Exploit
pique
Join Date: 2002-11-21 Member: 9541 Members
To all server admins. There is an exploit out there that allows a user to download any file off of the server...including server.cfg and any users.ini file you have. There are several ways to fix this:
1. sv_allowdownload 0. This is the perfect fix except that clients can't download custom maps or sounds. Unfortunate, but a lot better than having your rcon stolen.
2. Don't set an rcon password, make sure you use only WONIDs in the users.ini (this should ALWAYS be done) and use amx or adminmod to do rcon commands. This works except for the fact that exploiters can still crash the server by requesting large files.
3. Change your default config to a cfg other than server.cfg...I'm not sure of the exact command to do this, but you can make, for example, onosdiehaha.cfg your default server config. If exploiters don't know what file to download...they can't download it. Again, as in #2, exploiters can still crash the server.
Choose what you want to do. I suggest #1, but...it's not my call.
Oh, and please don't PM me or anything...I'm not telling anyone the exploit...except maybe Flayra...but I'm sure he knows about it.
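As an added example (not code from the original post or anyone in the thread), here is a small Python audit script that checks a Half-Life server.cfg and users.ini for the settings the post lists: sv_allowdownload not set to 0, an rcon_password stored in the config file, and users.ini entries that are name-based or carry a password. The users.ini layout (WONID or name, password, access level, separated by colons) is assumed from AdminMod's format, and both sample files below are constructed.

```python
"""Audit server.cfg and users.ini for the weak settings discussed above.

Added example; not part of the original post. The users.ini field layout
(identifier:password:access) is an assumption based on AdminMod's format.
"""

# Constructed sample server.cfg with both weak settings present.
SAMPLE_SERVER_CFG = """\
hostname "My NS Server"     // server name
sv_allowdownload 1          // clients may request files from the server
rcon_password "hunter2"     // secret sits in a file a client could fetch
"""

# Constructed sample users.ini (assumed AdminMod layout).
SAMPLE_USERS_INI = """\
; identifier:password:access
12345678::131071
pique:pass:131071
"""


def parse_cvars(cfg_text):
    """Return {cvar_name: value} from a server.cfg, ignoring // comments."""
    cvars = {}
    for raw in cfg_text.splitlines():
        line = raw.split("//", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        name = parts[0].lower()
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        cvars[name] = value
    return cvars


def audit_server_cfg(cfg_text):
    """List findings for a server.cfg: downloads enabled, rcon secret on disk."""
    cvars = parse_cvars(cfg_text)
    findings = []
    # Fix #1 from the post: only an explicit 0 closes the file-download path.
    if cvars.get("sv_allowdownload") != "0":
        findings.append("sv_allowdownload is not 0: clients can request files")
    # Fix #2 from the post: an rcon_password in the config is lost if the
    # file itself can be downloaded.
    if cvars.get("rcon_password"):
        findings.append("rcon_password is set in the config file")
    return findings


def audit_users_ini(ini_text):
    """List findings for users.ini: name-based admins or stored passwords."""
    findings = []
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#", "//")):
            continue
        fields = line.split(":")
        ident = fields[0]
        password = fields[1] if len(fields) > 1 else ""
        # A WONID is numeric; anything else is an impersonatable name.
        if not ident.isdigit():
            findings.append(f"entry '{ident}' is name-based, not a WONID")
        # A password field is a secret that leaks with the file.
        if password:
            findings.append(f"entry '{ident}' stores a password")
    return findings


if __name__ == "__main__":
    for title, result in (
        ("server.cfg", audit_server_cfg(SAMPLE_SERVER_CFG)),
        ("users.ini", audit_users_ini(SAMPLE_USERS_INI)),
    ):
        print(f"{title}: {len(result)} finding(s)")
        for item in result:
            print("  -", item)
```

Run it against the real files by reading them in place of the constructed samples; an empty findings list for server.cfg means downloads are off and no rcon secret is stored there, which is the state the post's fix #1 and fix #2 aim for.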
Comments
2) They already released a server side patch the next day when it was discovered so the exploit is no more.
Please do research before posting.
Also, why so harsh? He's being nice informing people of this. Yes, there was a post about this already, but it's since been buried in other threads. The guy obviously just registered here to inform people about it (his post count indicates this, at least). I think he deserves a little respect.
2) They already released a server side patch the next day when it was discovered so the exploit is no more.
Please do research before posting.
Please do YOUR research before posting. It's not only Steam, TRUST ME on that. The exploit still exists and VERY few servers are secure.
And if there was a post on this already...admins obviously didn't get the picture or didn't check it. I've seen maybe 4 NS servers out of 50 that have it fixed.
which is pretty much what you have accomplished by stealing the rcon from my clan's server