Type packetstorm
Reporter Packet Storm
Modified 1999-08-17T00:00:00


                                            `Date: Tue, 8 Jun 1999 22:49:35 -0400  
From: Rich Lafferty <rich@ALCOR.CONCORDIA.CA>  
To: BUGTRAQ@netspace.org  
Subject: mIRC 5.6 automatic URL loading  
[This one stunned me. I triple-checked and tested more than I'd  
usually test because I can't believe anyone would implement something  
so ridiculous. Perhaps I'm just optimistic. Anyhow, moving on:]  
About a week ago, mIRC 5.6 was released. Amongst other new features,  
it includes the following (from the changelog, versions.txt):  
40.Added "Track Urls" switch to System menu in Channel/Query windows,  
auto-opens websites as they are mentioned in a window.  
With the cooperation of an mIRC user (thanks Lindy_!), I found that it  
does exactly as it says -- when it's enabled, mIRC happily tells  
Netscape (and presumably IE, if that's the Default Browser) to open  
any URLs that it sees.  
Now, I don't actively pay attention to the various Windows-browser  
exploits that appear here, so I suspect the diligent bugtraq reader  
will come up with ickier things to do with this than I, but just off  
the top of my head:  
* linking to /dev/zero and letting the mIRC user's hard drive fill  
* Banners, banners, banners.  
* Trojan or virus-infected things, especially if the browser  
autoexecutes them.  
* http://some.host.name:19/  
* flood an IRC channel with URLs, causing the browser to try to  
load them up sequentially  
Anyhow, wide open. Whatever you can put in a URL, mIRC will devotedly  
tell your default browser to load up.  
It's basically reached the point now where any release of mIRC which  
isn't a patchlevel increment contains a significant vulnerability,  
which is then patched in a patchlevel-increment release between a week  
and a month later. That is, 5.5's dcc-server bug brought a quick 5.51,  
5.4's $calc bug, 5.3 and hanson.c, and 5.2's "mIRC worm", which takes  
us back to the beginning of the bugtraq archive on geek-girl.com.  
Looking at versions.txt, it seems that nearly every mIRC release x.x  
has been followed up by an x.x1 or x.x2 bugfix within a few weeks of  
its release all the way back to 3.92. (Prior to 3.92, the release  
schedule seemed to be characteristic of known-beta-quality software; I  
recall 3.92 being basically when mIRC hit the "big time", too.)  
Obviously, these non-bugfix releases are being consistently released  
prematurely. Just take a look at the release dates at  
http://www.mircscripts.com/old/ -- something is *certainly* awry.  
mIRC is beta-tested by a small, closed group. It's also the most  
popular IRC client in the world. History seems to indicate that  
whatever testing takes place isn't anywhere near sufficient. Users  
are conditioned to rush for the newest release as soon as it's  
available. Perhaps the rush to get that release out is being  
prioritized, intentionally or accidentally, over making sure that  
the program is reasonably secure?  
Certainly, no-one's reviewing code; it seems that they're not even  
thinking through the implementations of newly-introduced  
*concepts*. Perhaps it's time to revise the testing procedures --  
drastically, even? -- to catch these problems before letting them  
loose on the huge, dedicated userbase?  
Rich Lafferty ---------------------------------------------------------  
IITS/Computing Services | "How should I know if it works? That's what  
Concordia University | beta testers are for. I only coded it" -LT  
rich@alcor.concordia.ca ----------------------------------------[McQ]--  
Date: Wed, 9 Jun 1999 09:26:42 +0200  
From: Tjerk Vonck <mirc@DDS.NL>  
To: BUGTRAQ@netspace.org  
Subject: Re: mIRC 5.6 automatic URL loading  
At 22:49 08-06-99 -0400, Rich Lafferty <rich@alcor.concordia.ca> wrote:  
>About a week ago, mIRC 5.6 was released. Amongst other new features,  
>it includes the following (from the changelog, versions.txt):  
>40.Added "Track Urls" switch to System menu in Channel/Query windows,  
> auto-opens websites as they are mentioned in a window.  
Wait a sec; There is no general option to enable tracking in all channels  
and/or all query windows. You have to switch it on on a per user (nick) or  
channel base. May we assume people will only do this on channels were they  
feel home and/or with other user they know personally and trust?  
There is no *big red button* to enable this minor gimmick.. It is an option  
in the 'System Menu' (in the top left hand corner of a window) together  
with other things like logging and timestamping.  
>With the cooperation of an mIRC user (thanks Lindy_!), I found that it  
>does exactly as it says ..  
Yes, of course, otherwise it would be buggy. In all exploit examples you  
thought of it is simply a matter of disabling the URL tracking you have set  
active for the channel or query. End of problem.  
The new mIRC version 5.6 is available now! A new IRC Intro is  
included, as well as a fresh list of IRC servers. Have fun with  
this new mIRC! Read more about mIRC on one of the mIRC WWW pages:  
http://www.mirc.co.uk United Kingdom <- mIRC's Homesite  
http://www.geocities.com/~mirc/ USA <- mIRC's US mirror  
http://www.nip.nl/mirc/ The Netherlands  
http://www.mirc.queen.it/ Italy  
http://mirc.kems.net/ Kuwait  
http://www.mirc.com.ar/ Argentina  
http://www.conesul.com.br/mirc/ Brazil  
http://www.mirc.co.za/ South Africa  
http://mirc.eon.net.au/ Australia  
These pages give a lot of hints and help on mIRC and IRC. Make  
sure to read the mIRC FAQ which is distributed separately from  
mIRC. The FAQ answers a LOT of questions and includes a tutorial  
on Aliases, Popups and on 'programming' mIRC's Tools/Remote  
Included in mIRC's distribution is an IRC Intro. Look in the  
Help/Contents menu in mIRC for looots of help on IRC and  
solutions to its most common quirks and problems. At  
http://www.mirc.co.uk/servers.ini you can find the most recent  
list of IRC servers.