<div><a href="http://aluigi.org/search.php?src=sv_allowdownload">http://aluigi.org/search.php?src=sv_allowdownload</a><br></div><div><a href="http://www.securityfocus.com/archive/1/archive/1/433349/100/0/threaded">http://www.securityfocus.com/archive/1/archive/1/433349/100/0/threaded</a></div>
<div><br></div><div>At least there have been a bug like this and it's severe. That second news says that you can get any file on the server which is readable by the game-server user. This is really worth of checking if the same bug still exist and makes all servers vulnerable. Not only the game-server files are in danger but also the whole server if the user isn't chrooted properly.</div>
<br><div class="gmail_quote">2010/1/20 Geoff Goas <span dir="ltr"><<a href="mailto:gitman@gmail.com">gitman@gmail.com</a>></span><br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
i know the difference here. the console log lines clearly stated (paraphrased) 'clientDownload <clientnum> : beginning "fs_game/server.cfg"'.<br><br>only IWD's are contained in my HTTP redirect path.<div>
<div class="h5"><br>
<br><div class="gmail_quote">On Wed, Jan 20, 2010 at 3:32 AM, B.M. Schiltmans <span dir="ltr"><<a href="mailto:b.m.schiltmans@planet.nl" target="_blank">b.m.schiltmans@planet.nl</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left:1px solid rgb(204, 204, 204);margin:0pt 0pt 0pt 0.8ex;padding-left:1ex">
I highly doubt that this is exploited trough the game. The way I see it:<br>
- You connect to some server with http-redirect enabled, and note or memorize the http location that the downloads come from.<br>
- Start a browser, and go to the http-redirect-site<br>
- If you're 'lucky', you can see the cfg-files, either by browsing the directories, or by guessing the .cfg name(s)<br>
<br>
As an admin this can easily be prevented by any of the following:<br>
- Don't store config-files on the http-redirect, in fact, just store files there that actually need to be downloaded. Of course this only works if you have an separate redirect-space.<br>
- Instruct your webserver to not allow acces to thing like .cfg, .txt, etc etc<br>
- As an extra security/obscurity, just disable directory-browsing. Let's not make anyone any smarter than they need to be ;-)<br>
<br>
That should do the trick. Oh and one more thing (I learned the hard way), NEVER EVER use the rcon password for something like an os-user. IF someone finds out the password,.....<br>
<br>
As a sidenote for clan-based servers. Clans often want to update their usermaps all at once instead of on every map change. In this case the http-redirect is not ideal, so we use rsync to do that. When the server has updated maps, I send an email, and all they have to do is click some desktop-icon to update their own set. We implemented is because cod5 crashes a lot when it has to get an updated version of some map.<br>
<br>
Grtz<br>
Bram<br>
<br>
<br>
Tomé Duarte wrote:<br>
<blockquote class="gmail_quote" style="border-left:1px solid rgb(204, 204, 204);margin:0pt 0pt 0pt 0.8ex;padding-left:1ex"><div>
I believe when you're using HTTP redirect the gameserver automatically redirects all downloads to the configured URL. However, a custom application to exploit this misconfiguration may somehow be able to download the server.cfg; this depends on the server code but it's highly probable that it redirects the request to the webserver.<br>
<br>
Does anyone have any more info on this vuln? Is it just the sv_allowdownload cvar or are there any other "requirements"? Is there a published vuln report or exploit?<br>
<br>
Cheers,<br>
Tomé Duarte<br>
<br>
Connect with me via:<br>
Twitter: <a href="http://twitter.com/tomeduarte" target="_blank">http://twitter.com/tomeduarte</a><br>
LinkedIn: <a href="http://www.linkedin.com/in/tduarte" target="_blank">http://www.linkedin.com/in/tduarte</a><br>
<br>
<br></div><div>
On Wed, Jan 20, 2010 at 1:04 AM, Geoff Goas <<a href="mailto:gitman@gmail.com" target="_blank">gitman@gmail.com</a> <mailto:<a href="mailto:gitman@gmail.com" target="_blank">gitman@gmail.com</a>>> wrote:<br>
<br>
I do... I was under the impression that sv_allowdownload had to be<br>
enabled in order for HTTP redirect to work. Is that not the case?<br>
<br>
<br>
On Mon, Jan 18, 2010 at 7:36 PM, Mavrick Master<br></div><div>
<<a href="mailto:mavrick.master@gmail.com" target="_blank">mavrick.master@gmail.com</a> <mailto:<a href="mailto:mavrick.master@gmail.com" target="_blank">mavrick.master@gmail.com</a>>> wrote:<br>
<br>
Do you have the http redirect setup?<br>
<br>
If not, may I suggest you set this up and in the off-server<br>
http location only store the mod and not your config files.<br>
This should solve your problem.<br>
<br>
<br>
Daniel 'mavrick' Lang<br></div>
<a href="http://www.mavrick.id.au" target="_blank">www.mavrick.id.au</a> <<a href="http://www.mavrick.id.au" target="_blank">http://www.mavrick.id.au</a>><div><br>
<br>
<br>
On Sun, Jan 17, 2010 at 2:45 PM, Geoff Goas <<a href="mailto:gitman@gmail.com" target="_blank">gitman@gmail.com</a><br></div><div>
<mailto:<a href="mailto:gitman@gmail.com" target="_blank">gitman@gmail.com</a>>> wrote:<br>
<br>
That's correct.<br>
<br>
<br>
On Mon, Jan 11, 2010 at 7:25 PM, Mavrick Master<br>
<<a href="mailto:mavrick.master@gmail.com" target="_blank">mavrick.master@gmail.com</a><br></div><div>
<mailto:<a href="mailto:mavrick.master@gmail.com" target="_blank">mavrick.master@gmail.com</a>>> wrote:<br>
<br>
The client auto-download was used because I presume<br>
you are running a mod?<br>
<br>
Daniel 'mavrick' Lang<br></div>
<a href="http://www.mavrick.id.au" target="_blank">www.mavrick.id.au</a> <<a href="http://www.mavrick.id.au" target="_blank">http://www.mavrick.id.au</a>><div><br>
<br>
<br>
<br>
On Thu, Dec 31, 2009 at 11:15 PM, Hannu Kumpeli<br></div>
<<a href="mailto:hannu@shadowstyle.nl" target="_blank">hannu@shadowstyle.nl</a> <mailto:<a href="mailto:hannu@shadowstyle.nl" target="_blank">hannu@shadowstyle.nl</a>>><div><div>
<br>
wrote:<br>
<br>
well after they got the rcon pass they could<br>
change all non write protected<br>
<br>
> But they could only download and view, not<br>
edit.correct?<br>
><br>
><br>
><br>
> From: Geoff Goas [mailto:<a href="mailto:gitman@gmail.com" target="_blank">gitman@gmail.com</a><br>
<mailto:<a href="mailto:gitman@gmail.com" target="_blank">gitman@gmail.com</a>>]<br>
> Sent: Thursday, December 31, 2009 1:03 AM<br>
> To: Call of Duty server admin list.<br>
> Subject: [cod] A word of advice<br>
><br>
><br>
><br>
> This may not be news to some, but I just first<br>
hand experience with it, so I<br>
> think I should share....<br>
><br>
> Someone just gained access to the RCON password<br>
for my CoD2 server.<br>
> Apparently, they were able to use the client<br>
auto-download functionality to<br>
> download my server configuration, which I<br>
(stupidly) had named "server.cfg".<br>
><br>
> So a word to the wise - name your server config<br>
in such a way that nobody<br>
> can guess what it is. This is a Q3 engine bug,<br>
so the whole series is<br>
> affected.<br>
> --<br>
> Geoff Goas<br>
> Network Engineer<br>
><br>
> _______________________________________________<br>
> cod mailing list<br></div></div>
> <a href="mailto:cod@icculus.org" target="_blank">cod@icculus.org</a> <mailto:<a href="mailto:cod@icculus.org" target="_blank">cod@icculus.org</a>><div><br>
> <a href="http://icculus.org/mailman/listinfo/cod" target="_blank">http://icculus.org/mailman/listinfo/cod</a><br>
<br>
_______________________________________________<br>
cod mailing list<br></div>
<a href="mailto:cod@icculus.org" target="_blank">cod@icculus.org</a> <mailto:<a href="mailto:cod@icculus.org" target="_blank">cod@icculus.org</a>><div><br>
<a href="http://icculus.org/mailman/listinfo/cod" target="_blank">http://icculus.org/mailman/listinfo/cod</a><br>
<br>
<br>
<br>
_______________________________________________<br>
cod mailing list<br></div>
<a href="mailto:cod@icculus.org" target="_blank">cod@icculus.org</a> <mailto:<a href="mailto:cod@icculus.org" target="_blank">cod@icculus.org</a>><div><br>
<a href="http://icculus.org/mailman/listinfo/cod" target="_blank">http://icculus.org/mailman/listinfo/cod</a><br>
<br>
<br>
<br>
<br>
-- Geoff Goas<br>
Network Engineer<br>
<br>
_______________________________________________<br>
cod mailing list<br></div>
<a href="mailto:cod@icculus.org" target="_blank">cod@icculus.org</a> <mailto:<a href="mailto:cod@icculus.org" target="_blank">cod@icculus.org</a>><div><br>
<a href="http://icculus.org/mailman/listinfo/cod" target="_blank">http://icculus.org/mailman/listinfo/cod</a><br>
<br>
<br>
<br>
_______________________________________________<br>
cod mailing list<br></div>
<a href="mailto:cod@icculus.org" target="_blank">cod@icculus.org</a> <mailto:<a href="mailto:cod@icculus.org" target="_blank">cod@icculus.org</a>><div><br>
<a href="http://icculus.org/mailman/listinfo/cod" target="_blank">http://icculus.org/mailman/listinfo/cod</a><br>
<br>
<br>
<br>
<br>
-- Geoff Goas<br>
Network Engineer<br>
<br>
_______________________________________________<br>
cod mailing list<br></div>
<a href="mailto:cod@icculus.org" target="_blank">cod@icculus.org</a> <mailto:<a href="mailto:cod@icculus.org" target="_blank">cod@icculus.org</a>><div><br>
<a href="http://icculus.org/mailman/listinfo/cod" target="_blank">http://icculus.org/mailman/listinfo/cod</a><br>
<br>
<br>
------------------------------------------------------------------------<br>
<br>
_______________________________________________<br>
cod mailing list<br>
<a href="mailto:cod@icculus.org" target="_blank">cod@icculus.org</a><br>
<a href="http://icculus.org/mailman/listinfo/cod" target="_blank">http://icculus.org/mailman/listinfo/cod</a><br>
<br>
</div></blockquote><div><div>
_______________________________________________<br>
cod mailing list<br>
<a href="mailto:cod@icculus.org" target="_blank">cod@icculus.org</a><br>
<a href="http://icculus.org/mailman/listinfo/cod" target="_blank">http://icculus.org/mailman/listinfo/cod</a><br>
</div></div></blockquote></div><br><br clear="all"><br></div></div><font color="#888888">-- <br>Geoff Goas<br>Network Engineer<br>
</font><br>_______________________________________________<br>
cod mailing list<br>
<a href="mailto:cod@icculus.org">cod@icculus.org</a><br>
<a href="http://icculus.org/mailman/listinfo/cod" target="_blank">http://icculus.org/mailman/listinfo/cod</a><br>
<br></blockquote></div><br>