Would you explain in more detail? So what exactly am I supposed to type to "trick" hlstatsx? I've honestly never heard of this from lart or anyone involved in custom hlstatsx script so I don't really think this problem exists, but just in case it does, I would like to learn about the details. Thanks.

--- On Mon, 6/23/08, Keeper <[EMAIL PROTECTED]> wrote:

From: Keeper <[EMAIL PROTECTED]>
Subject: [hlds] HLStastX usage
To: "'Half-Life dedicated Win32 server mailing list'" <hlds@list.valvesoftware.com>, "'Half-Life dedicated Linux server mailing list'" <[EMAIL PROTECTED]>
Date: Monday, June 23, 2008, 10:22 AM

Ok, here is the exploit ... and one way to fix it.

If you are playing in a server that has HLStatsX installed, you can put log output in chat to create fake events. You can just say or say_team the following to trick HLStatsX:

    L 06/23/2008 - 01:00:00: Started map "dm_no_such_map" (CRC "-123456789")

The log output would be:

    L 06/23/2008 - 01:00:00: "Keeper<1><STEAM_0:1:12345678><Unassigned>" say "L 06/23/2008 - 01:00:00: Started map "dm_no_such_map" (CRC "-123456789")"

The way the current hlstats.pl perl script parses this, is it looks for the last occurrence of the date stamp. In this case, it would show that dm_no_such_map was loaded on your server ... even though it doesn't exist.

So you could logically put in headshot kills with crowbars in hl2dm. Create fake captures and kills in TF2. You could even mimic VAC Bans that would eliminate players from being able to join servers with HLStatsX installed. These exploits could range from being a small nuisance, to being a huge headache for server operators.

To fix this, and I'm no regex expert, I found the following to work with both streaming servers and importing logs from the command shell:

In your hlstats.pl files do the following two things:

[#1 - SEARCH] ( around line 1494 )

    my $last_attacker = "";
    my $last_attacker_hitgroup = "";

[ADD AFTER]

    my $is_streamed = 0;
    my $test_for_date = 0;

[END]------------------------------------------------------------

[#2 - SEARCH] ( around line 1821 )

    # Get the datestamp (or complain)
    if ($s_output =~ s/^.*L (\d\d)\/(\d\d)\/(\d{4}) - (\d\d):(\d\d):(\d\d):\s*//) {

[REPLACE WITH]

    # Get the datestamp (or complain)
    $is_streamed = 0;
    $test_for_date = 0;
    $is_streamed = ($s_output !~ m/^L\s*/);
    if ( !$is_streamed ) {
        $test_for_date = ($s_output =~ s/^L (\d\d)\/(\d\d)\/(\d{4}) - (\d\d):(\d\d):(\d\d):\s*//);
    } else {
        $test_for_date = ($s_output =~ s/^\S*L (\d\d)\/(\d\d)\/(\d{4}) - (\d\d):(\d\d):(\d\d):\s*//);
    }
    if ($test_for_date) {

[END]------------------------------------------------------------

This will allow the hlstats.pl parser to get the full event after the FIRST log stamp, and will stop this method of spoofing.

Let me state, that I in no way support HLStatsX, nor will I do so in the future. But I wanted to post about this so server operators could keep the integrity of their databases.

Keeper

_______________________________________________
To unsubscribe, edit your list preferences, or view the list archives, please visit:
http://list.valvesoftware.com/mailman/listinfo/hlds
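
The difference between the two datestamp patterns in Keeper's message, run side by side on the log line quoted there. This is an added example, not code from the post or from hlstats.pl; the sub names `strip_greedy` and `strip_anchored` are hypothetical, and the streamed-packet prefix and the "no stamp" line are constructed sample input.

```perl
#!/usr/bin/perl
# Added example (not hlstats.pl code): what is left for the event parser
# after each datestamp strip, on constructed sample lines.
use strict;
use warnings;

my $STAMP = qr{L (\d\d)/(\d\d)/(\d{4}) - (\d\d):(\d\d):(\d\d):\s*};

# Original pattern: the greedy ^.* swallows everything up to the LAST
# datestamp in the line, including one typed into chat.
sub strip_greedy {
    my ($line) = @_;
    return $line =~ s/^.*$STAMP// ? $line : undef;
}

# Pattern from the post: the stamp must be at the start of the line, or
# directly after a non-space prefix when the line arrived streamed.
sub strip_anchored {
    my ($line) = @_;
    my $is_streamed = ($line !~ m/^L\s*/);
    my $ok = $is_streamed
        ? ($line =~ s/^\S*$STAMP//)
        : ($line =~ s/^$STAMP//);
    return $ok ? $line : undef;
}

# The log line quoted in the post: a chat message carrying a fake event.
my $spoof = q{L 06/23/2008 - 01:00:00: "Keeper<1><STEAM_0:1:12345678><Unassigned>" }
          . q{say "L 06/23/2008 - 01:00:00: Started map "dm_no_such_map" (CRC "-123456789")"};

my @samples = (
    [ 'file',     $spoof ],                         # imported from a log file
    [ 'streamed', "\xff\xff\xff\xffR" . $spoof ],   # constructed packet prefix (assumption)
    [ 'no-stamp', 'junk say "' . 'L 06/23/2008 - 01:00:00: Started map "x" (CRC "1")"' ],
);

for my $s (@samples) {
    my ($name, $line) = @$s;
    printf "%-9s greedy   -> %s\n", $name, strip_greedy($line)   // '(rejected)';
    printf "%-9s anchored -> %s\n", $name, strip_anchored($line) // '(rejected)';
}
# Greedy leaves 'Started map "dm_no_such_map" ...' for the event parser in the
# first two cases; anchored leaves the real '"Keeper<1>..." say "..."' chat event
# and rejects the line that has no leading datestamp at all.
```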