Would you explain in more detail? So what exactly am I supposed to type to 
"trick" HLStatsX? I've honestly never heard of this from Lart or anyone 
involved in the custom HLStatsX script, so I don't really think this problem exists, 
but just in case it does, I would like to learn about the details. Thanks.

--- On Mon, 6/23/08, Keeper <[EMAIL PROTECTED]> wrote:

From: Keeper <[EMAIL PROTECTED]>
Subject: [hlds] HLStastX usage
To: "'Half-Life dedicated Win32 server mailing list'" 
<hlds@list.valvesoftware.com>, "'Half-Life dedicated Linux server mailing 
list'" <[EMAIL PROTECTED]>
Date: Monday, June 23, 2008, 10:22 AM

Ok, here is the exploit ... and one way to fix it.

If you are playing in a server that has HLStatsX installed, you can put log
output in chat to create fake events.

You can just say or say_team the following to trick HLStatsX:

L 06/23/2008 - 01:00:00: Started map "dm_no_such_map" (CRC "-123456789")

The log output would be:

L 06/23/2008 - 01:00:00: "Keeper<1><STEAM_0:1:12345678><Unassigned>" say "L 06/23/2008 - 01:00:00: Started map "dm_no_such_map" (CRC "-123456789")"

The way the current hlstats.pl Perl script parses this is that it looks for the
last occurrence of the date stamp.  In this case, it would show that
dm_no_such_map was loaded on your server ... even though it doesn't exist.
So you could logically put in headshot kills with crowbars in hl2dm.  Create
fake captures and kills in TF2.  You could even mimic VAC Bans that would
eliminate players from being able to join servers with HLStatsX installed.

These exploits could range from being a small nuisance, to being a huge
headache for server operators. 

To fix this, and I'm no regex expert, I found the following to work with
both streaming servers and importing logs from the command shell:

In your hlstats.pl files do the following two things:

[#1 - SEARCH] ( around line 1494 )
my $last_attacker          = "";
my $last_attacker_hitgroup = "";
[ADD AFTER]
my $is_streamed            = 0;
my $test_for_date          = 0;
[END]------------------------------------------------------------

[#2 - SEARCH] ( around line 1821 )
# Get the datestamp (or complain)
if ($s_output =~ s/^.*L (\d\d)\/(\d\d)\/(\d{4}) - (\d\d):(\d\d):(\d\d):\s*//)
{
[REPLACE WITH]
# Get the datestamp (or complain)
$is_streamed   = 0;
$test_for_date = 0;
# Streamed log lines carry a prefix before the "L"; lines read from a log file start with it
$is_streamed = ($s_output !~ m/^L\s*/);

if ( !$is_streamed ) {
    # Anchor on the FIRST datestamp, right at the start of the line
    $test_for_date = ($s_output =~ s/^L (\d\d)\/(\d\d)\/(\d{4}) - (\d\d):(\d\d):(\d\d):\s*//);
} else {
    # Same, but allow the non-whitespace stream prefix before the "L"
    $test_for_date = ($s_output =~ s/^\S*L (\d\d)\/(\d\d)\/(\d{4}) - (\d\d):(\d\d):(\d\d):\s*//);
}

if ($test_for_date)
{
[END]------------------------------------------------------------

This will allow the hlstats.pl parser to get the full event after the FIRST
log stamp, and will stop this method of spoofing.

Let me state, that I in no way support HLStatsX, nor will I do so in the
future.  But I wanted to post about this so server operators could keep the
integrity of their databases.

Keeper


_______________________________________________
To unsubscribe, edit your list preferences, or view the list archives, please
visit:
http://list.valvesoftware.com/mailman/listinfo/hlds
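The parsing difference Keeper describes, as an added example that is not part of the original mail or of hlstats.pl: a Python re-implementation of the old greedy `^.*L` datestamp pattern next to the anchored replacement, both run over the injected chat line from the post. The streamed-line prefix is a constructed stand-in for the packet header, not the real one.

```python
import re

# Patterns mirror the Perl in Keeper's mail, converted to Python re syntax.
DATE = r'L (\d\d)/(\d\d)/(\d{4}) - (\d\d):(\d\d):(\d\d):\s*'

# Unpatched hlstats.pl: the greedy '.*' skips to the LAST datestamp on the
# line, so a datestamp typed inside a chat message replaces the real event.
VULN_RE = re.compile(r'^.*' + DATE)

# Keeper's fix: anchor on the FIRST datestamp. Lines read from a log file start
# with 'L'; streamed lines carry a non-whitespace prefix before it.
FIXED_FILE_RE = re.compile(r'^' + DATE)
FIXED_STREAM_RE = re.compile(r'^\S*' + DATE)


def strip_datestamp_vulnerable(line):
    """Event text as the unpatched parser sees it, or None if no datestamp."""
    m = VULN_RE.match(line)
    return line[m.end():] if m else None


def strip_datestamp_fixed(line):
    """Event text as the patched parser sees it, or None if no datestamp."""
    is_streamed = not line.startswith('L')
    m = (FIXED_STREAM_RE if is_streamed else FIXED_FILE_RE).match(line)
    return line[m.end():] if m else None


def looks_like_map_start(event):
    """True when the parser would record this as a 'Started map' event."""
    return event is not None and event.startswith('Started map')


# Constructed sample: the log line from the post, a player saying a fake
# 'Started map' entry in chat.
CHAT_LINE = ('L 06/23/2008 - 01:00:00: "Keeper<1><STEAM_0:1:12345678><Unassigned>" '
             'say "L 06/23/2008 - 01:00:00: Started map "dm_no_such_map" '
             '(CRC "-123456789")"')

# Same line as a streamed packet; the prefix is a constructed placeholder for
# the packet header (any non-whitespace bytes before the leading 'L').
STREAMED_LINE = '\xff\xff\xff\xffR' + CHAT_LINE

if __name__ == '__main__':
    print('unpatched:', strip_datestamp_vulnerable(CHAT_LINE))
    print('patched  :', strip_datestamp_fixed(CHAT_LINE))
    print('streamed :', strip_datestamp_fixed(STREAMED_LINE))
```

The unpatched pattern turns the chat line into a bogus map change, while the anchored pattern keeps it as the `say` event it really is, for both the file-style and the streamed form of the line.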

