Security Warning
CheesyPeteza
Join Date: 2002-11-24 Member: 9784Members, NS1 Playtester, Constellation
<div class="IPBDescription">All server admins read please</div>
Someone just posted to the hlds mailing list how to download any file from a server with sv_allowdownload 1 from the mod folder and above, plus valve folder and above.
This means they can download server.cfg, addons/amx/users.ini, your log files, anything they want.
I suggest you set sv_allowdownload to 0 immediately. (note the server.cfg included with ns incorrectly spells the command sv_allowdownload<b>s</b>). Also change your rcon password just in case someone has already taken it from one of your config/log files.
To do this it only takes a very simple console command on the client that any fool could do. I suggest you take action immediately.
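As an added example (not from the original post or from Valve/Natural Selection), here is a small audit script a server admin could run over a server.cfg to catch the two problems the post describes: the misspelled `sv_allowdownloads` line that the engine silently ignores, and `sv_allowdownload` left at anything other than 0. The sample config embedded below is constructed for the example; `parse_cfg`, `audit_downloads` and `harden` are names chosen here, not engine or plugin APIs.

```python
import re
from typing import Dict, List

# Constructed sample config, mimicking the shape of a Half-Life server.cfg
# (including the misspelled cvar the post mentions). Not a file from the page.
SAMPLE_CFG = """\
// server.cfg (constructed example)
hostname "My NS Server"
rcon_password "changeme"
sv_allowdownloads 1   // misspelled: the engine ignores this line entirely
sv_send_logos 1
sv_send_resources 1
"""

# A cvar line is: name, whitespace, then a quoted or bare value.
CVAR_RE = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_]*)\s+("[^"]*"|\S+)')


def parse_cfg(text: str) -> Dict[str, str]:
    """Return the last value assigned to each cvar, ignoring // comments and blank lines."""
    cvars: Dict[str, str] = {}
    for line in text.splitlines():
        code = line.split("//", 1)[0].strip()
        if not code:
            continue
        m = CVAR_RE.match(code)
        if m:
            cvars[m.group(1).lower()] = m.group(2).strip('"')
    return cvars


def audit_downloads(text: str) -> List[str]:
    """List the download-related problems found in a server.cfg (empty list = nothing found)."""
    findings: List[str] = []
    cvars = parse_cfg(text)
    if "sv_allowdownloads" in cvars:
        findings.append("typo: 'sv_allowdownloads' is not a cvar and has no effect; use sv_allowdownload")
    value = cvars.get("sv_allowdownload")
    if value is None:
        findings.append("sv_allowdownload is not set here; set it to 0 explicitly instead of relying on the engine default")
    elif value != "0":
        findings.append(f"sv_allowdownload {value}: clients may use the download command; set it to 0")
    return findings


def harden(text: str) -> str:
    """Return the config with the misspelled line replaced and sv_allowdownload forced to 0."""
    out: List[str] = []
    seen = False
    for line in text.splitlines():
        code = line.split("//", 1)[0].strip()
        m = CVAR_RE.match(code) if code else None
        if m and m.group(1).lower() in ("sv_allowdownload", "sv_allowdownloads"):
            if not seen:
                out.append("sv_allowdownload 0")
                seen = True
            continue  # drop the misspelled line and any duplicate settings
        out.append(line)
    if not seen:
        out.append("sv_allowdownload 0")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for finding in audit_downloads(SAMPLE_CFG):
        print("FINDING:", finding)
    print("--- hardened config ---")
    print(harden(SAMPLE_CFG), end="")
```

Run it against the real server.cfg by reading the file into `audit_downloads`; an empty result means the misspelling is gone and `sv_allowdownload` is explicitly 0. The rcon password change the post recommends still has to be done by hand.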
Comments
All it'd take would be some lamer to keep downloading it and retrying to DoS your server.
sv_allowdownload 0
sv_send_logos 1
sv_send_resources 1
Would this allow custom decals to exist, and also allow people to download maps and other goodies when the map changes and they don't currently have them? IE, all of the cases where you want downloads to occur but still disable the download command so as to thwart this exploit?
Has anyone tried the above config and seen it work okay?
NM- I RTFM
Any news about a "hlds_l_3111e_update.tar.gz"?
Cheers, Glenn.
Yet another reason to upgrade to steam. Not that I'm saying it's perfect/good.
<blockquote><b>QUOTE</b><br>
We have released an updated dedicated server engine binary. This update
fixes the exploit published by SYZo[SND] (release on Wednesday). The
update also contains a fix for kick messages not being displayed in the
UI properly.
This release is not mandatory so you will need to manually update at
your convenience.
A full changelog can be viewed at:
Windows <a href='http://www.steampowered.com/platform/update_history/Dedicated%20Server.html' target='_blank'>http://www.steampowered.com/platform/update_history/Dedicated%20Server.html</a>
Linux <a href='http://www.steampowered.com/platform/update_history/Linux%20Dedicated%20Server.html' target='_blank'>http://www.steampowered.com/platform/update_history/Linux%20Dedicated%20Server.html</a>
<b>A fix for 3.1.1.1 (WON) is in progress, for now make sure you set
"sv_allowdownload 0" on your 3.1.1.1 (WON) servers.</b>
- Alfred</blockquote>
<blockquote><b>QUOTE</b><br>
<b>A fix for 3.1.1.1 (WON) is in progress, for now make sure you set
"sv_allowdownload 0" on your 3.1.1.1 (WON) servers.</b>
- Alfred</blockquote>
Any news?
Cheers, Glenn.
<blockquote><b>QUOTE</b><br>
sv_allowdownload 0
sv_send_logos 1
sv_send_resources 1
Would this allow custom decals to exist, and also allow people to download maps and other goodies when the map changes and they don't currently have them? IE, all of the cases where you want downloads to occur but still disable the download command so as to thwart this exploit?
Has anyone tried the above config and seen it work okay?</blockquote>
If you set sv_allowdownload 0, this overrides and disables the sv_send_ cvars....
Better try:
sv_allowdownload 1
sv_send_logos 1
sv_send_resources 0
But I don't know if this is a valid workaround for the exploit...