|
|
Joined: Apr 2004
Posts: 217
Fjord artisan
|
OP
Fjord artisan
Joined: Apr 2004
Posts: 217 |
Um, I'm not quite sure if this bug has been reported yet, and if not I would like to just repost.
But mIRC evaluates identifiers in topics when the user has auto-join on invite turned on.
I really don't want to post examples of my beta testing and fun times but basically when someone has /ajinvite on, and you invite them into a channel with certain names and identifiers it evaluates them.
Just would like to make this issue notiable again..
WinXP w/ mIRC 6.16
|
|
|
|
|
Joined: Aug 2004
Posts: 7,168
Hoopy frood
|
|
Hoopy frood
Joined: Aug 2004
Posts: 7,168 |
I don't see what the bug is with this.
I have an Auction room on an adult network, where people can put themselves up for auction, and when there is someone the person's nick is put into the topic, and I use the identifier $nick($chan,1,v) in the topic.
If I was to join the room, whether via "auto-join on invite" or some other method, is irrelevant, I'd rather see a name in place of $nick($chan,1,v) to the code.
If the identifiers didn't evaluate, then all I'd see would be the code, not the results of the code (ie: the nick)
|
|
|
|
|
Joined: Sep 2005
Posts: 2,630
Hoopy frood
|
|
Hoopy frood
Joined: Sep 2005
Posts: 2,630 |
If I invite you to a channel that has certain identifier names in the channel name the identifiers will be evaluated on your (the innocent user that's just been invited to a channel) machine. It doesn't take a genious to figure out that this is a security risk.
|
|
|
|
|
Joined: Jun 2003
Posts: 4,670
Hoopy frood
|
|
Hoopy frood
Joined: Jun 2003
Posts: 4,670 |
Yes, this has been reported before. If you're not sure use the search feature.
Regards,
|
|
|
|
|
Joined: Aug 2004
Posts: 7,168
Hoopy frood
|
|
Hoopy frood
Joined: Aug 2004
Posts: 7,168 |
Thanks for the clarification, hixxy. I misunderstood what they were referring to. Does this just affect people that join channels using the Auto-join on invite, or does it also affect people that join by manually acceping an invite?
|
|
|
|
|
Joined: Jun 2003
Posts: 4,670
Hoopy frood
|
|
Hoopy frood
Joined: Jun 2003
Posts: 4,670 |
It is relevant to AJ on Invite only.
Regards,
|
|
|
|
|
Joined: Nov 2003
Posts: 157
Vogon poet
|
|
Vogon poet
Joined: Nov 2003
Posts: 157 |
I have made an ADDON that temporary fix this problem on mircscripts.org
|
|
|
|
|
Joined: Apr 2004
Posts: 217
Fjord artisan
|
|
OP
Fjord artisan
Joined: Apr 2004
Posts: 217 |
Yes, this has been reported before. If you're not sure use the search feature.
- I did use the search engine and searched for "auto-join" autojoin", but I only set the date back to 1 year. So I might've missed it. :tongue: And, in reponse to RuFyIndeed. Reason why I posted this topic. I wondered to my self why has there not been a fix in the program itself. 
|
|
|
|
|
Joined: Oct 2004
Posts: 8,061
Hoopy frood
|
|
Hoopy frood
Joined: Oct 2004
Posts: 8,061 |
Because there has not been a new version out since it was reported. You'd probably find it more easily searching for invite than by searching for autojoin. 
|
|
|
|
|
|
The_Mega_ZZTer
|
|
The_Mega_ZZTer
|
Workaround:
raw 332:*: {
; Channel topic
echo 3 -ti2 $2 * Topic: ' $+ $3- $+ '
halt
}
Adjust to your needs.
|
|
|
|
|
Joined: Apr 2004
Posts: 701
Hoopy frood
|
|
Hoopy frood
Joined: Apr 2004
Posts: 701 |
Please refrain from posting workarounds to security issues that you haven't understood. You may give people a false sense of security.
A real workaround is to turn off autojoin-on-invite, by typing: /ajinvite off
Saturn, QuakeNet staff
|
|
|
|
|
