Security Warning

CheesyPeteza

<div class="IPBDescription">All server admins read please</div> Someone just posted to the hlds mailing list how to download any file from a server with sv_allowdownload 1 from the mod folder and above, plus valve folder and above.

This means they can download server.cfg, addons/amx/users.ini, your log files, anything they want.

I suggest you set sv_allowdownload to 0 immediately. (note the server.cfg included with ns incorrectly spells the command sv_allowdownload<b>s</b>). Also change your rcon password just in case someone has already taken it from one of your config/log files.

To do this it only takes a very simple console command on the client that any fool could do. I suggest you take action immediately.

RPMayhem

Thanks for the heads up! I'll have to change that ASAP.

Night_Shade

According to the post on full-disclosure, it's also possible to crash the server by downloading a large file, such as valve/pak0.pak.

All it'd take would be some lamer to keep downloading it and retrying to DoS your server.

Pinhedd

hmm, I didn't even know it was possible to have clients request a download, is it a console command, I am a competent amx scripter and may be able to write something to reroute the command.

CheesyPeteza

You'd have to stop the client from using the command "cmd". You'd have to stop people using the command while they are connecting to your server, before they actually get in game aswell.

Pinhedd

then I dont think it can be done, seeing as it seems like its done before amx client control kicks in, maybe something serverside?

CheesyPeteza

Certain cheats stop the server from executing commands on the client anyway. For 100% protection just put sv_allowdownload 0. They are releasing a patch for WON hlds which is nice, shame its for 3111 though.

Eviscerator

If you did the following:

sv_allowdownload 0
sv_send_logos 1
sv_send_resources 1

Would this allow custom decals to exist, and also allow people to download maps and other goodies when the map changes and they don't currently have them? IE, all of the cases where you want downloads to occur but still disable the download command so as to thwart this exploit?

Has anyone tried the above config and seen it work okay?

devicenull

Just a question, whats the hlds mailing list, where can I sign up? I was signed up before, but I can no longer find it
NM- I RTFM

TheGlenn

There is already a fix for Steam Servers available.

Any news about a "hlds_l_3111e_update.tar.gz"?

Cheers, Glenn.

billcat

Last I checked, valve made it pretty clear on the HLDS mailing list that they aren't going to be updating 3111 anymore. Several people bitched but their movement/work is all on steam these days.

Yet another reason to upgrade to steam. Not that I'm saying it's perfect/good.

Andyonce

From the hlds_announce mailing list:

<!--QuoteBegin--></span><table border='0' align='center' width='95%' cellpadding='3' cellspacing='1'><tr><td><b>QUOTE</b> </td></tr><tr><td id='QUOTE'><!--QuoteEBegin-->We have released an updated dedicated server engine binary. This update
fixes the exploit published by SYZo[SND] (release on Wednesday). The
update also contains a fix for kick messages not being displayed in the
UI properly.

This release is not mandatory so you will need to manually update at
your convience.

A full changelog can be viewed at:
Windows <a href='http://www.steampowered.com/platform/update_history/Dedicated%20Server.html' target='_blank'>http://www.steampowered.com/platform/updat...d%20Server.html</a>
Linux <a href='http://www.steampowered.com/platform/update_history/Linux%20Dedicated%20Server.html' target='_blank'>http://www.steampowered.com/platform/updat...d%20Server.html</a>

<b>A fix for 3.1.1.1 (WON) is in progress, for now make sure you set
"sv_allowdownload 0" on your 3.1.1.1 (WON) servers.</b>

- Alfred<!--QuoteEnd--></td></tr></table><span class='postcolor'><!--QuoteEEnd-->

TheGlenn

<!--QuoteBegin--Andyonce+Nov 21 2003, 05:22 PM--></span><table border='0' align='center' width='95%' cellpadding='3' cellspacing='1'><tr><td><b>QUOTE</b> (Andyonce @ Nov 21 2003, 05:22 PM)</td></tr><tr><td id='QUOTE'><!--QuoteEBegin-->From the hlds_announce mailing list:

<!--QuoteBegin--></span><table border='0' align='center' width='95%' cellpadding='3' cellspacing='1'><tr><td><b>QUOTE</b> </td></tr><tr><td id='QUOTE'><!--QuoteEBegin-->
<b>A fix for 3.1.1.1 (WON) is in progress, for now make sure you set
"sv_allowdownload 0" on your 3.1.1.1 (WON) servers.</b>

- Alfred<!--QuoteEnd--></td></tr></table><span class='postcolor'><!--QuoteEEnd--><!--QuoteEnd--></td></tr></table><span class='postcolor'><!--QuoteEEnd-->
Any news?

Cheers, Glenn.

CheesyPeteza

Alfred said it takes a long time and it is not their highest priority a day or two ago.

Boneless

<!--QuoteBegin--Eviscerator+Nov 21 2003, 07:00 PM--></span><table border='0' align='center' width='95%' cellpadding='3' cellspacing='1'><tr><td><b>QUOTE</b> (Eviscerator @ Nov 21 2003, 07:00 PM)</td></tr><tr><td id='QUOTE'><!--QuoteEBegin--> If you did the following:

sv_allowdownload 0
sv_send_logos 1
sv_send_resources 1

Would this allow custom decals to exist, and also allow people to download maps and other goodies when the map changes and they don't currently have them?  IE, all of the cases where you want downloads to occur but still disable the download command so as to thwart this exploit?

Has anyone tried the above config and seen it work okay? <!--QuoteEnd--></td></tr></table><span class='postcolor'><!--QuoteEEnd-->
If u set sv_allowdownload 0 this override and disable the sv_send_ cvars....

Better try:

sv_allowdownload 1
sv_send_logos 1
sv_send_resources 0

But I don't know if this is a valid workaround for the exploit...