#211872 03/05/09 08:37 AM
Babel fish (OP), Joined: Dec 2008, Posts: 95
Hi my dear mIRC friends,

I wanted to make a simple script that flashes the mIRC window saying "nick: message" when I receive a private message while mIRC is not the active application.

So I simply tried on *:text:*:?:flash $nick $+ : $1- which works well, except for the fact that it evaluates any given identifiers in the text, which is fine for $nick but not for $1- in my case.

If Peter messages "Hey, you told me to use $r(1,5) in my script, didn't you?" to me, it will flash "Peter: Hey, you told me to use 2 in my script, didn't you?"

Now, apart from the fact that the flashed message is screwed up, the actual bad part is that it allows remote code execution, for example by messaging "$findfile(c:,*,1,quit I got owned!)" to me.

So then I tried on *:text:*:?:flash $nick $+ : $($1-,0) and on *:text:*:?:flash $nick $+ : $($1-,1) to prevent mIRC from evaluating the given text (twice), but the first version makes it flash only "nick:", and the second one causes the same problem as simply putting $1- as done in the very first version above.


Now I'm not sure how to solve this issue, and am wondering if one of you can give me any hints or ideas.

Thank you,
asdfasdf

Hoopy frood, Joined: Sep 2005, Posts: 2,881
Use a temporary variable like this:

Code:
on *:text:*:?:{
  set -u3 %text $1-
  flash $nick $+ : % $+ text
}

Babel fish (OP), Joined: Dec 2008, Posts: 95
Hi hixxy,

thank you for your response and your solution.


I gotta admit that I don't exactly like using an extra variable for it but if this is the only way then I guess I have no choice.


Thanks again.

Hoopy frood, Joined: Jan 2003, Posts: 2,523
An alternative is to use the $safe (or $safe2) alias, for example:
Code:
on *:text:*:?: flash $safe($nick $+ : $1-)
(or just directly the technique used in that alias)


/.timerQ 1 0 echo /.timerQ 1 0 $timer(Q).com
Babel fish (OP), Joined: Dec 2008, Posts: 95
Hi qwerty,

thanks for your response and the provided solutions as well; $safe's way seems simple and fine to use.


I'm wondering, though, why do /flash and, I believe, also $tip evaluate it twice in the first place - especially when it can easily cause such dangerous remote code execution vulnerabilities in these two cases?

If I wanted it to be evaluated twice then I'd use $($1-,2).


Also, for future cases and just to be aware of it, are there any other identifiers apart from the $find* ones that can perform given commands/that can be exploited that way?


Thank you.

Hoopy frood, Joined: Jan 2003, Posts: 2,523
Originally Posted By: asdfasdf
I'm wondering, though, why does /flash and I believe also $tip evaluate it twice in the first place - especially when it can easily cause such dangerous remote code execution vulnerabilities in these two cases?
/flash is an old command (v5.3 - 12 years old) - $eval didn't exist back then, although I'm not sure if that's the only reason that it evaluates input. The command parameter in $findfile was added two years later (v5.5), so /flash wasn't as serious a security concern until then. $tip() does not evaluate its parameters, so it's safe to use.

Originally Posted By: asdfasdf

Also, for future cases and just to be aware of it, are there any other identifiers apart from the $find* ones that can perform given commands/that can be exploited that way?
There aren't any that are as easy to exploit as the $find* ones. An attacker with extra information about your mirc setup could still cause trouble. For example, they might know you have a certain, potentially dangerous, custom identifier installed. Another is that they might know you have a certain dll, which could contain a potentially dangerous routine. Also, with $dllcall(), all they need to know is the existence of any known dll: even if the dll doesn't contain a dangerous routine, the <alias> parameter in $dllcall() can cause trouble (especially since it accepts built-in commands as well). There may be a couple more similar cases that I can't think of right now, but the common thing is that they all require additional information, unlike the $find* ones.


/.timerQ 1 0 echo /.timerQ 1 0 $timer(Q).com
Hoopy frood, Joined: Nov 2006, Posts: 1,559
Quote:
$tip() does not evaluate its parameters, so it's safe to use.

The command parameter has an extra evaluation layer. Example:
Code:
on *:text:*:#: {
  noop $tip(texttip,Text:, $nick said $1- in $chan,,,,echo -a do some command with $1-)
}
The text parameter "$nick said $1- in $chan" won't be evaluated and is safe as it is.
However, the command parameter will be evaluated and is "safe" only with e.g.: "echo -a some command with $safe($1-)"

Last edited by Horstl; 08/05/09 05:33 PM.
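Pulling the thread's advice together, here is an added example (not posted by anyone in this thread) of a remote script that keeps the user-supplied text out of the second evaluation pass in both the /flash case and the $tip command-parameter case. It assumes the usual shape of the $safe alias (returning a literal $decode of an $encode'd string) as a stand-in for whichever $safe you have installed; the temporary-variable variant is included as a commented alternative.

```mirc
; Added example, not from the thread. The $safe alias below is an assumed
; definition of the commonly used alias; substitute your own if it differs.

; The script engine evaluates this line once and returns the literal text
; "$decode(<base64>,m)". Commands that evaluate their parameter a second time
; (/flash, the command parameter of $tip) then decode it back to the raw
; message, so identifiers typed by the remote user are never executed.
; The spaces around the inner $encode keep $! from suppressing it too.
alias safe { return $!decode( $encode($1-,m) ,m) }

; Unsafe: /flash evaluates its message again, so identifiers in the
; incoming text run on your client.
;on *:text:*:?: flash $nick $+ : $1-

; Safe: the whole message passes through $safe before /flash sees it.
on *:text:*:?: flash $safe($nick $+ : $1-)

; Equivalent without $safe, using a short-lived variable: "% $+ text"
; evaluates to the literal name %text, and /flash's second pass only expands
; that name, not the identifiers stored inside it.
;on *:text:*:?: {
;  set -u3 %text $1-
;  flash $nick $+ : % $+ text
;}

; $tip: the text parameter is not re-evaluated, but the command parameter
; is, so only the user-controlled part of the command needs wrapping.
on *:text:*:#: {
  noop $tip(texttip,Text:, $nick said $1- in $chan,,,,echo -a do some command with $safe($1-))
}
```

To check the behaviour, have a second client send you a private message containing an identifier such as $r(1,5); with the unsafe line it flashes a number, with the $safe version it flashes the text exactly as typed.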
Hoopy frood, Joined: Jan 2003, Posts: 2,523
Good point, this is something to watch out for.


/.timerQ 1 0 echo /.timerQ 1 0 $timer(Q).com
Hoopy frood, Joined: Oct 2003, Posts: 3,918
In the 5.x versions, I forget which specifically, it was possible to execute all commands (including builtins) as $identifiers, including things like $quit and $run. It wasn't quite as easy to use as a $findfile command, but the same issue would've been a security concern then as well.



- argv[0] on EFnet #mIRC
- "Life is a pointer to an integer without a cast"
