Re: [hlds] Source Engine Upload/Download POC

2009-12-02 Thread Garry Newman
Anyone had any word from Valve on this? I'd rather not install a load of plugins to try to stop people hacking my server. garry ___ To unsubscribe, edit your list preferences, or view the list archives, please visit:

Re: [hlds] Source Engine Upload/Download POC

2009-12-02 Thread Spencer 'voogru' MacDonald
...@list.valvesoftware.com [mailto:hlds-boun...@list.valvesoftware.com] On Behalf Of Garry Newman Sent: Wednesday, December 02, 2009 6:32 PM To: Half-Life dedicated Win32 server mailing list Subject: Re: [hlds] Source Engine Upload/Download POC Anyone had any word from Valve on this? I'd rather not install a load

Re: [hlds] Source Engine Upload/Download POC

2009-12-02 Thread P1cwh0r3
...@list.valvesoftware.com] On Behalf Of Spencer 'voogru' MacDonald Sent: Thursday, 3 December 2009 11:12 AM To: 'Half-Life dedicated Win32 server mailing list' Subject: Re: [hlds] Source Engine Upload/Download POC You can prevent most damage by simply locking down your addons, cfg, scripts directories

[hlds] Source Engine Upload/Download POC

2009-11-29 Thread AzuiSleet
It seems the upload/download exploits aren't dead yet, and Valve didn't do a good job at patching them. A blacklist didn't work too well. Here is a serverplugin POC to upload and download files. It's fairly trivial to use: download_file cfg/server.cfg upload_file addons/serverplugin_sample.dll

Re: [hlds] Source Engine Upload/Download POC

2009-11-29 Thread cnu
On Sunday 29 November 2009 10:26:50 AzuiSleet wrote: Source: http://azu.pastebin.com/m1cd1ab0b You got some other interesting pastes here :p http://azu.pastebin.com/m483ef5a0 http://azu.pastebin.com/f32ff6903

Re: [hlds] Source Engine Upload/Download POC

2009-11-29 Thread AzuiSleet
Yes well you can ignore those fools. They like to vandalize my pastebin. On Sun, Nov 29, 2009 at 3:55 AM, cnu bsh...@broadpark.no wrote: On Sunday 29 November 2009 10:26:50 AzuiSleet wrote: Source: http://azu.pastebin.com/m1cd1ab0b You got some other interesting pastes here :p

Re: [hlds] Source Engine Upload/Download POC

2009-11-29 Thread Saul Rennison
Awesome. It's not really a server plugin though is it? I'll try this when I get home... take over some servers. 3 VALVe security. On Sunday, November 29, 2009, AzuiSleet azuisl...@gmail.com wrote: Yes well you can ignore those fools. They like to vandalize my pastebin. On Sun, Nov 29, 2009 at

Re: [hlds] Source Engine Upload/Download POC

2009-11-29 Thread Michael Krasnow
wait, so this means anyone can go on a server and download a server.cfg? time to bury my rcon in a crap load of exec files lol On Sun, Nov 29, 2009 at 7:49 AM, Saul Rennison saul.renni...@gmail.com wrote: Awesome. It's not really a server plugin though is it? I'll try this when I get home...

Re: [hlds] Source Engine Upload/Download POC

2009-11-29 Thread P. Bhandal
You're better off blocking your game server's TCP port. On Sun, Nov 29, 2009 at 7:51 AM, Michael Krasnow mnk...@mnkras.com wrote: wait, so this means anyone can go on a server and download a server.cfg? time to bury my rcon in a crap load of exec files lol On Sun, Nov 29, 2009 at 7:49 AM,

Re: [hlds] Source Engine Upload/Download POC

2009-11-29 Thread Shane Arnold
Shell/RDP account. Cryptography key. RCON port blocked/filtered to a specific IP. Winrar. Michael Krasnow wrote: wait, so this means anyone can go on a server and download a server.cfg? time to bury my rcon in a crap load of exec files lol On Sun, Nov 29, 2009 at 7:49 AM, Saul Rennison

Re: [hlds] Source Engine Upload/Download POC

2009-11-29 Thread w4rezz
Or you can remove rcon_password from server.cfg and use it as a server startup parameter +rcon_password blabla 2009/11/29 Michael Krasnow mnk...@mnkras.com: wait, so this means anyone can go on a server and download a server.cfg? time to bury my rcon in a crap load of exec files lol On Sun,

Re: [hlds] Source Engine Upload/Download POC

2009-11-29 Thread Michael Krasnow
Good idea, I think that's a bit easier :) On Sun, Nov 29, 2009 at 11:13 AM, w4rezz w4r...@gmail.com wrote: Or you can remove rcon_password from server.cfg and use it as a server startup parameter +rcon_password blabla 2009/11/29 Michael Krasnow mnk...@mnkras.com: wait, so this means anyone

Re: [hlds] Source Engine Upload/Download POC

2009-11-29 Thread Saul Rennison
You could upload a plugin which dumped Rcon and password data to a certain PHP page to the server, then crash the server (several known crashing exploits) to make the plugin auto-load. It's like a server root-kit lol. On Sunday, November 29, 2009, w4rezz w4r...@gmail.com wrote: Or you can remove

Re: [hlds] Source Engine Upload/Download POC

2009-11-29 Thread Saul Rennison
Read the OP... On Sunday, November 29, 2009, Aaron A. Maricic pennsta...@gmail.com wrote: Does this apply to L4D / L4D2? AzuiSleet wrote: It seems the upload/download exploits aren't dead yet, and Valve didn't do a good job at patching them. A blacklist didn't work too well. Here is a

Re: [hlds] Source Engine Upload/Download POC

2009-11-29 Thread Spencer 'voogru' MacDonald
mailing list Subject: Re: [hlds] Source Engine Upload/Download POC You could upload a plugin which dumped Rcon and password data to a certain PHP page to the server, then crash the server (several known crashing exploits) to make the plugin auto-load. It's like a server root-kit lol. On Sunday