the bug was found in chattr function, it allow users who has a flag +o ( global or on channel, it doesn't matter ), to become a bot master or a owner very easilly. I strongly recommend you to change these rows :
bind pub o|o [string trim $lol(cmdchar)]chattr pub_lol_chattr
bind msg o|o chattr msg_lol_chattr
to :
bind pub n|n [string trim $lol(cmdchar)]chattr pub_lol_chattr
bind msg n|n chattr msg_lol_chattr
so this function now can use only user who has the +n flag. If someone wants to rewrite this function i can say how this bug is working.
I think this is the first post about this bug here.. Thank for your attention
It looks like this script is no longer in production, so I will package it up, and send it on to slennox for inclusion in the archive.
If there are any others, that find security bugs in scripts from the archive, please report them (it's like you to give me all you money, but what the hell) here. I will try my best (as will the tohers), to make bug fixes, and get them included in the Tcl archive.