I know the difference here. The console log lines clearly stated (paraphrased) 'clientDownload <clientnum> : beginning "fs_game/server.cfg"'.<br><br>Only IWDs are contained in my HTTP redirect path.<br>
<br><div class="gmail_quote">On Wed, Jan 20, 2010 at 3:32 AM, B.M. Schiltmans <span dir="ltr"><<a href="mailto:b.m.schiltmans@planet.nl">b.m.schiltmans@planet.nl</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
I highly doubt that this is exploited through the game. The way I see it:<br>
- You connect to some server with http-redirect enabled, and note or memorize the http location that the downloads come from.<br>
- Start a browser, and go to the http-redirect-site<br>
- If you're 'lucky', you can see the cfg-files, either by browsing the directories, or by guessing the .cfg name(s)<br>
<br>
As an admin this can easily be prevented by any of the following:<br>
- Don't store config-files on the http-redirect; in fact, just store files there that actually need to be downloaded. Of course this only works if you have a separate redirect-space.<br>
- Instruct your webserver to not allow access to things like .cfg, .txt, etc.<br>
- As an extra security/obscurity, just disable directory-browsing. Let's not make anyone any smarter than they need to be ;-)<br>
<br>
That should do the trick. Oh and one more thing (I learned the hard way), NEVER EVER use the rcon password for something like an os-user. IF someone finds out the password,.....<br>
<br>
As a sidenote for clan-based servers. Clans often want to update their usermaps all at once instead of on every map change. In this case the http-redirect is not ideal, so we use rsync to do that. When the server has updated maps, I send an email, and all they have to do is click some desktop-icon to update their own set. We implemented this because cod5 crashes a lot when it has to get an updated version of some map.<br>
<br>
Grtz<br>
Bram<br>
<br>
<br>
Tomé Duarte wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><div class="im">
I believe when you're using HTTP redirect the gameserver automatically redirects all downloads to the configured URL. However, a custom application to exploit this misconfiguration may somehow be able to download the server.cfg; this depends on the server code but it's highly probable that it redirects the request to the webserver.<br>
<br>
Does anyone have any more info on this vuln? Is it just the sv_allowdownload cvar or are there any other "requirements"? Is there a published vuln report or exploit?<br>
<br>
Cheers,<br>
Tomé Duarte<br>
<br>
Connect with me via:<br>
Twitter: <a href="http://twitter.com/tomeduarte" target="_blank">http://twitter.com/tomeduarte</a><br>
LinkedIn: <a href="http://www.linkedin.com/in/tduarte" target="_blank">http://www.linkedin.com/in/tduarte</a><br>
<br>
<br></div><div class="im">
On Wed, Jan 20, 2010 at 1:04 AM, Geoff Goas <<a href="mailto:gitman@gmail.com" target="_blank">gitman@gmail.com</a> <mailto:<a href="mailto:gitman@gmail.com" target="_blank">gitman@gmail.com</a>>> wrote:<br>
<br>
I do... I was under the impression that sv_allowdownload had to be enabled in order for HTTP redirect to work. Is that not the case?<br>
<br>
<br>
On Mon, Jan 18, 2010 at 7:36 PM, Mavrick Master <<a href="mailto:mavrick.master@gmail.com" target="_blank">mavrick.master@gmail.com</a>> wrote:<br></div><div class="im">
<br>
Do you have the http redirect setup?<br>
<br>
If not, may I suggest you set this up and in the off-server http location only store the mod and not your config files. This should solve your problem.<br>
<br>
<br>
Daniel 'mavrick' Lang<br></div>
<a href="http://www.mavrick.id.au" target="_blank">www.mavrick.id.au</a><div class="im"><br>
<br>
<br>
On Sun, Jan 17, 2010 at 2:45 PM, Geoff Goas <<a href="mailto:gitman@gmail.com" target="_blank">gitman@gmail.com</a>> wrote:<br></div><div class="im">
<br>
That's correct.<br>
<br>
<br>
On Mon, Jan 11, 2010 at 7:25 PM, Mavrick Master <<a href="mailto:mavrick.master@gmail.com" target="_blank">mavrick.master@gmail.com</a>> wrote:<br></div><div class="im">
<br>
The client auto-download was used because I presume you are running a mod?<br>
<br>
Daniel 'mavrick' Lang<br></div>
<a href="http://www.mavrick.id.au" target="_blank">www.mavrick.id.au</a><div class="im"><br>
<br>
<br>
<br>
On Thu, Dec 31, 2009 at 11:15 PM, Hannu Kumpeli <<a href="mailto:hannu@shadowstyle.nl" target="_blank">hannu@shadowstyle.nl</a>> wrote:<br></div><div><div></div><div class="h5">
<br>
well after they got the rcon pass they could change all non write protected<br>
<br>
> But they could only download and view, not edit. Correct?<br>
><br>
><br>
><br>
> From: Geoff Goas [mailto:<a href="mailto:gitman@gmail.com" target="_blank">gitman@gmail.com</a>]<br>
> Sent: Thursday, December 31, 2009 1:03 AM<br>
> To: Call of Duty server admin list.<br>
> Subject: [cod] A word of advice<br>
><br>
><br>
><br>
> This may not be news to some, but I just had first hand experience with it, so I think I should share....<br>
><br>
> Someone just gained access to the RCON password for my CoD2 server.<br>
> Apparently, they were able to use the client auto-download functionality to download my server configuration, which I (stupidly) had named "server.cfg".<br>
><br>
> So a word to the wise - name your server config in such a way that nobody can guess what it is. This is a Q3 engine bug, so the whole series is affected.<br>
> --<br>
> Geoff Goas<br>
> Network Engineer<br>
><br>
> _______________________________________________<br>
> cod mailing list<br></div></div>
> <a href="mailto:cod@icculus.org" target="_blank">cod@icculus.org</a><div class="im"><br>
> <a href="http://icculus.org/mailman/listinfo/cod" target="_blank">http://icculus.org/mailman/listinfo/cod</a><br>
<br>
</div><div class="im">
<br>
<br>
<br>
</div><div class="im">
<br>
<br>
<br>
<br>
-- Geoff Goas<br>
Network Engineer<br>
<br>
</div><div class="im">
<br>
<br>
<br>
</div><div class="im">
<br>
<br>
<br>
<br>
-- Geoff Goas<br>
Network Engineer<br>
<br>
</div><div class="im">
<br>
<br>
<br>
</div></blockquote><div><div></div><div class="h5">
</div></div></blockquote></div><br><br clear="all"><br>-- <br>Geoff Goas<br>Network Engineer<br>
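Bram's advice above (serve only the files the client actually needs from the redirect host, refuse .cfg/.txt, and turn off directory listing) as an nginx server block; this is an added illustration, not configuration from anyone in the thread. The hostname and document root are assumptions, and the weak block is shown only to contrast with the hardened one.

```nginx
# Weak: the whole redirect root is served, listings included, so a
# server.cfg dropped next to the .iwd files is one guessable URL away.
server {
    listen 80;
    server_name redirect.example.com;   # assumed hostname
    root /var/www/cod-redirect;         # assumed redirect root
    autoindex on;
}

# Hardened: allow-list the archive types the game client downloads and
# refuse everything else, so a misplaced config file is never reachable.
server {
    listen 80;
    server_name redirect.example.com;   # assumed hostname
    root /var/www/cod-redirect;         # assumed redirect root
    autoindex off;                      # no directory browsing

    # Only game archives: .iwd (CoD2/CoD4/CoD5), .pk3 (other Q3-engine games)
    location ~* \.(iwd|pk3)$ {
        try_files $uri =404;
    }

    # Anything else (server.cfg, .txt, .bak, dotfiles, listings) is refused.
    # A regex location above wins for archive requests; this prefix catches the rest.
    location / {
        return 403;
    }
}
```

Keeping config files out of the redirect directory entirely, as the thread recommends, still matters: this block only limits what the web server will hand out if they end up there anyway.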