[8622] in bugtraq
Re: Old IRC Client bug Re-Applied
daemon@ATHENA.MIT.EDU (IRCop)
Mon Nov 23 23:43:29 1998
Date: Fri, 20 Nov 1998 18:12:56 -0600
Reply-To: IRCop <StudNo1@dal.net>
From: IRCop <studno1@INTELLEX.COM>
To: BUGTRAQ@NETSPACE.ORG
I need to point out the facts about Pirch. With the release of Pirch 1.0
that problem is fixed on new installs. Pirch creates the subdirectory for
the downloads and sets it to that in the prefs now. This only applies to new
installs, not upgrades. People upgrading will have to create a
download directory and set it in their prefs. I would hope that none of the
Pirch users would be downloading their stuff to the system dir of Pirch
anyway... Hope that helps clarify this string.
StudNo1
Dalnet IRCop
-----Original Message-----
From: Security Admin <admin@ATECH.ORG>
To: BUGTRAQ@netspace.org <BUGTRAQ@netspace.org>
Date: Friday, November 20, 1998 1:42 PM
Subject: Re: Old IRC Client bug Re-Applied
>As far as I knew, Pirch development was discontinued quite some time ago
>(although going to the official home page now reveals they've got a new
>domain), so if that's the case, fixing this bug will be up to the
>individual user.. although the VAST majority of Windows IRC users use mIRC
>anyway...
>
>-pat
>
>On Thu, 12 Nov 1998, rewt@midsouth.rr.com wrote:
>
>> If this has already been announced, well, screw me.
>>
>> Problem:
>> The IRC (Internet Relay Chat) Client, pIRCh automatically assigns
>> your main pirch directory to where DCC downloads are sent.
>>
>> Exploit:
>> You can replace someone's script file with a malicious one,
>> therefore receiving control over an ignorant irc tenant. This can be
>> done by sending a replacement file via DCC to the user. Most
>> people could tell the user that it was something cool, and they
>> would accept it.
>>
>> Fix:
>> Simply go to Tools.. then Preferences. Flip to the DCC tab and
>> change your default DCC receive directory to something that is not
>> the main pIRCh directory.
>>
>> Tested On:
>> pIRCh32 0.92
>> If there's a new version out that fixes it, well crap, I'm sorry for
>> taking up your time.
>>
>> Cheers,
>> REwT <rewt@midsouth.rr.com>
>> PaKT-TeCH Sekurity | REwT Technologies
>>
>
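
The fix discussed in this thread (a dedicated receive directory) combined with a no-overwrite rule, as an added example that is not part of the original messages and is not Pirch code. The function names, the `client`/`downloads` layout and `script.txt` are hypothetical and constructed for illustration.

```python
import tempfile
from pathlib import Path

def download_dir_is_isolated(install_dir, download_dir):
    """True if download_dir is neither the client's own directory nor a parent of it."""
    install = Path(install_dir).resolve()
    download = Path(download_dir).resolve()
    return download != install and download not in install.parents

def receive_path(download_dir, offered_name):
    """Map a sender-supplied file name to a path in download_dir without
    leaving that directory or replacing a file that is already there."""
    base = Path(download_dir).resolve()
    # The sender controls this string: keep only its last path component.
    name = Path(offered_name.replace("\\", "/")).name
    if name in ("", ".", ".."):
        raise ValueError(f"unusable file name: {offered_name!r}")
    target = base / name
    counter = 1
    while target.exists():
        # Keep both copies; the user decides later what to do with the new one.
        target = base / f"{Path(name).stem}.{counter}{Path(name).suffix}"
        counter += 1
    return target

if __name__ == "__main__":
    # Constructed layout: a client directory holding a script file.
    with tempfile.TemporaryDirectory() as root:
        install = Path(root) / "client"
        downloads = install / "downloads"
        downloads.mkdir(parents=True)
        (install / "script.txt").write_text("original script\n")
        print(download_dir_is_isolated(install, install))
        print(download_dir_is_isolated(install, downloads))
        print(receive_path(downloads, "..\\script.txt"))
```

A caller should still create the returned path with exclusive creation (`open(path, "xb")`), so a file that appears between the check and the write is not replaced.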