[cod] Cfg download hacking
Morpheus
morpheus at clantoc.org
Tue Sep 14 14:48:47 EDT 2010
I have one question: I have these dvars in my server cfg
set sv_allowdownload "1"
seta sv_wwwDownload "1"
seta sv_wwwBaseURL "http://whaterver_you_wnat.com/cod"
seta sv_wwwDlDisconnected "1"
If you put the allowdownload to 0, does it disable the www capability?
If we could restrict the download part to http downloading, things could
be easier to cope with.
On 14/09/2010 20:44, Nosjp Nosjp wrote:
> @Marco:
>
> If you have a server
> - without custom maps/mods/pam -> disable downloads: seta sv_allowDownload "0"
> - with custom maps/mods/pam -> disable game console (set sv_disableClientConsole "1") + random .cfg name
>
>
>
> On Tue, Sep 14, 2010 at 9:37 PM, Sheepa <sheepa at sheepa.org> wrote:
>
> Is there even any working POC for this?
>
> --------------------------------------------------
> From: "Marco Padovan" <evolutioncrazy at gmail.com>
> Sent: Tuesday, September 14, 2010 8:14 PM
> To: "Call of Duty server admin list." <cod at icculus.org>
> Subject: Re: [cod] Cfg download hacking
>
> I see...
>
> will take the "random cfg filename" path as all other workarounds are
> not acceptable for my use :(
>
> On Tue, Sep 14, 2010 at 8:01 PM, Morpheus <morpheus at clantoc.org> wrote:
>
> I think iptables is too low-level to deal with such specific hack attempts.
> At least you can use it to ban IP addresses you catch... It's sad it has not
> been fixed since discovery, with all the games that are using the codebase...
>
> On 14/09/2010 19:32, Marco Padovan wrote:
>
> I'm aware of the exploits... was looking for some suggestion on how to
> fix them... even via iptables eventually...
>
> On Tue, Sep 14, 2010 at 6:56 PM, James Landi <jim at landi.net> wrote:
>
> The exploit I just posted about could be an older version or not the same
> as described in this mail list thread.
>
> using the second link should give you a good list of quake based exploits
> you may want to watch for.
>
> Sorry for the wrong link
>
> Jim Landi
> Rudedog
> FPSadmin.com
> Microsoft MVP, Games for Windows | Twitter@
> therealrudedog
>
>
> On 9/14/10 12:25 PM, Morpheus wrote:
>
> We're talking about the built-in download system, not the http redirect
> one, which you can control with symlinks and htaccess features. It's about a
> security hole that virtually exists in all q3-based games (at least for the
> net code).
>
> On 14/09/2010 18:21, Mavrick wrote:
>
> Anyone tried symbolic links?
>
> On 14/09/2010 3:11 AM, Nosjp Nosjp wrote:
>
> The only one solution: set sv_allowDownload "0"
>
> On Mon, Sep 13, 2010 at 7:45 PM, Marco Padovan <evolutioncrazy at gmail.com> wrote:
>
> We are having major hack attempts that consist in people
> downloading the cfg files.... currently we had to use random
> file names...
>
> is there any solid work around?
>
>
>
> _______________________________________________
> cod mailing list
> cod at icculus.org
> http://icculus.org/mailman/listinfo/cod
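An added example, not part of the thread or of the game's own tooling: a small Python check that reads a server cfg in the `set`/`seta` form quoted above and applies the two cases Nosjp describes (no custom content: downloads off; custom content: client console disabled plus a non-obvious cfg name). The finding codes, the `PREDICTABLE` file-name list and the case-insensitive matching of dvar names are assumptions of this example.

```python
import re

# `set` / `seta` assignment; the value is quoted (as in the thread) or a bare token.
ASSIGN = re.compile(r'^\s*seta?\s+(\S+)\s+(?:"([^"]*)"|(\S+))', re.IGNORECASE)

# Assumption: file names an outsider would try first. Not taken from the thread.
PREDICTABLE = {"server.cfg", "config.cfg", "dedicated.cfg"}

def parse_cfg(text):
    """Map lower-cased dvar name -> value; a later assignment wins."""
    dvars = {}
    for line in text.splitlines():
        m = ASSIGN.match(line)  # `//` comment lines simply do not match
        if m:
            # Take the value from inside the quotes so the `//` in a URL
            # such as sv_wwwBaseURL is not mistaken for a comment.
            value = m.group(2) if m.group(2) is not None else m.group(3)
            dvars[m.group(1).lower()] = value
    return dvars

def audit(text, cfg_name, custom_content):
    """Return finding codes for the two cases described in the thread."""
    d = parse_cfg(text)
    findings = []
    if not custom_content:
        # Unset is reported too: only an explicit "0" counts as disabled here.
        if d.get("sv_allowdownload") != "0":
            findings.append("downloads-not-disabled")
    else:
        if d.get("sv_disableclientconsole") != "1":
            findings.append("client-console-enabled")
        if cfg_name.lower() in PREDICTABLE:
            findings.append("predictable-cfg-name")
    return findings

# Constructed sample: the dvars from the message above, plus a comment line.
SAMPLE = '''
// downloads
set sv_allowdownload "1"
seta sv_wwwDownload "1"
seta sv_wwwBaseURL "http://whaterver_you_wnat.com/cod"
seta sv_wwwDlDisconnected "1"
'''

if __name__ == "__main__":
    print(parse_cfg(SAMPLE))
    print(audit(SAMPLE, "server.cfg", custom_content=True))
    print(audit(SAMPLE, "server.cfg", custom_content=False))
```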