well in a way it is kinda better for here since a lot of servers use this program and it does work in all version custom and premium.*
*Jani Tiira wrote: > Great post.. dumb post.. all the same.. I personally would have mailed this > to Tobi17 instead of posting it here. But good catch anyway.. > > -- > Tirppa > > On Mon, Jun 23, 2008 at 7:22 PM, Keeper <[EMAIL PROTECTED]> wrote: > > >> Ok, here is the exploit ... and one way to fix it. >> >> If you are playing in a server that has HLStatsX installed, you can put log >> output in chat to create fake events. >> >> You can just say or say_team the following to trick HLStatsX: >> >> L 06/23/2008 - 01:00:00: Started map "dm_no_such_map" (CRC "-123456789") >> >> The log output would be: >> >> L 06/23/2008 - 01:00:00: "Keeper<1><STEAM_0:1:12345678><Unassigned>" say "L >> 06/23/2008 - 01:00:00: Started map "dm_no_such_map" (CRC "-123456789")" >> >> The way the current hlstats.pl perl script parses this, is it looks for the >> last occurrence of the date stamp. In this case, it would show that >> dm_no_such_map was loaded on your server ... even though it doesn't exist. >> So you could logically put in headshot kills with crowbars in hl2dm. >> Create >> fake captures and kills in TF2. You could even mimic VAC Bans that would >> eliminate players from being able to join servers with HLStatsX installed. >> >> These exploits could range from being a small nuisance, to being a huge >> headache for server operators. >> >> To fix this, and I'm no regex expert, I found the following to work with >> both streaming servers and importing logs from the command shell: >> >> In your hlstats.pl files do the following two things: >> >> [#1 - SEARCH] ( around line 1494 ) >> my $last_attacker = ""; >> my $last_attacker_hitgroup = ""; >> [ADD AFTER] >> my $is_streamed = 0; >> my $test_for_date = 0; >> [END]------------------------------------------------------------ >> >> [#2 - SEARCH] ( around line 1821 ) >> # Get the datestamp (or complain) >> if ($s_output =~ s/^.*L (\d\d)\/(\d\d)\/(\d{4}) - >> (\d\d):(\d\d):(\d\d):\s*//) >> { >> [REPLACE WITH] >> # Get the datestamp (or complain) >> $is_streamed = 0; >> $test_for_date = 0; >> $is_streamed = ($s_output !~ m/^L\s*/); >> >> if ( !$is_streamed ) { >> $test_for_date = ($s_output =~ s/^L (\d\d)\/(\d\d)\/(\d{4}) - >> (\d\d):(\d\d):(\d\d):\s*//); >> } else { >> $test_for_date = ($s_output =~ s/^\S*L (\d\d)\/(\d\d)\/(\d{4}) - >> (\d\d):(\d\d):(\d\d):\s*//); >> } >> >> if ($test_for_date) >> { >> [END]------------------------------------------------------------ >> >> This will allow the hlstats.pl parser to get the full event after the FIRST >> log stamp, and will stop this method of spoofing. >> >> Let me state, that I in no way support HLStatsX, nor will I do so in the >> future. But I wanted to post about this so server operators could keep the >> integrity of their databases. >> >> Keeper >> >> >> _______________________________________________ >> To unsubscribe, edit your list preferences, or view the list archives, >> please visit: >> http://list.valvesoftware.com/mailman/listinfo/hlds_linux >> >> > _______________________________________________ > To unsubscribe, edit your list preferences, or view the list archives, please > visit: > http://list.valvesoftware.com/mailman/listinfo/hlds_linux > > > _______________________________________________ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds_linux