At 01:44 PM 1/10/2003 -0600, you wrote:
> Bugtraq (a security related mailing list) just posted 3 advisories
> concerning Half-Life (HLTV, ClanMod, Adminmod). I highly recommend to any
> coder and/or sysadmin to check these out (I'm not going to reproduce them
> here, bugtraq has an excellent archive). Although there's no fix available
> yet, you should at least know about the possible dangers.
>
> Just to clarify things: I'm in NO way related to those who found the
> vulnerabilities, I'm just telling you that these exist so you know what
> you'll have to deal with sooner or later.

Here are the URLs for those of you that are not bugtraq savvy...

http://online.securityfocus.com/archive/1/306122/2003-01-07/2003-01-13/0

http://online.securityfocus.com/archive/1/306120/2003-01-07/2003-01-13/0

http://online.securityfocus.com/archive/1/306117/2003-01-07/2003-01-13/0

The AdminMOD and ClanMod exploits REQUIRE knowledge of the rcon password.
In theory the rcon password could be sniffed, as I believe they're plain
text? :(

I'm also concerned after reviewing the site; I'm not sure if their hat
colour is black, white, or maybe 'grey'.

There are several articles on 'attacking MySQL servers' or various other
things. There is a disclaimer about study purposes, etc., for what it's
worth.

The good news is that the potential seems limited for those not running
their servers as root, in the case of the clanmod one.



Pat 'sluggo' Magnan
Tour of Duty mod
http://www.tourofdutymod.com

_______________________________________________
To unsubscribe, edit your list preferences, or view the list archives, please visit:
http://list.valvesoftware.com/mailman/listinfo/hlcoders
