Hi. For the sake of not enabling all the kiddies to hack hlstatsx pages, I will not provide details, but there is indeed a vulnerability in hlstatsx. Actually there are even two. I subscribe to several security lists as well, and one of them has disclosed this vulnerability. As I have also done, I would advise you to disable your hlstatsx webpage until there is a fix for this. If you want, I will mail you proof of this off-list.

In response to limiting access to rcon: the default port used for rcon is UDP 27005. You should be able to limit access to that using iptables or another firewall. Not 100% sure whether this will adversely influence other functionality, though, so you would have to test this yourself.

Hope this helps.

--
Regime
http://www.livebythegun.com/
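As an added example (not from anyone in this thread), the following script generates iptables rules that allow the rcon port only from one admin source range and log-and-drop everything else, which is the "limit to a certain range" Rolf asked about. It assumes a Linux host with iptables; the port 27005/udp is taken from the message above and should be checked against the server's actual configuration, and the admin range 203.0.113.0/24 is a constructed placeholder.

```shell
#!/bin/sh
# Print (rather than apply) iptables rules that restrict rcon to one admin
# source range. Review the output first, then pipe it to sh as root to apply.
# Port comes from the thread (UDP 27005); verify it against your server config.
# The admin range is a constructed RFC 5737 placeholder.
ADMIN_RANGE="${ADMIN_RANGE:-203.0.113.0/24}"
RCON_PORT="${RCON_PORT:-27005}"
IPT="${IPT:-iptables}"

# rcon_rules RANGE PORT: emit a dedicated chain so the policy is easy to audit.
rcon_rules() {
  range="$1"
  port="$2"
  # Dedicated chain for rcon traffic.
  printf '%s -N RCON_FILTER\n' "$IPT"
  # Send every packet to the rcon port through that chain.
  printf '%s -A INPUT -p udp --dport %s -j RCON_FILTER\n' "$IPT" "$port"
  # Only the admin range may talk to rcon.
  printf '%s -A RCON_FILTER -s %s -j ACCEPT\n' "$IPT" "$range"
  # Rate-limited log of rejected attempts, useful for spotting brute forcing.
  printf '%s -A RCON_FILTER -m limit --limit 5/min -j LOG --log-prefix "RCON-DENIED: "\n' "$IPT"
  # Everything else is silently dropped.
  printf '%s -A RCON_FILTER -j DROP\n' "$IPT"
}

rcon_rules "$ADMIN_RANGE" "$RCON_PORT"
```

Run it once to inspect the five rules, then `./rcon-rules.sh | sudo sh` to apply; remember the game clients themselves do not need the rcon port, so restricting it should not affect normal play, but test as Regime suggests.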
Hackmett wrote:
Hi folks, I would like to limit to a certain range, not block a certain IP.

BTW, I think I found out what happened. After having fixed the password, I saw that my hlstats stats were flushed and the background image was changed to some "my penis is short, but I hacked your side" image. Then I remembered that the hlstats DB also contains rcon passwords.

BTW, is there some kind of security issue with HLstats 1.32? I already changed the pw, copied the data from some hours before, and changed the MySQL rights for the hlstats user to read-only, but I would like to be sure that there is no SQL-insertion leak or something else.

Regards
Rolf
_______________________________________________ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds

