Great post.. dumb post.. all the same.. I personally would have mailed this
to Tobi17 instead of posting it here. But good catch anyway..
--
Tirppa
On Mon, Jun 23, 2008 at 7:22 PM, Keeper <[EMAIL PROTECTED]> wrote:
> Ok, here is the exploit ... and one way to fix it.
>
> If you are playing in a server that has HLStatsX installed, you can put log
> output in chat to create fake events.
>
> You can just say or say_team the following to trick HLStatsX:
>
> L 06/23/2008 - 01:00:00: Started map "dm_no_such_map" (CRC "-123456789")
>
> The log output would be:
>
> L 06/23/2008 - 01:00:00: "Keeper<1><STEAM_0:1:12345678><Unassigned>" say "L 06/23/2008 - 01:00:00: Started map "dm_no_such_map" (CRC "-123456789")"
>
> The way the current hlstats.pl perl script parses this, is it looks for the
> last occurrence of the date stamp. In this case, it would show that
> dm_no_such_map was loaded on your server ... even though it doesn't exist.
> So you could logically put in headshot kills with crowbars in hl2dm. Create
> fake captures and kills in TF2. You could even mimic VAC Bans that would
> eliminate players from being able to join servers with HLStatsX installed.
>
> These exploits could range from being a small nuisance, to being a huge
> headache for server operators.
>
> To fix this, and I'm no regex expert, I found the following to work with
> both streaming servers and importing logs from the command shell:
>
> In your hlstats.pl files do the following two things:
>
> [#1 - SEARCH] ( around line 1494 )
> my $last_attacker = "";
> my $last_attacker_hitgroup = "";
> [ADD AFTER]
> my $is_streamed = 0;
> my $test_for_date = 0;
> [END]------------------------------------------------------------
>
> [#2 - SEARCH] ( around line 1821 )
> # Get the datestamp (or complain)
> if ($s_output =~ s/^.*L (\d\d)\/(\d\d)\/(\d{4}) - (\d\d):(\d\d):(\d\d):\s*//)
> {
> [REPLACE WITH]
> # Get the datestamp (or complain)
> $is_streamed = 0;
> $test_for_date = 0;
> $is_streamed = ($s_output !~ m/^L\s*/);
>
> if ( !$is_streamed ) {
> $test_for_date = ($s_output =~ s/^L (\d\d)\/(\d\d)\/(\d{4}) - (\d\d):(\d\d):(\d\d):\s*//);
> } else {
> $test_for_date = ($s_output =~ s/^\S*L (\d\d)\/(\d\d)\/(\d{4}) - (\d\d):(\d\d):(\d\d):\s*//);
> }
>
> if ($test_for_date)
> {
> [END]------------------------------------------------------------
>
> This will allow the hlstats.pl parser to get the full event after the FIRST
> log stamp, and will stop this method of spoofing.
>
> Let me state, that I in no way support HLStatsX, nor will I do so in the
> future. But I wanted to post about this so server operators could keep the
> integrity of their databases.
>
> Keeper
>
>
> _______________________________________________
> To unsubscribe, edit your list preferences, or view the list archives,
> please visit:
> http://list.valvesoftware.com/mailman/listinfo/hlds_linux
>
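
The parsing difference described in Keeper's message, as an added Perl example that is not part of the original thread or of hlstats.pl: it runs the sample chat line from the post through the original greedy pattern and through the anchored replacement. The sub names and the `HDR` prefix standing in for a streamed line's header are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Datestamp pattern, copied from the regexes quoted in the post.
my $stamp = qr/L (\d\d)\/(\d\d)\/(\d{4}) - (\d\d):(\d\d):(\d\d):\s*/;

# Original behaviour: the greedy ".*" runs to the end of the line and
# backtracks, so everything up to the LAST datestamp is stripped.
sub event_original {    # hypothetical name
    my ($line) = @_;
    return $line =~ s/^.*$stamp// ? $line : undef;
}

# Patched behaviour from the post: the datestamp must sit at the start of
# the line, or directly after a whitespace-free prefix on streamed lines.
sub event_patched {     # hypothetical name
    my ($line) = @_;
    my $is_streamed = ($line !~ m/^L\s*/);
    my $ok = $is_streamed
        ? ($line =~ s/^\S*$stamp//)
        : ($line =~ s/^$stamp//);
    return $ok ? $line : undef;
}

# Sample chat line from the post (log-file form).
my $chat = q{L 06/23/2008 - 01:00:00: "Keeper<1><STEAM_0:1:12345678><Unassigned>" }
         . q{say "L 06/23/2008 - 01:00:00: Started map "dm_no_such_map" (CRC "-123456789")"};

# Constructed inputs: the same line with a made-up "HDR" prefix in place of a
# streamed header, and a line that carries no datestamp at all.
my %samples = (
    'log file' => $chat,
    'streamed' => "HDR$chat",
    'no stamp' => 'not a log line',
);

for my $name (sort keys %samples) {
    my $orig    = event_original($samples{$name});
    my $patched = event_patched($samples{$name});
    print "[$name]\n";
    print "  original: ", (defined $orig    ? $orig    : '(rejected)'), "\n";
    print "  patched : ", (defined $patched ? $patched : '(rejected)'), "\n";
}
```

With the original pattern the event text handed on to the rest of the parser begins at `Started map`, while the anchored pattern hands on the whole `say` event, so the embedded datestamp stays inside the chat text.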