Re: [hlds_linux] [Full-Disclosure] Half Life dedicated server information leak and DoS
Staying out of cstrike directory renders startup scripts secure so I've put
my users.ini file outside cstrike (users_file "../users.ini") and I've tried
to retrieve it. I've also changed my server.cfg to something like
jfrfhruehfrhfr.cfg

Anyway I have faith that Alfred will fix it asap as I've noticed the new
blood that flows in Valve's veins.

Emanuel 'Rygars' Harangus
Technical Manager, Professional Gamers League Romania

----- Original Message -----
From: "Florian Zschocke" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, November 20, 2003 2:13 PM
Subject: Re: [hlds_linux] [Full-Disclosure] Half Life dedicated server information leak and DoS

> [FAW]Terran wrote:
>
> > I didn't follow the entire thread. But if I can download the adminmod.cfg
> > all i have to do is to take a look into it and i will know the location of
> > the users.ini file...
>
> The advisory says that you can only download files from below the
> game directory (e.g. cstrike) or the valve directory. From that I
> am assuming that a relative path leading out of those would not
> work. This is something that had been fixed by Valve in a
> different context some time ago. But I haven't tested this myself
> yet, so I can't say for sure if you can download files from above
> those directories with the method described.
>
> Florian.

___
To unsubscribe, edit your list preferences, or view the list archives, please visit:
http://list.valvesoftware.com/mailman/listinfo/hlds_linux
Re: [hlds_linux] [Full-Disclosure] Half Life dedicated server information leak and DoS
That's in fact a brilliant idea :)

----- Original Message -----
From: "Florian Zschocke" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, November 20, 2003 12:27 PM
Subject: Re: [hlds_linux] [Full-Disclosure] Half Life dedicated server information leak and DoS

> Emanuel Harangus wrote:
> > I could dl addons/adminmod/config/users.ini .. addons/metamod/plugins.ini
> > The server.cfg seems to fail as exists in hdd.
> > I disabled allowdownload and allowupload until further news about fixing
> > the exploit.
>
> As for Admin Mod: you can move the Admin Mod config files like
> users.ini to a directory above the game directory so that a
> download will not work anymore. You just have to specify the path
> in the adminmod.cfg file accordingly. Example:
>
> addons/adminmod/config/adminmod.cfg:
>     users_file ../../adminmod/config/users.ini
>
> And the tree:
>
> -- somedir
>    |-- hlds
>    |   |-- cstrike
>    |   \-- valve
>    |
>    \-- adminmod
>        \-- config
>            \-- users.ini
>
> (I hope you use a fixed width font to read your email or you may
> not see the tree drawing correctly.)
>
> Florian.
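Added example, not part of the original thread and not Admin Mod or Valve code: a small check of where a users_file setting ends up relative to the two directories the advisory names as downloadable (the game directory and 'valve'). It assumes, as the tree above implies, that users_file is resolved relative to the game directory; the function names and the /somedir/hlds layout are illustrative.

```python
import posixpath

def downloadable_roots(hlds_root, game):
    # Per the advisory: the current game directory and the 'valve' directory.
    return [posixpath.join(hlds_root, game), posixpath.join(hlds_root, "valve")]

def parse_users_file(cfg_text):
    """Return the users_file value from adminmod.cfg text, or None if unset."""
    for raw in cfg_text.splitlines():
        line = raw.split("//", 1)[0].strip()      # drop // comments
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0] == "users_file":
            return parts[1].strip().strip('"')    # value may be quoted
    return None

def resolve(hlds_root, game, value):
    # Assumption: the path is relative to the game directory.
    # Lexical only; on a live server also resolve symlinks with os.path.realpath.
    return posixpath.normpath(posixpath.join(hlds_root, game, value))

def exposed_under(hlds_root, game, value):
    """Return the downloadable root containing the resolved path, else None."""
    target = resolve(hlds_root, game, value)
    for root in downloadable_roots(hlds_root, game):
        if posixpath.commonpath([root, target]) == root:
            return root
    return None

# Constructed sample config, using the path from the message above.
SAMPLE_CFG = """// constructed sample adminmod.cfg
users_file ../../adminmod/config/users.ini
"""

if __name__ == "__main__":
    root, game = "/somedir/hlds", "cstrike"
    candidates = [
        parse_users_file(SAMPLE_CFG),         # outside hlds entirely
        "../users.ini",                       # in hlds/, outside both roots
        "addons/adminmod/config/users.ini",   # default location, inside cstrike
        "../valve/users.ini",                 # leaves cstrike but lands in valve
    ]
    for value in candidates:
        hit = exposed_under(root, game, value)
        state = "inside " + hit if hit else "outside downloadable roots"
        print(f"{value:40} -> {resolve(root, game, value)} ({state})")
```

A path that merely leaves the game directory is not enough: the last case climbs out of cstrike and still lands in 'valve', which the advisory lists as downloadable.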
Re: [hlds_linux] [Full-Disclosure] Half Life dedicated server information leak and DoS
I could dl addons/adminmod/config/users.ini .. addons/metamod/plugins.ini
The server.cfg seems to fail as exists in hdd.
I disabled allowdownload and allowupload until further news about fixing
the exploit.

Emanuel 'Rygars' Harangus
Technical Manager, Professional Gamers League Romania
Re: [hlds_linux] [Full-Disclosure] Half Life dedicated server information leak and DoS
I surely couldn't download server.cfg file. I tried to remove them from my
client and download server.cfg again and it failed.

Emanuel 'Rygars' Harangus
Technical Manager, Professional Gamers League Romania

----- Original Message -----
From: "Alastair Grant" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, November 20, 2003 1:30 AM
Subject: Re: [hlds_linux] [Full-Disclosure] Half Life dedicated server information leak and DoS

> You can't seem to download the server.cfg file. I've tried it on my
> servers and it won't work.
>
> Also it won't download anything below your mod directory, which is good
> news. I tried downloading hlds_run and /etc/passwd both failed.
>
> Although you can download other files. Please could somebody confirm
> downloading of the server.cfg doesn't work.
>
> I've currently got the rcon password in the command line run for the
> server so it's not written down. This of course is not an option if you
> are on a shared box; as people can see the password in the process listing.
>
> Simon Street wrote:
> > And fwed here.
> >
> > Ignore if you don't care etc etc...
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Tom Russell
> > Sent: 19 November 2003 20:41
> > To: [EMAIL PROTECTED]
> > Subject: [hlds] [CRITICAL] Fw: [Full-Disclosure] Half Life dedicated server
> > information leak and DoS
> >
> > Forwarded to [EMAIL PROTECTED] as i feel it has some relevance and
> > you server admins need to protect yourselves.
> >
> > Tested and confirmed (for files other than server.cfg) on TFC.
> >
> > I believe in full disclosure.
> >
> > ----- Original Message -----
> > From: "3APA3A" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Sent: Wednesday, November 19, 2003 4:07 PM
> > Subject: [Full-Disclosure] Half Life dedicated server information leak and
> > DoS
> >
> >>
> >>Probably is known, but is not documented:
> >>
> >>Vendor: Valve software
> >>Software: hlds, all versions (including steam).
> >>Problem: Information leak, DoS
> >>Author: SYZo[SND]
> >>
> >>Problem:
> >>
> >>in server configuration, if allowdownload = 1, it's possible to
> >>download any file from directory of the current game (cstrike was
> >>tested) or from 'valve' directory from server. Allowdownload is
> >>required to allow clients to retrieve new maps from server.
> >>
> >>Impact:
> >>
> >>It's possible to download configuration files (like server.cfg,
> >>configuration files for different mods, etc) with sensitive
> >>information, including passwords. Additionally, downloading large
> >>file (for example map) causes server to crash.
> >>
> >>"Exploit":
> >>
> >> cmd dlfile server.cfg
> >> cmd dlfile addons/amx/users.ini
> >> cmd dlfile addons/amx/mysql.cfg
> >> cmd dlfile maps/de_torn.bsp
> >>
> >>Workaround:
> >>
> >> disable downloads.
> >>
> >>--
> >>http://www.security.nnov.ru
> >> /\_/\
> >>{ , . } |\
> >>+--oQQo->{ ^ }<-+ \
> >>| ZARAZA U 3APA3A } You know my name - look up my number (The Beatles)
> >>+-o66o--+ /
> >>|/
> >>
> >>___
> >>Full-Disclosure - We believe in it.
> >>Charter: http://lists.netsys.com/full-disclosure-charter.html
> >
> > ___
> > To unsubscribe, edit your list preferences, or view the list archives,
> > please visit: http://list.valvesoftware.com/mailman/listinfo/hlds
>
> --
> Wireplay Official
> http://www.wireplay.co.uk/
Re: [hlds_linux] server.cfg not exec'ing at map change
Thank you. It's working.
I've added mapchangecfgfile "server.cfg" in server.cfg and it's real :)

Emanuel 'Rygars' Harangus
Technical Manager, Professional Gamers League Romania

----- Original Message -----
From: "Terrance Thornsley" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, November 19, 2003 10:38 AM
Subject: Re: [hlds_linux] server.cfg not exec'ing at map change

> I use the following commandline on the latest hlds, and have no problems
> with it running the config correctly:
> ./hlds_run -game cstrike +exec server.cfg +port 27015 +map de_dust -autoupdate +mapchangecfgfile "server.cfg" +pingboost 3
>
> Terry
Re: [hlds_linux] HLTV recordings?
The demos are saved into cstrike directory or MOD directory
3.1.1.1x does that.

----- Original Message -----
From: "Nander Paardekooper" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, September 01, 2003 2:59 PM
Subject: Re: [hlds_linux] HLTV recordings?

No, they are not...
They are saved in the "cstrike" directory...

----- Original Message -----
From: Tristan
To: [EMAIL PROTECTED]
Sent: Monday, 01 September, 2003 13:50
Subject: Re: [hlds_linux] HLTV recordings?

As far as I know, they're actually saved to wherever the hltv executable is

-Tristan

----- Original Message -----
From: "Nander Paardekooper" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, September 01, 2003 11:35 PM
Subject: Re: [hlds_linux] HLTV recordings?

hlds_l\cstrike

----- Original Message -----
From: Hambalek Regis CH [FAT]
To: '[EMAIL PROTECTED]'
Sent: Monday, 01 September, 2003 13:20
Subject: [hlds_linux] HLTV recordings?

I managed to get HLTV running but I just can't find where the recorded files
are saved.
The hltv process works fine, even when record command is started, I just
can't find any file in hlds subfolders...
anyone got an idea?

Régis Hambalek.
Re: [hlds_linux] director_i386.so no where around
forget about it.. if you would put the file in cstrike/dlls/ you would get
hltv to crash

----- Original Message -----
From: "Hambalek Regis CH [FAT]" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, September 01, 2003 12:35 PM
Subject: [hlds_linux] director_i386.so no where around

> I have problems running hltv after upgrading to 3.1.1.1d, and one of the
> reasons is director_i386.so is nowhere around my hlds folder.
> Could any one say me why, or which file should be downloaded and installed if
> hlds_l_3111d_update.tar.gz is not enough?
>
> Thx
>
> REGIS HAMBALEK.
Re: [hlds_linux] test
me too...
I tried to re-subscribe and I've ended up in getting "your are alreay
subscribed". The other lists are working alright but hlds-linux.
Maybe it's their fault ;)
HLDS_LIST 3.1.1.1a :P
Re: [hlds_linux] HLDS Console *SIMPLE* Feature Request
Sixth!!

----- Original Message -----
From: "Adam 'Starblazer' Romberg" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Sunday, August 10, 2003 3:27 AM
Subject: RE: [hlds_linux] HLDS Console *SIMPLE* Feature Request

> Fifth!
>
> -a-
>
> Adam 'Starblazer' Romberg Appleton: 920-738-9032
> System Administrator
> ExtremePC LLC -=- http://www.extremepcgaming.net
>
> On Sat, 9 Aug 2003, Matt Gossage wrote:
>
> > I fourth it :-)
Re: [hlds_linux] Security hole known to Valve for months ??
How true you are! :(

----- Original Message -----
From: "wandlampe" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, July 31, 2003 7:06 PM
Subject: RE: [hlds_linux] Security hole known to Valve for months ??

> > But indeed it would be nice to know the 'why' of not fixing it during 4
> > months of knowing this security hole. Although this exploit was not very
> > known 'out-in-the-open' it didn't mean a less serious exploit.
> >
> > Regards,
> >
> > Rolph Haspers
> > GameServers.Net
>
> Well, the guy who published the proof-of-concept-exploit did us a big
> favour i think...
>
> If he hadn't released it, Valve would have done a shit about that
> hole...
>
> Next time, perhaps a Blackhat finds the hole, and not just some nice guy
> who hasn't got any interest at all in breaking/overtaking servers...
>
> Think about it...
>
> Greetings