XSS is easy to fix: just set allow_fopen_url to Off. That's it; it kills all
XSS vulnerabilities at once.

Best regards

Ronny

Two XSS vulnerabilities were disclosed for hlstats v1.35 on 19/5/2007
which are also functional for hlstatsx V1.01. So far there has not been
any info on a patch/fix for this on their site.
I'm sure this vulnerability you are mentioning was patched, but these
two new ones aren't. I have personally verified their existence in the
latest hlstatsx version. Again, proof of this can be provided off-list.
---
Regime
http://www.livebythegun.com/


Dan E wrote:
http://www.hlstatsx.com/download/current
"Fixed: Webpage Vulnerability."

So this should no longer be an issue as long as you have the most up-to-date
release, correct?

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of NaughtyGeek
Sent: Sunday, May 20, 2007 5:48 PM
To: hlds@list.valvesoftware.com
Subject: [Bulk] RE: [hlds] unwanted rcon from unknown

There was a security flaw in HLStatsX in December. They issued an email to
premium members stating that passwords were potentially compromised and
suggested changing them. I have copied the email below.

Dear Customer,

We have been informed about an undocumented security related bug in one of our
systems. It could have been possible that your rcon password could be
retrieved. The problem has been fixed immediately.

We strongly recommend that you change your rcon password as soon as possible
to avoid problems with your gameserver.

We apologize for any inconvenience this may cause.

Best regards

  The HLstatsX - Team



_______________________________________________
To unsubscribe, edit your list preferences, or view the list archives,
please visit:
http://list.valvesoftware.com/mailman/listinfo/hlds