Quote:
Originally Posted by WildCard65
ya, atm I would recommend pushing a hotfix to the whole servercommand thing as it put servers that decide to use this plugin at risk of command injection. I would recommend IMMEDIATELY change from using servercommand to kickclient as sm_kick uses that native.
Edit: Example of command injection with your plugin: sm_fakevac lol;quit would turn into this: sm_kick lol;quit which in turn turns into these commands(as ; in source is a delimeter to serperate commands in console which is where servercommand executes things): sm_kick lol then it runs quit
Quit in a server console shuts the server down.
Edit2: Your using an indeterminate loop to do a what for can do(which for is determinate)
|
Only admins can run the cmd but anyways when I tried using KickClient it wouldn't work idk why but Ill try it again in a bit not on pc atm