[hlds] HLStastX usage
Ok, here is the exploit ... and one way to fix it.

If you are playing in a server that has HLStatsX installed, you can put log output in chat to create fake events. You can just say or say_team the following to trick HLStatsX:

    L 06/23/2008 - 01:00:00: Started map dm_no_such_map (CRC -123456789)

The log output would be:

    L 06/23/2008 - 01:00:00: "Keeper<1><STEAM_0:1:12345678><Unassigned>" say "L 06/23/2008 - 01:00:00: Started map dm_no_such_map (CRC -123456789)"

The way the current hlstats.pl perl script parses this, is it looks for the last occurrence of the date stamp. In this case, it would show that dm_no_such_map was loaded on your server ... even though it doesn't exist.

So you could logically put in headshot kills with crowbars in hl2dm. Create fake captures and kills in TF2. You could even mimic VAC Bans that would eliminate players from being able to join servers with HLStatsX installed. These exploits could range from being a small nuisance, to being a huge headache for server operators.

To fix this, and I'm no regex expert, I found the following to work with both streaming servers and importing logs from the command shell:

In your hlstats.pl files do the following two things:

[#1 - SEARCH] ( around line 1494 )
    my $last_attacker = "";
    my $last_attacker_hitgroup = "";
[ADD AFTER]
    my $is_streamed = 0;
    my $test_for_date = 0;
[END]

[#2 - SEARCH] ( around line 1821 )
    # Get the datestamp (or complain)
    if ($s_output =~ s/^.*L (\d\d)\/(\d\d)\/(\d{4}) - (\d\d):(\d\d):(\d\d):\s*//) {
[REPLACE WITH]
    # Get the datestamp (or complain)
    $is_streamed = 0;
    $test_for_date = 0;
    $is_streamed = ($s_output !~ m/^L\s*/);
    if ( !$is_streamed ) {
        $test_for_date = ($s_output =~ s/^L (\d\d)\/(\d\d)\/(\d{4}) - (\d\d):(\d\d):(\d\d):\s*//);
    } else {
        $test_for_date = ($s_output =~ s/^\S*L (\d\d)\/(\d\d)\/(\d{4}) - (\d\d):(\d\d):(\d\d):\s*//);
    }
    if ($test_for_date) {
[END]

This will allow the hlstats.pl parser to get the full event after the FIRST log stamp, and will stop this method of spoofing.

Let me state, that I in no way support HLStatsX, nor will I do so in the future. But I wanted to post about this so server operators could keep the integrity of their databases.

Keeper

___
To unsubscribe, edit your list preferences, or view the list archives, please visit:
http://list.valvesoftware.com/mailman/listinfo/hlds
Re: [hlds] HLStastX usage
would you explain in more detail? so what exactly am I supposed to type to trick hlstatsx? I've honestly never heard of this from lart or anyone involved in custom hlstatsx script so I don't really think this problem exists but just in case it does, I would like to learn about the details. thanks.

--- On Mon, 6/23/08, Keeper [EMAIL PROTECTED] wrote:
> From: Keeper [EMAIL PROTECTED]
> Subject: [hlds] HLStastX usage
> To: 'Half-Life dedicated Win32 server mailing list' hlds@list.valvesoftware.com, 'Half-Life dedicated Linux server mailing list' [EMAIL PROTECTED]
> Date: Monday, June 23, 2008, 10:22 AM
>
> Ok, here is the exploit ... and one way to fix it.
>
> If you are playing in a server that has HLStatsX installed, you can put log output in chat to create fake events. You can just say or say_team the following to trick HLStatsX:
>
>     L 06/23/2008 - 01:00:00: Started map dm_no_such_map (CRC -123456789)
>
> The log output would be:
>
>     L 06/23/2008 - 01:00:00: "Keeper<1><STEAM_0:1:12345678><Unassigned>" say "L 06/23/2008 - 01:00:00: Started map dm_no_such_map (CRC -123456789)"
>
> The way the current hlstats.pl perl script parses this, is it looks for the last occurrence of the date stamp. In this case, it would show that dm_no_such_map was loaded on your server ... even though it doesn't exist.
>
> So you could logically put in headshot kills with crowbars in hl2dm. Create fake captures and kills in TF2. You could even mimic VAC Bans that would eliminate players from being able to join servers with HLStatsX installed. These exploits could range from being a small nuisance, to being a huge headache for server operators.
>
> To fix this, and I'm no regex expert, I found the following to work with both streaming servers and importing logs from the command shell:
>
> In your hlstats.pl files do the following two things:
>
> [#1 - SEARCH] ( around line 1494 )
>     my $last_attacker = "";
>     my $last_attacker_hitgroup = "";
> [ADD AFTER]
>     my $is_streamed = 0;
>     my $test_for_date = 0;
> [END]
>
> [#2 - SEARCH] ( around line 1821 )
>     # Get the datestamp (or complain)
>     if ($s_output =~ s/^.*L (\d\d)\/(\d\d)\/(\d{4}) - (\d\d):(\d\d):(\d\d):\s*//) {
> [REPLACE WITH]
>     # Get the datestamp (or complain)
>     $is_streamed = 0;
>     $test_for_date = 0;
>     $is_streamed = ($s_output !~ m/^L\s*/);
>     if ( !$is_streamed ) {
>         $test_for_date = ($s_output =~ s/^L (\d\d)\/(\d\d)\/(\d{4}) - (\d\d):(\d\d):(\d\d):\s*//);
>     } else {
>         $test_for_date = ($s_output =~ s/^\S*L (\d\d)\/(\d\d)\/(\d{4}) - (\d\d):(\d\d):(\d\d):\s*//);
>     }
>     if ($test_for_date) {
> [END]
>
> This will allow the hlstats.pl parser to get the full event after the FIRST log stamp, and will stop this method of spoofing.
>
> Let me state, that I in no way support HLStatsX, nor will I do so in the future. But I wanted to post about this so server operators could keep the integrity of their databases.
>
> Keeper
Re: [hlds] HLStastX usage
this does work and works a little too well hehe. how it works is that when someone says something the log file has what keeper said before

    L 06/23/2008 - 01:00:00: "Keeper<1><STEAM_0:1:12345678><Unassigned>" say "L 06/23/2008 - 01:00:00: Started map dm_no_such_map (CRC -123456789)"

now when hlstatsx parses that line it doesn't look where the date stamp is, it just looks for the date stamp and parses from there. it completely ignores what's in quotes and what is not. so anything that looks like a log line it will treat it as one.

JDoc0512 wrote:
> would you explain in more detail? so what exactly am I supposed to type to trick hlstatsx? I've honestly never heard of this from lart or anyone involved in custom hlstatsx script so I don't really think this problem exists but just in case it does, I would like to learn about the details. thanks.
>
> --- On Mon, 6/23/08, Keeper [EMAIL PROTECTED] wrote:
>> From: Keeper [EMAIL PROTECTED]
>> Subject: [hlds] HLStastX usage
>> To: 'Half-Life dedicated Win32 server mailing list' hlds@list.valvesoftware.com, 'Half-Life dedicated Linux server mailing list' [EMAIL PROTECTED]
>> Date: Monday, June 23, 2008, 10:22 AM
>>
>> Ok, here is the exploit ... and one way to fix it.
>>
>> If you are playing in a server that has HLStatsX installed, you can put log output in chat to create fake events. You can just say or say_team the following to trick HLStatsX:
>>
>>     L 06/23/2008 - 01:00:00: Started map dm_no_such_map (CRC -123456789)
>>
>> The log output would be:
>>
>>     L 06/23/2008 - 01:00:00: "Keeper<1><STEAM_0:1:12345678><Unassigned>" say "L 06/23/2008 - 01:00:00: Started map dm_no_such_map (CRC -123456789)"
>>
>> The way the current hlstats.pl perl script parses this, is it looks for the last occurrence of the date stamp. In this case, it would show that dm_no_such_map was loaded on your server ... even though it doesn't exist.
>>
>> So you could logically put in headshot kills with crowbars in hl2dm. Create fake captures and kills in TF2. You could even mimic VAC Bans that would eliminate players from being able to join servers with HLStatsX installed. These exploits could range from being a small nuisance, to being a huge headache for server operators.
>>
>> To fix this, and I'm no regex expert, I found the following to work with both streaming servers and importing logs from the command shell:
>>
>> In your hlstats.pl files do the following two things:
>>
>> [#1 - SEARCH] ( around line 1494 )
>>     my $last_attacker = "";
>>     my $last_attacker_hitgroup = "";
>> [ADD AFTER]
>>     my $is_streamed = 0;
>>     my $test_for_date = 0;
>> [END]
>>
>> [#2 - SEARCH] ( around line 1821 )
>>     # Get the datestamp (or complain)
>>     if ($s_output =~ s/^.*L (\d\d)\/(\d\d)\/(\d{4}) - (\d\d):(\d\d):(\d\d):\s*//) {
>> [REPLACE WITH]
>>     # Get the datestamp (or complain)
>>     $is_streamed = 0;
>>     $test_for_date = 0;
>>     $is_streamed = ($s_output !~ m/^L\s*/);
>>     if ( !$is_streamed ) {
>>         $test_for_date = ($s_output =~ s/^L (\d\d)\/(\d\d)\/(\d{4}) - (\d\d):(\d\d):(\d\d):\s*//);
>>     } else {
>>         $test_for_date = ($s_output =~ s/^\S*L (\d\d)\/(\d\d)\/(\d{4}) - (\d\d):(\d\d):(\d\d):\s*//);
>>     }
>>     if ($test_for_date) {
>> [END]
>>
>> This will allow the hlstats.pl parser to get the full event after the FIRST log stamp, and will stop this method of spoofing.
>>
>> Let me state, that I in no way support HLStatsX, nor will I do so in the future. But I wanted to post about this so server operators could keep the integrity of their databases.
>>
>> Keeper
Re: [hlds] HLStastX usage
Hello Keeper,

Didn't work for me:

    Month '-1' out of range 0..11 at ./hlstats.pl line 1901

Where the line is:

    $ev_unixtime = timelocal($ev_sec,$ev_min,$ev_hour,$ev_day,$ev_month-1,$ev_year);

Can you upload the complete script somewhere?

Monday, June 23, 2008, 8:22:56 PM, you wrote:

K> [#1 - SEARCH] ( around line 1494 )
K> my $last_attacker = "";
K> my $last_attacker_hitgroup = "";
K> [ADD AFTER]
K> my $is_streamed= 0;
K> my $test_for_date = 0;
K> [END]
K> [#2 - SEARCH] ( around line 1821 )
K> # Get the datestamp (or complain)
K> if ($s_output =~ s/^.*L (\d\d)\/(\d\d)\/(\d{4}) -
K> (\d\d):(\d\d):(\d\d):\s*//)
K> {
K> [REPLACE WITH]
K> # Get the datestamp (or complain)
K> $is_streamed = 0;
K> $test_for_date = 0;
K> $is_streamed = ($s_output !~ m/^L\s*/);
K> if ( !$is_streamed ) {
K> $test_for_date = ($s_output =~ s/^L (\d\d)\/(\d\d)\/(\d{4}) -
K> (\d\d):(\d\d):(\d\d):\s*//);
K> } else {
K> $test_for_date = ($s_output =~ s/^\S*L (\d\d)\/(\d\d)\/(\d{4}) -
K> (\d\d):(\d\d):(\d\d):\s*//);
K> }
K> if ($test_for_date)
K> {
K> [END]

--
Best regards,
Serge
Re: [hlds] HLStastX usage
My fix was based off of the latest download from the HLStatsX website. Here's what the code should look like at the second part:

    # Get the datestamp (or complain)
    $is_streamed = 0;
    $test_for_date = 0;
    $is_streamed = ($s_output !~ m/^L\s*/);
    if ( !$is_streamed ) {
        $test_for_date = ($s_output =~ s/^L (\d\d)\/(\d\d)\/(\d{4}) - (\d\d):(\d\d):(\d\d):\s*//);
    } else {
        $test_for_date = ($s_output =~ s/^\S*L (\d\d)\/(\d\d)\/(\d{4}) - (\d\d):(\d\d):(\d\d):\s*//);
    }
    if ($test_for_date) {
        $ev_month = $1;
        $ev_day = $2;
        $ev_year = $3;
        $ev_hour = $4;
        $ev_min = $5;
        $ev_sec = $6;
        $ev_time = "$ev_hour:$ev_min:$ev_sec";
        if ($g_timestamp) {
            $ev_timestamp = "$ev_year-$ev_month-$ev_day $ev_time";
            $ev_datetime = "'$ev_timestamp'";
            $ev_unixtime = timelocal($ev_sec,$ev_min,$ev_hour,$ev_day,$ev_month-1,$ev_year);
        }
    } else {
        printEvent(998, "MALFORMED DATA: " . $s_output);
        next;
    }
    # Now we parse the events.
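The difference between parsing from the last datestamp and from the first one, as an added example that is not part of the original thread or of hlstats.pl. The function names, the sample lines and the XXXXR prefix standing in for the header on streamed lines are constructed for illustration; the captures are copied inside the block where the match succeeds, because Perl scopes $1..$6 to the enclosing block.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Datestamp at the head of a server log line; six capture groups.
my $STAMP = qr!L (\d\d)/(\d\d)/(\d{4}) - (\d\d):(\d\d):(\d\d):\s*!;

# Split a line into its stamp fields and the event text after the stamp.
# $1..$6 are read inside the block where the match succeeded: Perl scopes
# them to the enclosing block, so reading them after a nested if/else that
# performed the match yields stale or undefined values.
sub split_event {
    my ($line, $re) = @_;
    if ($line =~ $re) {
        my %f;
        @f{qw(month day year hour min sec)} = ($1, $2, $3, $4, $5, $6);
        $f{event} = substr($line, $+[0]);   # text after the matched stamp
        return \%f;
    }
    return;   # malformed line: no datestamp where one is required
}

# Behaviour of the pattern being replaced: greedy .* runs to the LAST stamp.
sub parse_last_stamp {
    my ($line) = @_;
    return split_event($line, qr/^.*$STAMP/);
}

# Anchored behaviour: only the FIRST stamp counts, with an optional
# non-whitespace prefix allowed on streamed lines.
sub parse_first_stamp {
    my ($line) = @_;
    my $re = $line =~ /^L / ? qr/^$STAMP/ : qr/^\S*$STAMP/;
    return split_event($line, $re);
}

# Detection aid: a second datestamp inside the event text means someone
# typed log-shaped text into chat or a player name.
sub has_embedded_stamp {
    my ($event) = @_;
    return $event =~ $STAMP ? 1 : 0;
}

# Constructed sample lines (not taken from a real server log).
my $chat = '"Keeper<1><STEAM_0:1:12345678><Unassigned>" say '
         . '"L 06/23/2008 - 01:00:00: Started map dm_no_such_map (CRC -123456789)"';
my @sample = (
    'L 06/23/2008 - 01:00:00: Started map "dm_lockdown" (CRC "-123456789")',
    "L 06/23/2008 - 01:00:05: $chat",        # imported from a log file
    "XXXXRL 06/23/2008 - 01:00:05: $chat",   # streamed, with a prefix
);

for my $line (@sample) {
    my $old = parse_last_stamp($line);
    my $new = parse_first_stamp($line);
    print "line:        $line\n";
    printf "last stamp:  %s\n", $old ? $old->{event} : 'MALFORMED';
    printf "first stamp: %s\n", $new ? $new->{event} : 'MALFORMED';
    printf "embedded:    %s\n\n",
        ($new && has_embedded_stamp($new->{event})) ? 'yes' : 'no';
}
```

For the two chat lines, the last-stamp parse yields the typed text as the event, while the first-stamp parse yields the whole say event with the typed text still inside its quotes.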
[hlds] HLStastX usage
I know this is not a source game issue, but since it is written for and used by source game operators I wanted to ask here:

Is there no longer any community based support for HLStatsX? I noticed Tobi has removed the forums from his site.

Somebody has pointed out a serious security flaw to me that we fixed. If it isn't rolled out into the free downloaded version I wanted to make the fix public. I will of course post it here, but wanted to know if there was anywhere else off-list that I could inform users of HLStatsX.

Thankfully it's an easy fix. We have found a security hole, but to our knowledge it hasn't been exploited yet at any of the servers that we have checked out.

Thanks,
Keeper
Re: [hlds] HLStastX usage
Yep, Great crew at www.lart2150.com
Re: [hlds] HLStastX usage
Is it a SQL injection / xss? Please send me information regarding this thanks. I'm personally not aware of any other communities for hlstatsx.

- Cody Robertson

On Jun 21, 2008, at 9:12 AM, Keeper [EMAIL PROTECTED] wrote:
> I know this is not a source game issue, but since it is written for and used by source game operators I wanted to ask here: Is there no longer any community based support for HLStatsX? I noticed Tobi has removed the forums from his site. Somebody has pointed out a serious security flaw to me that we fixed. If it isn't rolled out into the free downloaded version I wanted to make the fix public. I will of course post it here, but wanted to know if there was anywhere else off-list that I could inform users of HLStatsX. Thankfully it's an easy fix. We have found a security hole, but to our knowledge it hasn't been exploited yet at any of the servers that we have checked out.
>
> Thanks,
> Keeper
Re: [hlds] HLStastX usage
If they don't cleanse the input to a database, they deserve what they get. I swear. I'm tempted to name my kid ' or 1=1;drop users

Cody Robertson wrote:
> Is it a SQL injection / xss? Please send me information regarding this thanks. I'm personally not aware of any other communities for hlstatsx.
>
> - Cody Robertson
>
> On Jun 21, 2008, at 9:12 AM, Keeper [EMAIL PROTECTED] wrote:
>> I know this is not a source game issue, but since it is written for and used by source game operators I wanted to ask here: Is there no longer any community based support for HLStatsX? I noticed Tobi has removed the forums from his site. Somebody has pointed out a serious security flaw to me that we fixed. If it isn't rolled out into the free downloaded version I wanted to make the fix public. I will of course post it here, but wanted to know if there was anywhere else off-list that I could inform users of HLStatsX. Thankfully it's an easy fix. We have found a security hole, but to our knowledge it hasn't been exploited yet at any of the servers that we have checked out.
>>
>> Thanks,
>> Keeper
Re: [hlds] HLStastX usage
http://xkcd.com/327/

Leonard L. Church wrote:
> If they don't cleanse the input to a database, they deserve what they get. I swear. I'm tempted to name my kid ' or 1=1;drop users
>
> Cody Robertson wrote:
>> Is it a SQL injection / xss? Please send me information regarding this thanks. I'm personally not aware of any other communities for hlstatsx.
>>
>> - Cody Robertson
>>
>> On Jun 21, 2008, at 9:12 AM, Keeper [EMAIL PROTECTED] wrote:
>>> I know this is not a source game issue, but since it is written for and used by source game operators I wanted to ask here: Is there no longer any community based support for HLStatsX? I noticed Tobi has removed the forums from his site. Somebody has pointed out a serious security flaw to me that we fixed. If it isn't rolled out into the free downloaded version I wanted to make the fix public. I will of course post it here, but wanted to know if there was anywhere else off-list that I could inform users of HLStatsX. Thankfully it's an easy fix. We have found a security hole, but to our knowledge it hasn't been exploited yet at any of the servers that we have checked out.
>>>
>>> Thanks,
>>> Keeper
Re: [hlds] HLStastX usage
LOL! One of my favorite of his comics actually. :)

Chad Austin wrote:
> http://xkcd.com/327/
>
> Leonard L. Church wrote:
>> If they don't cleanse the input to a database, they deserve what they get. I swear. I'm tempted to name my kid ' or 1=1;drop users
>>
>> Cody Robertson wrote:
>>> Is it a SQL injection / xss? Please send me information regarding this thanks. I'm personally not aware of any other communities for hlstatsx.
>>>
>>> - Cody Robertson
>>>
>>> On Jun 21, 2008, at 9:12 AM, Keeper [EMAIL PROTECTED] wrote:
>>>> I know this is not a source game issue, but since it is written for and used by source game operators I wanted to ask here: Is there no longer any community based support for HLStatsX? I noticed Tobi has removed the forums from his site. Somebody has pointed out a serious security flaw to me that we fixed. If it isn't rolled out into the free downloaded version I wanted to make the fix public. I will of course post it here, but wanted to know if there was anywhere else off-list that I could inform users of HLStatsX. Thankfully it's an easy fix. We have found a security hole, but to our knowledge it hasn't been exploited yet at any of the servers that we have checked out.
>>>>
>>>> Thanks,
>>>> Keeper
Re: [hlds] HLStastX usage
If hlstatsx is that real nice stats website w/ sql you can set up for CS 1.6, search for banana's playground, he supports it.

Leonard L. Church wrote:
> LOL! One of my favorite of his comics actually. :)
>
> Chad Austin wrote:
>> http://xkcd.com/327/
>>
>> Leonard L. Church wrote:
>>> If they don't cleanse the input to a database, they deserve what they get. I swear. I'm tempted to name my kid ' or 1=1;drop users
>>>
>>> Cody Robertson wrote:
>>>> Is it a SQL injection / xss? Please send me information regarding this thanks. I'm personally not aware of any other communities for hlstatsx.
>>>>
>>>> - Cody Robertson
>>>>
>>>> On Jun 21, 2008, at 9:12 AM, Keeper [EMAIL PROTECTED] wrote:
>>>>> I know this is not a source game issue, but since it is written for and used by source game operators I wanted to ask here: Is there no longer any community based support for HLStatsX? I noticed Tobi has removed the forums from his site. Somebody has pointed out a serious security flaw to me that we fixed. If it isn't rolled out into the free downloaded version I wanted to make the fix public. I will of course post it here, but wanted to know if there was anywhere else off-list that I could inform users of HLStatsX. Thankfully it's an easy fix. We have found a security hole, but to our knowledge it hasn't been exploited yet at any of the servers that we have checked out.
>>>>>
>>>>> Thanks,
>>>>> Keeper
Re: [hlds] HLStastX usage
You're thinking hlstats, which may also be affected. This is hlstatsx

Chad Austin wrote:
> If hlstatsx is that real nice stats website w/ sql you can set up for CS 1.6, search for banana's playground, he supports it.
>
> Leonard L. Church wrote:
>> LOL! One of my favorite of his comics actually. :)
>>
>> Chad Austin wrote:
>>> http://xkcd.com/327/
>>>
>>> Leonard L. Church wrote:
>>>> If they don't cleanse the input to a database, they deserve what they get. I swear. I'm tempted to name my kid ' or 1=1;drop users
>>>>
>>>> Cody Robertson wrote:
>>>>> Is it a SQL injection / xss? Please send me information regarding this thanks. I'm personally not aware of any other communities for hlstatsx.
>>>>>
>>>>> - Cody Robertson
>>>>>
>>>>> On Jun 21, 2008, at 9:12 AM, Keeper [EMAIL PROTECTED] wrote:
>>>>>> I know this is not a source game issue, but since it is written for and used by source game operators I wanted to ask here: Is there no longer any community based support for HLStatsX? I noticed Tobi has removed the forums from his site. Somebody has pointed out a serious security flaw to me that we fixed. If it isn't rolled out into the free downloaded version I wanted to make the fix public. I will of course post it here, but wanted to know if there was anywhere else off-list that I could inform users of HLStatsX. Thankfully it's an easy fix. We have found a security hole, but to our knowledge it hasn't been exploited yet at any of the servers that we have checked out.
>>>>>>
>>>>>> Thanks,
>>>>>> Keeper
Re: [hlds] HLStastX usage
I'll make a post there when time comes. I want to give Tobi a chance to fix it himself first.

This problem is caused by a person in the server playing. It's not a web interface kind of problem.

Keeper

-----Original Message-----
From: Mike Stiehm [mailto:[EMAIL PROTECTED]
Sent: Saturday, June 21, 2008 12:17 PM
To: Half-Life dedicated Win32 server mailing list
Subject: Re: [hlds] HLStastX usage

Yep, Great crew at www.lart2150.com