Invision 2, build 1816 Major Security Hole


Recommended Posts

Just saw this over at the Invision MIRC Script site at http://invision.lebyte.com/

I was just informed of a serious bug in the latest build 1816 of 2.0 (and only that build) that you need to be aware of. The bug is with the new feature "/msg history revive" which comes enabled by default. This security hole is extreme and you must uncheck (disable) the feature immediately to protect yourself. You will find this option located in Main Settings (off of the Invision Menu on the mIRC menu bar) > General Tab > and at the bottom section just above the Active Help box you see the frame for 'Miscellaneous' options. Along the top row in the area you will find it. Once again this is only in Build 1816. Please note that this was truly a bug and not intentional and I apologize for this error. I am working on a new release as well as a new hosting site for the files as well. I have been working a lot of hours and have been very busy. It seems Cyberwings has vanished or something as I have been unable to get a response from them for weeks now. :(

Solution :

Version 2.0 Build 1816 is backdoored and allows people to run arbitrary commands on your mIRC, such as /quit or /ns set passwd and the like.

Make sure Message History is turned off, or alternatively delete line 385 from imisc.mrc which is the following:

if ($r.set(Invision,msgHistory) == On) { .timer 1 0 msghistory $nick $1- }

Version 2.0 Build 1804 and earlier do not have this backdoor, since there was no Message History.

Link to comment
Share on other sites

Not fussed about that stuff when I am at uni, they have blocked any IRC and Messenger / Trillain ports anywa, so I can't test it from here....

Anyone know a way around this ?

Link to comment
Share on other sites

This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.