Ok, here is the exploit ... and one way to fix it.
If you are playing in a server that has HLStatsX installed, you can put log
output in chat to create fake events.
You can just say or say_team the following to trick HLStatsX:
L 06/23/2008 - 01:00:00: Started map dm_no_such_map (CRC -123456789)
. thanks.
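The chat injection described above, as an added Perl example that is not part of the original post and is not HLStatsX's code. It assumes a parser that skips to the last timestamp in a line (the thread does not show the real regex) and contrasts it with a start-anchored parser that range-checks the date and treats say/say_team text as data; `naive_event`, `strict_event` and all sample lines are constructed for illustration.

```perl
use strict;
use warnings;
use Time::Local qw(timelocal);

my $STAMP = qr{L (\d\d)/(\d\d)/(\d{4}) - (\d\d):(\d\d):(\d\d): };

# Assumed weak parser (not HLStatsX's code): the greedy .* skips to the LAST
# timestamp in the line, so chat text that contains one becomes the event.
sub naive_event {
    my ($line) = @_;
    return $line =~ /^.*$STAMP(.*)$/ ? $7 : undef;
}

# Hardened parser: timestamp only at column 0, fields range-checked before
# timelocal(), and a say/say_team line is always classified as chat.
sub strict_event {
    my ($line) = @_;
    my ($mon, $day, $yr, $h, $m, $s, $rest) = $line =~ /^$STAMP(.*)$/
        or return { type => 'rejected' };
    return { type => 'rejected' }
        if $mon < 1 || $mon > 12 || $day < 1 || $day > 31
        || $h > 23 || $m > 59 || $s > 59;
    my $time = eval { timelocal($s, $m, $h, $day, $mon - 1, $yr) };
    return { type => 'rejected' } unless defined $time;
    # Chat is matched first; whatever sits inside the quotes stays plain text.
    return { type => 'chat', time => $time, text => $3 }
        if $rest =~ /^"(.+)<\d+><[^<>]*><[^<>]*>" (say|say_team) "(.*)"$/;
    return { type => 'map', time => $time, map => $1 }
        if $rest =~ /^Started map "?([^"(]+?)"? \(CRC "?(-?\d+)"?\)$/;
    return { type => 'other', time => $time };
}

# Constructed sample lines (not captured from a real server).
my $fake    = 'L 06/23/2008 - 01:00:00: Started map dm_no_such_map (CRC -123456789)';
my $genuine = 'L 06/23/2008 - 00:59:58: Started map "dm_lockdown" (CRC "1234567")';
my $chat    = qq{L 06/23/2008 - 00:59:59: "Player<2><STEAM_ID_PLACEHOLDER><Blue>" say "$fake"};
my $bad     = 'L 13/23/2008 - 01:00:00: Started map dm_no_such_map (CRC -123456789)';

for my $line ($genuine, $chat, $bad) {
    my $ev = strict_event($line);
    printf "naive: %-46s strict: %s\n", naive_event($line) // '(none)', $ev->{type};
}
```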
--- On Mon, 6/23/08, Keeper [EMAIL PROTECTED] wrote:
From: Keeper [EMAIL PROTECTED]
Subject: [hlds] HLStastX usage
To: 'Half-Life dedicated Win32 server mailing list' hlds@list.valvesoftware.com, 'Half-Life dedicated Linux server mailing list' [EMAIL PROTECTED]
Date: Monday, June 23, 2008, 10:22 AM
Ok, here is the exploit
Hello Keeper,
Didn't work for me:
Month '-1' out of range 0..11 at ./hlstats.pl line 1901
Where the line is:
$ev_unixtime = timelocal($ev_sec,$ev_min,$ev_hour,$ev_day,$ev_month-1,$ev_year);
Can you upload the complete script somewhere?
Monday, June 23, 2008, 8:22:56 PM, you wrote:
K [#1
My fix was based off of the latest download from the HLStatsX website.
Here's what the code should look like at the second part:
# Get the datestamp (or complain)
$is_streamed = 0;
$test_for_date = 0;
$is_streamed = ($s_output !~ m/^L\s*/);
if ( !$is_streamed ) {
$test_for_date =
I know this is not a source game issue, but since it is written for and used
by source game operators I wanted to ask here:
Is there no longer any community based support for HLStatsX? I noticed Tobi
has removed the forums from his site. Somebody has pointed out a serious
security flaw to me
Yep, Great crew at www.lart2150.com
___
To unsubscribe, edit your list preferences, or view the list archives, please
visit:
http://list.valvesoftware.com/mailman/listinfo/hlds
Is it a SQL injection / xss? Please send me information regarding this
thanks. I'm personally not aware of any other communities for hlstatsx.
- Cody Robertson
On Jun 21, 2008, at 9:12 AM, Keeper [EMAIL PROTECTED] wrote:
I know this is not a source game issue, but since it is written for
If they don't cleanse the input to a database, they deserve what they get.
I swear. I'm tempted to name my kid ' or 1=1;drop users
Cody Robertson wrote:
Is it a SQL injection / xss? Please send me information regarding this
thanks. I'm personally not aware of any other communities for
http://xkcd.com/327/
Leonard L. Church wrote:
If they don't cleanse the input to a database, they deserve what they get.
I swear. I'm tempted to name my kid ' or 1=1;drop users
Cody Robertson wrote:
Is it a SQL injection / xss? Please send me information regarding this
thanks. I'm
LOL! One of my favorite of his comics actually. :)
Chad Austin wrote:
http://xkcd.com/327/
Leonard L. Church wrote:
If they don't cleanse the input to a database, they deserve what they get.
I swear. I'm tempted to name my kid ' or 1=1;drop users
Cody Robertson wrote:
Is it a SQL
If hlstatsx is that real nice stats website w/ sql you can set up for CS
1.6, search for banana's playground, he supports it.
Leonard L. Church wrote:
LOL! One of my favorite of his comics actually. :)
Chad Austin wrote:
http://xkcd.com/327/
Leonard L. Church wrote:
If they
You're thinking hlstats, which may also be affected. This is hlstatsx
Chad Austin wrote:
If hlstatsx is that real nice stats website w/ sql you can set up for CS
1.6, search for banana's playground, he supports it.
Leonard L. Church wrote:
LOL! One of my favorite of his comics actually.
21, 2008 12:17 PM
To: Half-Life dedicated Win32 server mailing list
Subject: Re: [hlds] HLStastX usage
Yep, Great crew at www.lart2150.com