<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
I have one question: I have these dvars in my server cfg<br>
<br>
set sv_allowdownload "1"<br>
seta sv_wwwDownload "1"<br>
seta sv_wwwBaseURL <a class="moz-txt-link-rfc2396E" href="http://whaterver_you_wnat.com/cod">"http://whaterver_you_wnat.com/cod"</a><br>
seta sv_wwwDlDisconnected "1"<br>
<br>
If you put the allowdownload to 0, does it disable the www
capability? If we could restrict the download part to http
downloading, things could be easier to cope with.<br>
<br>
On 14/09/2010 20:44, Nosjp Nosjp wrote:
<blockquote
cite="mid:AANLkTi=-=-yiKzXqTGbN8xwrVo5xGw4DKgX5c-X_oV72@mail.gmail.com"
type="cite">@Marco: <br>
<br>
If you have a server <br>
- without custom maps/mods/pam -> disable downloads: seta
sv_allowDownload "0"<br>
- with custom maps/mods/pam -> disable game console (set
sv_disableClientConsole "1") + random .cfg name<br>
<br>
<br>
<br>
<div class="gmail_quote">On Tue, Sep 14, 2010 at 9:37 PM, Sheepa <span
dir="ltr"><<a moz-do-not-send="true"
href="mailto:sheepa@sheepa.org">sheepa@sheepa.org</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt
0.8ex; border-left: 1px solid rgb(204, 204, 204);
padding-left: 1ex;">
Is there even any working POC for this?<br>
<br>
--------------------------------------------------<br>
From: "Marco Padovan" <<a moz-do-not-send="true"
href="mailto:evolutioncrazy@gmail.com" target="_blank">evolutioncrazy@gmail.com</a>><br>
Sent: Tuesday, September 14, 2010 8:14 PM<br>
To: "Call of Duty server admin list." <<a
moz-do-not-send="true" href="mailto:cod@icculus.org"
target="_blank">cod@icculus.org</a>>
<div class="im"><br>
Subject: Re: [cod] Cfg download hacking<br>
<br>
</div>
<div>
<div class="h5">
<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt
0.8ex; border-left: 1px solid rgb(204, 204, 204);
padding-left: 1ex;">
I see...<br>
<br>
will take the "random cfg filename" path as all other
workarounds are<br>
not acceptable for my use :(<br>
<br>
On Tue, Sep 14, 2010 at 8:01 PM, Morpheus <<a
moz-do-not-send="true"
href="mailto:morpheus@clantoc.org" target="_blank">morpheus@clantoc.org</a>>
wrote:<br>
<blockquote class="gmail_quote" style="margin: 0pt 0pt
0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204);
padding-left: 1ex;">
I think iptables is too low-level to deal with such
specific hack attempts.<br>
At least you can use it to ban IP addresses you
catch... It's sad it has not<br>
been fixed since discovery, with all the games that
are using the<br>
codebase...<br>
<br>
                Le 14/09/2010 19:32, Marco Padovan wrote:<br>
<blockquote class="gmail_quote" style="margin: 0pt 0pt
0pt 0.8ex; border-left: 1px solid rgb(204, 204,
204); padding-left: 1ex;">
<br>
I'm aware of the exploits... was looking for some
suggestion on how to<br>
fix them... even via iptables eventually...<br>
<br>
On Tue, Sep 14, 2010 at 6:56 PM, James Landi<<a
moz-do-not-send="true" href="mailto:jim@landi.net"
target="_blank">jim@landi.net</a>> wrote:<br>
<blockquote class="gmail_quote" style="margin: 0pt
0pt 0pt 0.8ex; border-left: 1px solid rgb(204,
204, 204); padding-left: 1ex;">
<br>
The exploit I just posted about could be an older
version or not the<br>
same<br>
as described in this mail list thread.<br>
<br>
                    Using the second link should give you a good list
of quake based exploits<br>
you may want to watch for.<br>
<br>
                    Sorry for the wrong link<br>
<br>
Jim Landi<br>
Rudedog<br>
FPSadmin.com<br>
Microsoft MVP, Games for Windows | Twitter@
therealrudedog<br>
<br>
<br>
On 9/14/10 12:25 PM, Morpheus wrote:<br>
<blockquote class="gmail_quote" style="margin: 0pt
0pt 0pt 0.8ex; border-left: 1px solid rgb(204,
204, 204); padding-left: 1ex;">
<br>
We're talking about the built-in download
system, not the http redirect<br>
one, which you can control with symlinks and
htaccess features. It's<br>
about a<br>
security hole that virtually exists in all
q3-based games (at least for<br>
the<br>
net code).<br>
<br>
                      On 14/09/2010 18:21, Mavrick wrote:<br>
<blockquote class="gmail_quote" style="margin:
0pt 0pt 0pt 0.8ex; border-left: 1px solid
rgb(204, 204, 204); padding-left: 1ex;">
<br>
Anyone tried symbolic links?<br>
<br>
On 14/09/2010 3:11 AM, Nosjp Nosjp wrote:<br>
<blockquote class="gmail_quote" style="margin:
0pt 0pt 0pt 0.8ex; border-left: 1px solid
rgb(204, 204, 204); padding-left: 1ex;">
<br>
                          The only solution: set sv_allowDownload "0"<br>
<br>
On Mon, Sep 13, 2010 at 7:45 PM, Marco<br>
Padovan<<a moz-do-not-send="true"
href="mailto:evolutioncrazy@gmail.com"
target="_blank">evolutioncrazy@gmail.com</a><br>
<mailto:<a moz-do-not-send="true"
href="mailto:evolutioncrazy@gmail.com"
target="_blank">evolutioncrazy@gmail.com</a>>>
wrote:<br>
<br>
We are having major hack attempts that
consist in people<br>
downloading the cfg files.... currently
we had to use random<br>
file names...<br>
<br>
is there any solid work around?<br>
<br>
<br>
_______________________________________________<br>
cod mailing list<br>
<a moz-do-not-send="true"
href="mailto:cod@icculus.org"
target="_blank">cod@icculus.org</a><mailto:<a
moz-do-not-send="true"
href="mailto:cod@icculus.org"
target="_blank">cod@icculus.org</a>><br>
<a moz-do-not-send="true"
href="http://icculus.org/mailman/listinfo/cod"
target="_blank">http://icculus.org/mailman/listinfo/cod</a><br>
<br>
<br>
<br>
</blockquote>
<br>
</blockquote>
<br>
</blockquote>
<br>
</blockquote>
</blockquote>
<br>
</blockquote>
</blockquote>
</div>
</div>
</blockquote>
</div>
<br>
<pre wrap="">
<fieldset class="mimeAttachmentHeader"></fieldset>
_______________________________________________
cod mailing list
<a class="moz-txt-link-abbreviated" href="mailto:cod@icculus.org">cod@icculus.org</a>
<a class="moz-txt-link-freetext" href="http://icculus.org/mailman/listinfo/cod">http://icculus.org/mailman/listinfo/cod</a>
</pre>
</blockquote>
</body>
</html>