Posted By: Dean_ be aware - 26/07/05 11:41 PM
Hi, I would like to make mIRC users aware. I've checked many websites and I don't see any information on it.

This bug works by auto invite when someone invites you to a channel, so please make sure you DON'T have this on....

If you do have it on they can use your mIRC and use any command they like.


Regards
Dean
Posted By: Riamus2 re: be aware - 26/07/05 11:47 PM
Interesting that there is no information stated as to what it does or how it works. Heh.

Let's see now...

Auto-join works like so:

User1 > send invite to User2 to join ____
User2 > /join ___

Now, if someone sent the command to join some code rather than some channel, it would simply give an invalid channel error. I don't see how this can be an exploit in any way, shape, or form...

I could always be wrong, tho.
Posted By: Dean_ Re: re: be aware - 26/07/05 11:53 PM
Bro, I'm not wrong. These people have taken over chats with this.

I cannot tell you the command they use because if people find out, people will use it to their advantage.....
Posted By: Mentality Re: be aware - 27/07/05 12:00 AM
Please do not go posting thread titles in capital letters and shouting "exploit", it causes unnecessary worry/concern.

Firstly, this has been reported before by numerous users and has been known by more, for want of a better word, "experienced" mIRC users for a number of months now. Khaled is aware of the issue. The seriousness of the issue is up for debate of course, both arguments resting quite a bit on presumptions which we don't need to go over in this thread, or any other.

At this time, the BUG is not anywhere near widespread enough to be considered particularly dangerous. It is however a potential serious threat if used properly in the right circumstances. Neither this thread nor any other will be used to post methods of exploitation. Attempts at doing so will get threads deleted. Plenty of info and discussion has been sent to Khaled and Krejt too.

I would give two points of advice. One, if you have Autojoin On Invite enabled, you can turn it off with /ajinvite off. If you're not an avid user of this feature but have it turned on for no particular reason, it would be wiser to turn it off. If you use the feature a lot then feel free to continue using it without worry. Secondly, a point which has been raised countless times in the past - please remember not to type anything people tell you to type unless you know for certain what the outcome of it will be.

Thanks for your concern Dean, but don't get too dramatic just yet :D

Regards,
Posted By: HostXpro Re: be aware - 27/07/05 12:14 AM
I have registered and I am posting in regard to a response from Mentality.

I have to totally disagree with you. I run a chat hosting service and provide chat services for 22 clients (22 irc servers). This exploit that was just recently discovered on our network has been a HUGE issue and if what you are saying is true about it being well known, this bothers me.

We have trusted mIRC for its security. I know I have donated 3 times to support it and this is the response I get? Based on the exploit.. ANY command can be run under another irc user without their knowledge and when someone first installs mIRC, the 'auto-join channel on invite' is automatically enabled. I sense a problem with that!

I have nothing else to add at this time.
Posted By: Mentality Re: be aware - 27/07/05 12:19 AM
I am sorry that your server/clients are being affected. However, the protection is easy, and I gave two bits of advice above that, if followed, will protect you.

I'm afraid your servers are not representative of the whole of IRC, and the fact that it is an issue on your servers does not mean it is "widespread".

Quote:
when someone first installs mIRC, the 'auto-join channel on invite' is automatically enabled.


No it isn't.

Regards,
Posted By: HostXpro Re: be aware - 27/07/05 12:21 AM
Thank you for the quick reply. We will do the best we can to prevent the issue and hope there's a fix. From my understanding of programming, it would appear to be an easy fix, but of course I can't say that for sure.
Posted By: Riamus2 Re: be aware - 27/07/05 12:23 AM
*Riamus admits to being wrong about it. Oh well. I don't use it anyhow* :)
Posted By: tidy_trax Re: be aware - 28/07/05 05:34 PM
You also seem to be getting confused about what the bug allows people to do. The bug will let people call any identifier on the user's system, not a command. Also, since channel names can't have commas in them none of the identifiers that let you call commands ($findfile() and $finddir()) can be called using the exploit. It's a relatively low risk bug, but it is still an exploit and should be fixed ASAP.
Posted By: Sat Re: be aware - 28/07/05 06:11 PM
It's not as simple as you think. The bug also lets people call commands - if not directly, then indirectly. This affects every default mIRC installation where the user explicitly turned on autojoin-on-invite, and works on nearly every network. Obviously I'm not going to go into details about this, but I don't think that the risks should be downplayed (intentionally or not).
Posted By: tidy_trax Re: be aware - 31/07/05 06:27 PM
I fail to see how it lets people call commands unless there's a custom alias that doesn't check if (!$isid) before executing code, but I guess I've got no reason to disagree with you :)
Posted By: IR_n00b Re: be aware - 01/08/05 06:00 PM
Why not use a snippet for a temporary fix? i.e.:
Code:
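on *:INVITE:#:{
  ; Not sure if I used this wrong, my PC broke a few days ago :(
  ; Not sure if I used this right either :S (the ignore line)
  ; $chan is the channel named in the invite, so use it rather than $1;
  ; $wildsite is the inviter's *!*@host mask, same form as $address($nick,2)
  if (#* !iswm $chan) ignore -u3600 $wildsite
  else join $chan
}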

This should let your autojoin work, and ignore the user that invited you if the name of the room isn't a channel.
I used something like this, just I made a list of all my friends' nicks, and it checked if they were identified with NickServ (better than host, because they went to school/work/etc. (changed their hostname)).
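
The filter described in the post above (auto-join only when the invite names a well-formed channel and comes from an identified friend), generalized as an added Python example; it is not part of the original post and not mIRC's code. The function `decide`, the `accounts`/`trusted` lookups, the character allowlist and the sample lines are assumptions constructed for illustration.

```python
import re

# Conservative allowlist (an assumed policy, stricter than the IRC grammar):
# '#' or '&', then 1-49 characters from [A-Za-z0-9_.-]. Anything a scripting
# client could treat as syntax is rejected before the name is used.
SAFE_CHANNEL = re.compile(r"[#&][A-Za-z0-9_.\-]{1,49}")
INVITE = re.compile(
    r":(?P<nick>[^!\s]+)!(?P<user>[^@\s]+)@(?P<host>\S+) "
    r"INVITE (?P<target>\S+) :?(?P<chan>.*)"
)


def decide(line, accounts, trusted):
    """Classify one raw INVITE line as join / prompt / ignore / drop.

    accounts: nick -> services account it is identified to (hypothetical
              lookup table; a real client would query services).
    trusted:  set of accounts allowed to trigger an automatic join.
    """
    m = INVITE.fullmatch(line.rstrip("\r\n"))
    if m is None:
        return ("drop", None)                 # not an INVITE we understand
    chan = m["chan"]
    if SAFE_CHANNEL.fullmatch(chan) is None:
        # Malformed name: never join; hand back a host mask to ignore,
        # as the snippet in the post does for an hour.
        return ("ignore", "*!*@" + m["host"])
    if accounts.get(m["nick"]) not in trusted:
        return ("prompt", chan)               # valid name, unknown inviter
    return ("join", chan)                     # used as data, never evaluated


if __name__ == "__main__":
    # Constructed sample traffic, not captured from a real network.
    accounts = {"alice": "alice_acct"}
    trusted = {"alice_acct"}
    for raw in (
        ":alice!a@host.example INVITE me :#python",
        ":bob!b@other.example INVITE me #chat",
        ":mallory!m@bad.example INVITE me :#a,b",
        "PING :irc.example",
    ):
        print(raw, "->", decide(raw, accounts, trusted))
```

Keying trust on the services account rather than the host follows the post's point that friends' hostnames change between home, school and work.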
Posted By: stefys99 Re: be aware - 11/08/05 11:07 PM
Quote:
You also seem to be getting confused about what the bug allows people to do. The bug will let people call any identifier on the user's system, not a command. Also, since channel names can't have commas in them none of the identifiers that let you call commands ($findfile() and $finddir()) can be called using the exploit. It's a relatively low risk bug, but it is still an exploit and should be fixed ASAP.

$findfile() and $finddir() are 99% useless.
You can't use , in channel names, but you can't encode them with $encode()
We can't use MIME encode, since we have to specify a ,m (and , is not allowed)
The only way is to use normal $encode(), but in 80% of cases the encoded string contains a '(' or a ')' or a ',' and it can't be decoded only if you use $chr(). But using $chr() here is not possible, so it's not a very big risk, but, anyway, this bug can make you quit the server or send some commands to the server.
Posted By: stefys99 Re: be aware - 11/08/05 11:09 PM
Quote:
I fail to see how it lets people call commands unless there's a custom alias that doesn't check if (!$isid) before executing code, but I guess I've got no reason to disagree with you :)

By default, there are some. The p,w,s,etc. :)
© mIRC Discussion Forums