I surely couldn't download the server.cfg file. I tried to remove them from my client and download server.cfg again and it failed.

________________________________
Emanuel 'Rygars' Harangus
Technical Manager, Professional Gamers League Romania

----- Original Message -----
From: "Alastair Grant" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, November 20, 2003 1:30 AM
Subject: Re: [hlds_linux] [Full-Disclosure] Half Life dedicated server information leak and DoS

> You can't seem to download the server.cfg file. I've tried it on my
> servers and it won't work.
>
> Also it won't download anything below your mod directory, which is good
> news. I tried downloading hlds_run and /etc/passwd; both failed.
>
> Although you can download other files. Please could somebody confirm
> downloading of the server.cfg doesn't work.
>
> I've currently got the rcon password in the command line run for the
> server so it's not written down. This of course is not an option if you
> are on a shared box, as people can see the password in the process listing.
>
> Simon Street wrote:
> > And fwed here.
> >
> > Ignore if you don't care etc etc...
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Tom Russell
> > Sent: 19 November 2003 20:41
> > To: [EMAIL PROTECTED]
> > Subject: [hlds] [CRITICAL] Fw: [Full-Disclosure] Half Life dedicated server
> > information leak and DoS
> >
> >
> > Forwarded to [EMAIL PROTECTED] as I feel it has some relevance and
> > you server admins need to protect yourselves.
> >
> > Tested and confirmed (for files other than server.cfg) on TFC.
> >
> > I believe in full disclosure.
> >
> > ----- Original Message -----
> > From: "3APA3A" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Sent: Wednesday, November 19, 2003 4:07 PM
> > Subject: [Full-Disclosure] Half Life dedicated server information leak and
> > DoS
> >
> >
> >>
> >>Probably is known, but is not documented:
> >>
> >>Vendor: Valve software
> >>Software: hlds, all versions (including steam).
> >>Problem: Information leak, DoS
> >>Author: SYZo[SND]
> >>
> >>Problem:
> >>
> >>in server configuration, if allowdownload = 1, it's possible to
> >>download any file from directory of the current game (cstrike was
> >>tested) or from 'valve' directory from server. Allowdownload is
> >>required to allow clients to retrieve new maps from server.
> >>
> >>Impact:
> >>
> >>It's possible to download configuration files (like server.cfg,
> >>configuration files for different mods, etc) with sensitive
> >>information, including passwords. Additionally, downloading large
> >>file (for example map) causes server to crash.
> >>
> >>"Exploit":
> >>
> >> cmd dlfile server.cfg
> >> cmd dlfile addons/amx/users.ini
> >> cmd dlfile addons/amx/mysql.cfg
> >> cmd dlfile maps/de_torn.bsp
> >>
> >>Workaround:
> >>
> >> disable downloads.
> >>
> >>--
> >>http://www.security.nnov.ru
> >>         /\_/\
> >>        { , . }     |\
> >>+--oQQo->{ ^ }<-----+ \
> >>|  ZARAZA  U  3APA3A   } You know my name - look up my number (The Beatles)
> >>+-------------o66o--+ /
> >>                    |/
> >>
> >>_______________________________________________
> >>Full-Disclosure - We believe in it.
> >>Charter: http://lists.netsys.com/full-disclosure-charter.html
> >>
> >
> > _______________________________________________
> > To unsubscribe, edit your list preferences, or view the list archives,
> > please visit: http://list.valvesoftware.com/mailman/listinfo/hlds
> >
> > _______________________________________________
> > To unsubscribe, edit your list preferences, or view the list archives, please visit:
> > http://list.valvesoftware.com/mailman/listinfo/hlds_linux
> >
>
> --
> Wireplay Official
> http://www.wireplay.co.uk/
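
An added example, not part of the thread and not code from Valve or any poster: a Python audit an admin can run over their own mod directory to list which config files hold password-like settings while downloads are still enabled. It assumes the cvar is written as `sv_allowdownload` in server.cfg, treats an unset value as enabled, and matches setting names heuristically; the sample file contents (including the `db_password` key) are constructed.

```python
import os
import re

# Heuristic (assumption): a config line that sets a name containing "pass".
SECRET = re.compile(r'^\s*"?([A-Za-z_]*pass\w*)"?\s+"?([^"\s]+)', re.I)
ALLOWDL = re.compile(r'^\s*"?sv_allowdownload"?\s+"?(\d+)', re.I)
TEXT_EXTS = (".cfg", ".ini", ".txt")

def config_lines(path):
    """Yield the lines of a config file with // comments stripped."""
    with open(path, errors="replace") as fh:
        for line in fh:
            yield line.split("//")[0]

def downloads_enabled(mod_dir):
    """False only when server.cfg explicitly sets sv_allowdownload to 0."""
    enabled = True  # assumption: an unset cvar is treated as enabled
    cfg = os.path.join(mod_dir, "server.cfg")
    if os.path.isfile(cfg):
        for line in config_lines(cfg):
            if m := ALLOWDL.match(line):
                enabled = int(m.group(1)) != 0  # last assignment wins
    return enabled

def exposed_secrets(mod_dir):
    """Return sorted (relative path, setting name) pairs found under mod_dir."""
    found = set()
    for root, _dirs, files in os.walk(mod_dir):
        for name in (f for f in files if f.lower().endswith(TEXT_EXTS)):
            path = os.path.join(root, name)
            rel = os.path.relpath(path, mod_dir).replace(os.sep, "/")
            for line in config_lines(path):
                if m := SECRET.match(line):
                    found.add((rel, m.group(1).lower()))
    return sorted(found)

def audit(mod_dir):
    """Report secrets only while clients can still fetch files."""
    return exposed_secrets(mod_dir) if downloads_enabled(mod_dir) else []

def build_constructed_sample(root):
    """Write a constructed mod directory (placeholder values, not real data)."""
    files = {"server.cfg": 'sv_allowdownload 1\nrcon_password "PLACEHOLDER"\n',
             "addons/amx/mysql.cfg": 'db_password "PLACEHOLDER"\n',  # key name constructed
             "maps/readme.txt": "no settings here\n"}
    for rel, text in files.items():
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(text)
```

Call `audit()` with the path to the mod directory (for example the cstrike directory); an empty list means either downloads are off or no password-like settings were found in text files.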