<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#ffffff" text="#000000">
    I have one question : I have these dvar in my server cfg<br>
    <br>
    set sv_allowdownload "1"<br>
    seta sv_wwwDownload "1"<br>
    seta sv_wwwBaseURL <a class="moz-txt-link-rfc2396E" href="http://whaterver_you_wnat.com/cod">"http://whaterver_you_wnat.com/cod"</a><br>
    seta sv_wwwDlDisconnected "1"<br>
    <br>
    If you put the allowdownload to 0, does it disable the www
    capability ? if we could restrict the download part to http
    downloading, things could be easier to cope with.<br>
    <br>
    Le 14/09/2010 20:44, Nosjp Nosjp a &eacute;crit&nbsp;:
    <blockquote
      cite="mid:AANLkTi=-=-yiKzXqTGbN8xwrVo5xGw4DKgX5c-X_oV72@mail.gmail.com"
      type="cite">@Marco: <br>
      <br>
      If you have a server <br>
      - without custom maps/mods/pam -&gt; disable downloads:&nbsp; seta
      sv_allowDownload "0"<br>
      - with custom maps/mods/pam -&gt;&nbsp; disable game console (set
      sv_disableClientConsole "1")&nbsp; + random .cfg name<br>
      <br>
      <br>
      <br>
      <div class="gmail_quote">On Tue, Sep 14, 2010 at 9:37 PM, Sheepa <span
          dir="ltr">&lt;<a moz-do-not-send="true"
            href="mailto:sheepa@sheepa.org">sheepa@sheepa.org</a>&gt;</span>
        wrote:<br>
        <blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt
          0.8ex; border-left: 1px solid rgb(204, 204, 204);
          padding-left: 1ex;">
          Is there even any working POC for this?<br>
          <br>
          --------------------------------------------------<br>
          From: "Marco Padovan" &lt;<a moz-do-not-send="true"
            href="mailto:evolutioncrazy@gmail.com" target="_blank">evolutioncrazy@gmail.com</a>&gt;<br>
          Sent: Tuesday, September 14, 2010 8:14 PM<br>
          To: "Call of Duty server admin list." &lt;<a
            moz-do-not-send="true" href="mailto:cod@icculus.org"
            target="_blank">cod@icculus.org</a>&gt;
          <div class="im"><br>
            Subject: Re: [cod] Cfg download hacking<br>
            <br>
          </div>
          <div>
            <div class="h5">
              <blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt
                0.8ex; border-left: 1px solid rgb(204, 204, 204);
                padding-left: 1ex;">
                I see...<br>
                <br>
                will take the "random cfg filename" path as all other
                workarounds are<br>
                not acceptable for my use :(<br>
                <br>
                On Tue, Sep 14, 2010 at 8:01 PM, Morpheus &lt;<a
                  moz-do-not-send="true"
                  href="mailto:morpheus@clantoc.org" target="_blank">morpheus@clantoc.org</a>&gt;
                wrote:<br>
                <blockquote class="gmail_quote" style="margin: 0pt 0pt
                  0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204);
                  padding-left: 1ex;">
                  &nbsp;I think iptables is too low-level to deal with such
                  specific hack attempts.<br>
                  At least you can use it to ban IP addresses you
                  catch... It's sad it has not<br>
                  been fixed since discovery, with all the games that
                  are using the<br>
                  codebase...<br>
                  <br>
                  Le 14/09/2010 19:32, Marco Padovan a &eacute;crit :<br>
                  <blockquote class="gmail_quote" style="margin: 0pt 0pt
                    0pt 0.8ex; border-left: 1px solid rgb(204, 204,
                    204); padding-left: 1ex;">
                    <br>
                    I'm aware of the exploits... was looking for some
                    suggestion on how to<br>
                    fix them... even via iptables eventually...<br>
                    <br>
                    On Tue, Sep 14, 2010 at 6:56 PM, James Landi&lt;<a
                      moz-do-not-send="true" href="mailto:jim@landi.net"
                      target="_blank">jim@landi.net</a>&gt; &nbsp;wrote:<br>
                    <blockquote class="gmail_quote" style="margin: 0pt
                      0pt 0pt 0.8ex; border-left: 1px solid rgb(204,
                      204, 204); padding-left: 1ex;">
                      <br>
                      &nbsp;The exploit I just posted about could be an older
                      version or not the<br>
                      same<br>
                      as described in this mail list thread.<br>
                      <br>
                      using the second link should give you a good list
                      of quake based exploits<br>
                      you may want to watch for.<br>
                      <br>
                      Sorry for the wrong ling<br>
                      <br>
                      Jim Landi<br>
                      Rudedog<br>
                      FPSadmin.com<br>
                      Microsoft MVP, Games for Windows | Twitter@
                      therealrudedog<br>
                      <br>
                      <br>
                      On 9/14/10 12:25 PM, Morpheus wrote:<br>
                      <blockquote class="gmail_quote" style="margin: 0pt
                        0pt 0pt 0.8ex; border-left: 1px solid rgb(204,
                        204, 204); padding-left: 1ex;">
                        <br>
                        We're talking about the built-in download
                        system, not the http redirect<br>
                        one, which you can control with symlinks and
                        htaccess features. It's<br>
                        about a<br>
                        security hole that virtually exists in all
                        q3-based games (at least for<br>
                        the<br>
                        net code).<br>
                        <br>
                        Le 14/09/2010 18:21, Mavrick a &eacute;crit :<br>
                        <blockquote class="gmail_quote" style="margin:
                          0pt 0pt 0pt 0.8ex; border-left: 1px solid
                          rgb(204, 204, 204); padding-left: 1ex;">
                          <br>
                          Anyone tried symbolic links?<br>
                          <br>
                          On 14/09/2010 3:11 AM, Nosjp Nosjp wrote:<br>
                          <blockquote class="gmail_quote" style="margin:
                            0pt 0pt 0pt 0.8ex; border-left: 1px solid
                            rgb(204, 204, 204); padding-left: 1ex;">
                            <br>
                            The only one solution: &nbsp;set sv_allowDownload
                            "0"<br>
                            <br>
                            On Mon, Sep 13, 2010 at 7:45 PM, Marco<br>
                            Padovan&lt;<a moz-do-not-send="true"
                              href="mailto:evolutioncrazy@gmail.com"
                              target="_blank">evolutioncrazy@gmail.com</a><br>
                            &lt;mailto:<a moz-do-not-send="true"
                              href="mailto:evolutioncrazy@gmail.com"
                              target="_blank">evolutioncrazy@gmail.com</a>&gt;&gt;
                            &nbsp;wrote:<br>
                            <br>
                            &nbsp; We are having major hack attempts that
                            consist in people<br>
                            &nbsp; downloading the cfg files.... &nbsp;currently
                            we had to use random<br>
                            &nbsp; file names...<br>
                            <br>
                            &nbsp; is there any solid work around?<br>
                            <br>
                            <br>
                            &nbsp;
                            _______________________________________________<br>
                            &nbsp; cod mailing list<br>
                            &nbsp; <a moz-do-not-send="true"
                              href="mailto:cod@icculus.org"
                              target="_blank">cod@icculus.org</a>&lt;mailto:<a
                              moz-do-not-send="true"
                              href="mailto:cod@icculus.org"
                              target="_blank">cod@icculus.org</a>&gt;<br>
                            &nbsp; <a moz-do-not-send="true"
                              href="http://icculus.org/mailman/listinfo/cod"
                              target="_blank">http://icculus.org/mailman/listinfo/cod</a><br>
                            <br>
                            <br>
                            <br>
_______________________________________________<br>
                            cod mailing list<br>
                            <a moz-do-not-send="true"
                              href="mailto:cod@icculus.org"
                              target="_blank">cod@icculus.org</a><br>
                            <a moz-do-not-send="true"
                              href="http://icculus.org/mailman/listinfo/cod"
                              target="_blank">http://icculus.org/mailman/listinfo/cod</a><br>
                          </blockquote>
                          <br>
_______________________________________________<br>
                          cod mailing list<br>
                          <a moz-do-not-send="true"
                            href="mailto:cod@icculus.org"
                            target="_blank">cod@icculus.org</a><br>
                          <a moz-do-not-send="true"
                            href="http://icculus.org/mailman/listinfo/cod"
                            target="_blank">http://icculus.org/mailman/listinfo/cod</a><br>
                        </blockquote>
                        <br>
                        _______________________________________________<br>
                        cod mailing list<br>
                        <a moz-do-not-send="true"
                          href="mailto:cod@icculus.org" target="_blank">cod@icculus.org</a><br>
                        <a moz-do-not-send="true"
                          href="http://icculus.org/mailman/listinfo/cod"
                          target="_blank">http://icculus.org/mailman/listinfo/cod</a><br>
                      </blockquote>
                      <br>
                      _______________________________________________<br>
                      cod mailing list<br>
                      <a moz-do-not-send="true"
                        href="mailto:cod@icculus.org" target="_blank">cod@icculus.org</a><br>
                      <a moz-do-not-send="true"
                        href="http://icculus.org/mailman/listinfo/cod"
                        target="_blank">http://icculus.org/mailman/listinfo/cod</a><br>
                      <br>
                    </blockquote>
                    _______________________________________________<br>
                    cod mailing list<br>
                    <a moz-do-not-send="true"
                      href="mailto:cod@icculus.org" target="_blank">cod@icculus.org</a><br>
                    <a moz-do-not-send="true"
                      href="http://icculus.org/mailman/listinfo/cod"
                      target="_blank">http://icculus.org/mailman/listinfo/cod</a><br>
                  </blockquote>
                  <br>
                  _______________________________________________<br>
                  cod mailing list<br>
                  <a moz-do-not-send="true"
                    href="mailto:cod@icculus.org" target="_blank">cod@icculus.org</a><br>
                  <a moz-do-not-send="true"
                    href="http://icculus.org/mailman/listinfo/cod"
                    target="_blank">http://icculus.org/mailman/listinfo/cod</a><br>
                  <br>
                </blockquote>
                _______________________________________________<br>
                cod mailing list<br>
                <a moz-do-not-send="true" href="mailto:cod@icculus.org"
                  target="_blank">cod@icculus.org</a><br>
                <a moz-do-not-send="true"
                  href="http://icculus.org/mailman/listinfo/cod"
                  target="_blank">http://icculus.org/mailman/listinfo/cod</a>
                <br>
              </blockquote>
              _______________________________________________<br>
              cod mailing list<br>
              <a moz-do-not-send="true" href="mailto:cod@icculus.org"
                target="_blank">cod@icculus.org</a><br>
              <a moz-do-not-send="true"
                href="http://icculus.org/mailman/listinfo/cod"
                target="_blank">http://icculus.org/mailman/listinfo/cod</a><br>
            </div>
          </div>
        </blockquote>
      </div>
      <br>
      <pre wrap="">
<fieldset class="mimeAttachmentHeader"></fieldset>
_______________________________________________
cod mailing list
<a class="moz-txt-link-abbreviated" href="mailto:cod@icculus.org">cod@icculus.org</a>
<a class="moz-txt-link-freetext" href="http://icculus.org/mailman/listinfo/cod">http://icculus.org/mailman/listinfo/cod</a>
</pre>
    </blockquote>
  </body>
</html>