I. BACKGROUND

mIRC is "a friendly IRC client that is well equipped with options and 
tools"

More information about the application is available at 
http://www.mirc.com

II. DESCRIPTION

The DCC GET dialog has a limited area visible for the filename.
By DCC sending a file with a specially crafted filename it's possible to 
'spoof' a legitimate file. 

III. ANALYSIS

Sending a file which name consists of for example 'me.mpg' + 'about 180 
"alt-0160(fakespace)"' + '.exe' leads the recieving user into believing 
that the file is merely a harmless mpeg file, while it is in fact an 
executable. mIRC has a handy 'open' button upon completion of the dcc, 
so unless the user actually opens the download folder and verifies the
extension of the file, a compromise is possible.

IIIa. MITIGATING FACTORS

If the remote user has DCC ignore enabled this will of course not work.

IV. DETECTION

mirc 6.03 and below has been found vulnerable.

V. WORKAROUND

unknown

VI. VENDOR FIX

unknown

VII. CVE INFORMATION

unknown

VIII. DISCLOSURE TIMELINE

unknown

IX. CREDIT

Knud Erik Højgaard/kokanin[a]dtors.net