File download exploit

James Munro audiocheese at gmail.com
Tue Feb 12 09:17:51 EST 2008


Hello, the following code is designed for JKA but can be adapted for most Q3
engined games. My question is has this issue been resolved in ioquake3? I am
not the author of this code:

http://rafb.net/p/XmBZ6E34.html

The code will allow you to download any file from the server. As standard,
the Q3 server file download function does not check which directory the user
is downloading from, and so this code can be used to download the
server.cfg which may contain the rcon password, so it is clear why this
is a problem!

Regards,
James
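
A server-side check of the kind the message says is missing, as an added example that is not from the original post, the linked code, or ioquake3: a hypothetical `download_name_allowed()` that accepts only `<gamedir>/<file>.pk3` names before any file is opened. The one-directory, `.pk3`-only policy and the 63-character limit are assumptions chosen for illustration.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not taken from ioquake3 or JKA. Returns true only for
 * names of the form "<gamedir>/<file>.pk3" that stay inside the game tree. */
bool download_name_allowed(const char *name)
{
    size_t len, i;
    int slashes = 0;

    if (name == NULL)
        return false;
    len = strlen(name);
    if (len < 7 || len > 63)        /* shortest legal name is "a/b.pk3" */
        return false;

    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (c == '/') {
            /* no leading slash (absolute path) and no empty component */
            if (i == 0 || name[i - 1] == '/')
                return false;
            slashes++;
        } else if (c == '.') {
            /* rejects ".." and any name or component that starts with a dot */
            if (i == 0 || name[i - 1] == '/' || name[i - 1] == '.')
                return false;
        } else if (!isalnum(c) && c != '_' && c != '-') {
            /* rejects backslash, colon (drive letters), control bytes, etc. */
            return false;
        }
    }
    if (slashes != 1)               /* exactly one directory: the game dir */
        return false;
    /* Only pak archives are downloadable; server.cfg never is. */
    return strcmp(name + len - 4, ".pk3") == 0;
}

int main(void)
{
    /* Constructed sample requests, not captured traffic. */
    const char *req[] = { "base/maps.pk3", "base/server.cfg", "../server.cfg" };
    for (size_t i = 0; i < 3; i++)
        printf("%-16s %s\n", req[i], download_name_allowed(req[i]) ? "allow" : "deny");
    return 0;
}
```

The extension comparison is case-sensitive, so a server that ships `.PK3` files would need to normalise names before calling it.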