they don't know what they are doing. This is not mIRC's fault. All we can do is, everywhere possible, communicate to new users basic protection methods that they can use to keep their computers/mIRC clients clean of infection.

We cannot force people to read documentation if they are too lazy to do so. We cannot force people to install antiviruses, and we cannot cure people's temptation to write commands because they think it'll get them ops in some channel. It's not an mIRC bug.

Regards,

mmh but mIRC could help a bit against that.
the first time you /echo some $decode stuff, it could give out a warning, like when you load a script with initialcode in it.
what do you think about that?

okay, people should think about what they do... but there still are quite enough who don't :tongue:

That would be a feature suggestion, not a bug report, and the suggestion of being able to lock $decode or to prevent its use has been made before. If Khaled wishes to add that to future versions of mIRC, then you'll find out in the coming years

Regards,

heh okay then