mIRC Homepage
Posted By: Adler Another idea ;-) - 06/06/03 06:41 PM
Here are posted some threads with suggestions, and the answers to this threads are "its dangerous" and "you could use com objects"
Com Objects, i think, are also dangerous and my suggesion is:

If i load a file, mirc should be warning the user (if com objects included)

e.g. Security warning...

Posted By: theRat Re: Another idea ;-) - 07/06/03 12:22 PM
Why would you load a script whitout knowing what it does?
Posted By: saxon Re: Another idea ;-) - 07/06/03 01:28 PM
i Suppose it's something that a non-technical minded person would get used too. With computers, your always dealing with code and programs, you have no idea what's in the .exe file. Even if you have the source code for a program, the chances are, they would not be able to spot a virus or whatever. This is where Anti-Virus programs, and intelligent warning systems come in, so the non-technical user doesn't have to be deprived of trying out scripts/programs. Sockets and COM, and maybe file manipulation should really be added to the disableable commands... The average popup-sharing newbie doesn't need the risk.
Posted By: starbucks_mafia Re: Another idea ;-) - 07/06/03 05:17 PM
If someone would run a script without having any idea what it contained would they be any less likely to stop a script when a warning came up saying that it was trying to make use of COM objects? I doubt it. The scripter could just put in the readme file that if a warning pops up the user must click yes for the script to work. People who will run things without checking them will almost inevitably do whatever they're told by strangers. An exe file is different because it is by nature closed-source, and anti-virus programs are made to look for viruses in them. The number of mIRC script related false positives and succesful mIRC script trojans just goes to show how inadequate AV software is when it comes to mIRC.

Quick list of the commands available in mIRC scripting that could be used for backdoors: /sock*, /dll, /run, $dll, /bwrite, /bread, $com, /com*, on TEXT, on NOTICE, /remove, /rename, $read, /write*, $*code, /dcc*, /savebuf, /loadbuf, /play, $cb.

And those are just things I came up with that I would consider 'dangerous'. To remove creation of unwitting spam bots and the like you're gonna have to remove /while, /timer and /goto aswell. Hell, you'd have to remove all methods of output entirely.

My point being that if someone doesn't have the know-how and doesn't know anyone trustworthy who does then they probably should miss out on certain scripts.
Posted By: saxon Re: Another idea ;-) - 07/06/03 05:49 PM
Yeah I wasn't really supporting the idea of the warning message, I was however supporting the idea that COM can be harmful. As harmful as /dll and /run ... So why not give it the same option to be disabled?

It wouldn't be an impossible task to disable other harmful commands, mIRC's library isn't that vast. But COM is a specific problem, Seeing as at the end of the day, it doesn't matter what you disable in mIRC, a user can most probably use COM support to do it.

Weve already seen that COM write to the registry "with utmost ease", and Im sure you don't need me to repeat all the fears people have about that.
Posted By: codemastr Re: Another idea ;-) - 07/06/03 05:57 PM
Not to mention since COM support will allow you to access the registry, you can use COM to turn off lock settings, so if COM is allowed, even if every other dangerous command is not, you can just edit the registry and delete the key that stores the "lock" options.
© mIRC Discussion Forums