well in a way it is kinda better for here since a lot of servers use
this program and it does work in all version custom and premium.*
*Jani Tiira wrote:
> Great post.. dumb post.. all the same.. I personally would have mailed this
> to Tobi17 instead of posting it here. But good catch anyway..
>
> --
> Tirppa
>
> On Mon, Jun 23, 2008 at 7:22 PM, Keeper <[EMAIL PROTECTED]> wrote:
>
>
>> Ok, here is the exploit ... and one way to fix it.
>>
>> If you are playing in a server that has HLStatsX installed, you can put log
>> output in chat to create fake events.
>>
>> You can just say or say_team the following to trick HLStatsX:
>>
>> L 06/23/2008 - 01:00:00: Started map "dm_no_such_map" (CRC "-123456789")
>>
>> The log output would be:
>>
>> L 06/23/2008 - 01:00:00: "Keeper<1><STEAM_0:1:12345678><Unassigned>" say "L
>> 06/23/2008 - 01:00:00: Started map "dm_no_such_map" (CRC "-123456789")"
>>
>> The way the current hlstats.pl perl script parses this, is it looks for the
>> last occurrence of the date stamp. In this case, it would show that
>> dm_no_such_map was loaded on your server ... even though it doesn't exist.
>> So you could logically put in headshot kills with crowbars in hl2dm.
>> Create
>> fake captures and kills in TF2. You could even mimic VAC Bans that would
>> eliminate players from being able to join servers with HLStatsX installed.
>>
>> These exploits could range from being a small nuisance, to being a huge
>> headache for server operators.
>>
>> To fix this, and I'm no regex expert, I found the following to work with
>> both streaming servers and importing logs from the command shell:
>>
>> In your hlstats.pl files do the following two things:
>>
>> [#1 - SEARCH] ( around line 1494 )
>> my $last_attacker = "";
>> my $last_attacker_hitgroup = "";
>> [ADD AFTER]
>> my $is_streamed = 0;
>> my $test_for_date = 0;
>> [END]------------------------------------------------------------
>>
>> [#2 - SEARCH] ( around line 1821 )
>> # Get the datestamp (or complain)
>> if ($s_output =~ s/^.*L (\d\d)\/(\d\d)\/(\d{4}) -
>> (\d\d):(\d\d):(\d\d):\s*//)
>> {
>> [REPLACE WITH]
>> # Get the datestamp (or complain)
>> $is_streamed = 0;
>> $test_for_date = 0;
>> $is_streamed = ($s_output !~ m/^L\s*/);
>>
>> if ( !$is_streamed ) {
>> $test_for_date = ($s_output =~ s/^L (\d\d)\/(\d\d)\/(\d{4}) -
>> (\d\d):(\d\d):(\d\d):\s*//);
>> } else {
>> $test_for_date = ($s_output =~ s/^\S*L (\d\d)\/(\d\d)\/(\d{4}) -
>> (\d\d):(\d\d):(\d\d):\s*//);
>> }
>>
>> if ($test_for_date)
>> {
>> [END]------------------------------------------------------------
>>
>> This will allow the hlstats.pl parser to get the full event after the FIRST
>> log stamp, and will stop this method of spoofing.
>>
>> Let me state, that I in no way support HLStatsX, nor will I do so in the
>> future. But I wanted to post about this so server operators could keep the
>> integrity of their databases.
>>
>> Keeper
>>
>>
>> _______________________________________________
>> To unsubscribe, edit your list preferences, or view the list archives,
>> please visit:
>> http://list.valvesoftware.com/mailman/listinfo/hlds_linux
>>
>>
> _______________________________________________
> To unsubscribe, edit your list preferences, or view the list archives, please
> visit:
> http://list.valvesoftware.com/mailman/listinfo/hlds_linux
>
>
>
_______________________________________________
To unsubscribe, edit your list preferences, or view the list archives, please
visit:
http://list.valvesoftware.com/mailman/listinfo/hlds_linux
