[Brrdy]

FakeVAC by Brrdy

Features:
Releases a fake VAC message acting as if the person got banned

Commands:
fv_kick
Usage: fv_kick <player>
fv_version

Changelog:

Quote:

2015-03-05 (v0.0) * Initial Release 2015-04-05 (v1.0.2) * Update plugin fixing bugs mentioned below Thanks Mitchell. *Fixed double letters I think.....

Off-Topic: Thanks r3dw3r3w0lf for posting a fix while I was away ^_^ I haven't looked at your code but I have a feeling it works as you seem more experienced than me

[Mitchell]

Things wrong:
No version cvar, in fact some may argue that version 0.0.0 isn't a valid version, as that means there was no release, but you are releasing it right now...
For some reason you require an include for one print to chat message, which could just use the corresponding \x07 color.
You include <cstrike> and dont use it.
You include clientprefs and dont use that either.
You include sdkhooks for no reason.
You shouldn't even need sdktools either... especially including it twice, jesus.
YES BY ALL MEANS KICK A CLIENT BY NAME. You should never need to use ServerCommand to fire a SM command. KickClient() would work just fine, and wouldnt fire the "[SM]" logged command.
Why does the player have to be alive to target him?

[WildCard65]

Read about SQL injection to learn why passing client names to ServerCommand IS A VERY BAD IDEA!

[Brrdy]

Quote:

Originally Posted by Mitchell Things wrong: No version cvar, in fact some may argue that version 0.0.0 isn't a valid version, as that means there was no release, but you are releasing it right now... For some reason you require an include for one print to chat message, which could just use the corresponding \x07 color. You include <cstrike> and dont use it. You include clientprefs and dont use that either. You include sdkhooks for no reason. You shouldn't even need sdktools either... especially including it twice, jesus. YES BY ALL MEANS KICK A CLIENT BY NAME. You should never need to use ServerCommand to fire a SM command. KickClient() would work just fine, and wouldnt fire the "[SM]" logged command. Why does the player have to be alive to target him?

Ill clean it up in a bit ^_^ this is just a beta

[WildCard65]

Quote:

Originally Posted by Brrdy Ill clean it up in a bit ^_^ this is just a beta

ya, atm I would recommend pushing a hotfix to the whole servercommand thing as it put servers that decide to use this plugin at risk of command injection. I would recommend IMMEDIATELY change from using servercommand to kickclient as sm_kick uses that native.

Edit: Example of command injection with your plugin: sm_fakevac lol;quit would turn into this: sm_kick lol;quit which in turn turns into these commands(as ; in source is a delimeter to serperate commands in console which is where servercommand executes things): sm_kick lol then it runs quit
Quit in a server console shuts the server down.

Edit2: Your using an indeterminate loop to do a what for can do(which for is determinate)

[Darkness_]

PHP Code:

ServerCommand("sm_kick %N", target_list[i]); 


to

PHP Code:

KickClient(target_list[i], "kick reason); 


[Brrdy]

Quote:

Originally Posted by WildCard65 ya, atm I would recommend pushing a hotfix to the whole servercommand thing as it put servers that decide to use this plugin at risk of command injection. I would recommend IMMEDIATELY change from using servercommand to kickclient as sm_kick uses that native. Edit: Example of command injection with your plugin: sm_fakevac lol;quit would turn into this: sm_kick lol;quit which in turn turns into these commands(as ; in source is a delimeter to serperate commands in console which is where servercommand executes things): sm_kick lol then it runs quit Quit in a server console shuts the server down. Edit2: Your using an indeterminate loop to do a what for can do(which for is determinate)

Only admins can run the cmd but anyways when I tried using KickClient it wouldn't work idk why but Ill try it again in a bit not on pc atm

[Mitchell]

Quote:

Originally Posted by Brrdy Only admins can run the cmd but anyways when I tried using KickClient it wouldn't work idk why but Ill try it again in a bit not on pc atm

It wouldnt matter if only an admin can run it, what if you did the command on a player with the name "baddie;rcon_password hi" the server command will do
ServerCommand("sm_kick baddie;rcon_password hi"), setting the server's rcon_password to what ever he wants.

[Drixevel]

For those wanting a cleaned up version with the exploit fixed, download the following version:

[Pohearts]

looks like c+p code..

also, shouldn't you use \x07 instead of {red} so it require less dependency for such a simple plugin?