Forums Feature Suggestions Script.ini is loaded by default .. That is wrong..

Why Script.ini is loaded by default ?
Some virus use that for load the bad script ..
I think the script.ini must created only if the user add some script from the mirc editor ..
And why the mIRC Editor can't live without scripts ? I can't unload all scripts ..

scripts.ini is only auto-loaded if there is no others loaded. The only time i see that as being a security thrat is if u downloaded a script with that setup. And to me, you deserve that much.

whenever you use someone elses script, if it says this script has initializing settings(or whatever) would you like to run them?, say NO, check the code before running it.

Correct but in the wrong order.

Check the code first - then, if all is well, run it.

Example of bad-using the loaded script.ini ..
A don't know man go to a bad-virused site ..
When he open the site .. In the c:\mirc\script.ini is writing the bad script .. And the mirc don't ask the man to load the script or not :tongue:

mIRC doesn't do things like that because there is a trojn called script.ini. It is the other way around. Script kiddies call the file script.ini to make it look like a legitimate file.

How does one avoid getting the bad version? Don't visit websites that are advertised on IRC unless they are trusted ones that people you know have visited before. It is that simple.

If you don't want your scripts to end with .ini then just change the file extension to something else. .mrc is popular though most (including whatever you choose to invent) will work with no drama at all.

thats what i said.
when it asks you to run dont, then check the code

That is not the same as what I said. When you receive a .zip containing an addon, it is my suggestion that the code is checked there and then (in a visual sense rather than a practical sense) to make sure the code is safe. This is before even shifting the script file to mIRC's directory and therefore no message from mIRC is possible. When and only when one deems the code to be safe, it can then be installed in the proper way and then approving of the ON LOAD warning.

I'll add that this procedure should be followed regardless of whether the script has an ON LOAD or not.

Ok .. Let's say that some popular site was hacked .. And at the first page the hacker put a virused page(ie exploit) that write automatic a bad script to script.ini .. Then what ..
I just whant to say .. The script.ini don't must be loaded by default ..

ah.... got ya :tongue:
better than my way anyway

Ok .. Let's say that some popular site was hacked ..

I am yet to see a popular site falter in this way. Sure, at times sites can be hacked but I am yet to hear of the same site being embedded with dangerous files. The site is usually just defaced in some way. This is not to say that it doesn't happen, I'm just saying that I am yet to hear of it.

I doubt someone who can make code that puts script.ini in your mirc directory will have much difficulty altering that code to also adjust mirc.ini in such a way a script is loaded.

If the script.ini would not be loaded by default .. A lot of spam(then you join/part some channel) would be destroyed(sorry 4 english) ..
I can't explain the users to not go to the bad sites .. I understand what that sites are with bad code .. But the user don't understand that .. Then i need to ban they and is not realy nice because the user whant to chat ..

In the case of script.ini or server.ini, the script file is not loaded by itself. It is loaded by a VBScript sent to your C: drive by the website. The VBScript then writes the mIRC script. When the script is loaded the VBScript is deleted. I am sure Micro$oft made a patch for IE to stop this but I am not 100%. Even if I am right there the fact is that millions of people around the world simply don't bother to patch their systems, either because of ignorance (they don't know an update system exists) or because of the "It won't happen to me" syndrome.

The script.ini is already loaded .. Then you install mirc the script.ini is loaded .. The vbscript just write the bad script script.ini .. If the script.ini would not be loaded when you install the mirc .. The bad scripts can't be activated ..

As Rich said, if they can write to script.ini then they can write to mirc.ini and list the script as already loaded anyway.

I agree with you Adrenalin.

I think the point that everyone here is missing, is the fact that mIRC automatically loads script.ini if the file suddenly appears in your mIRC directory. There is no prompt, no warning, no way to prevent it. The only work around is to type something in the script editor, select File click Save As and name it something unique and hard to guess.

I don't think it should be the user's responsibility to cautiously avoid evil websites with javascript that will automatically and blindly create the file c:\mirc\script.ini and c:\program files\mirc\script.ini. Yes, it would be NICE if users were more cautious about their online activities, but quite frankly any undesired Popup window can infect you.

[color:0000CC]mIRC shouldn't automatically load this file on startup, plain and simple. There are no valid arguements.[/color]

- Raccoon

PS. Watchdog, mIRC automatically loads script.ini, if no other script is loaded. The VBScript is not loading the file, just creating it.

The big difference is the javascript can only Create a new file, it can't Edit an existing one. mirc.ini is safe.

The only bad thing about script.ini being default is that scripts are better placed in a .mrc file, so they can be read in notepad without all the ini file section and items (n0=,n1=,etc) added. .mrc should be encouraged as the extension of script files, if not that then even .txt would be better as deafult than .ini. I would even go as far to say that mIRC should register the .mrc extension in Windows so users can right click and load it, for conveniance. Yes, I know you can do that manually.