AlliedModders - [Release] SourceBans++ (v1.6.4) [Updated: 2021-10-06]

Sure, currently if we add some one as admin, without password. Hacker can easily login to the sourcebans website even we didn't set that admin as the webadmin role.
You can test on your sourceban now,
just enter the admin username - don't need to enter any password.
Bang
you've have logged in as a website admin...

That's how my site got hacked :\ ...
He'd looked into my sb banlist and test each user until he found one server root admin that I've set without password to log on the website
(my server roles > mod > smod >root and webADMIN is for the sourcebans login )

RIP me.

But I've fixed anyway. Thanks him for that.
If someone here using this and used to set admins in the server without web login password. YOU SHOULD FIX

shanapu

04-11-2017 14:20

Re: [RELEASE] SourceBans++ (v1.5.4.7) [Updated: 2016-04-28]

Quote:

Originally Posted by nguyenbaodanh (Post 2511316)

Sure, currently if we add some one as admin, without password. ~
just enter the admin username - don't need to enter any password.
Bang
you've have logged in as a website admin...
~
If someone here using this and used to set admins in the server without web login password. YOU SHOULD FIX

I can reproduce this :/

Cooky

04-11-2017 14:37

Re: [RELEASE] SourceBans++ (v1.5.4.7) [Updated: 2016-04-28]

Quote:

Originally Posted by shanapu (Post 2511322)

I can reproduce this :/

Same, but only if we add the user through Sourcebans itself. We have our own built store/admin system, which places users directly into the correct tables. By doing that I can't reproduce...

Some serious leak indeed...

sneaK

04-11-2017 16:13

Re: [RELEASE] SourceBans++ (v1.5.4.7) [Updated: 2016-04-28]

This should've been temp "fixed" in a more recent commit, the patch fix was only allowing login through steam, so the manual user login/password boxes are removed.

Edit: Here's the commit from almost 1 year ago: https://github.com/sbpp/sourcebans-p...f66c9b3618589a

Adds this option: http://i.imgur.com/U4d0eC9.jpg

You guys should definitely update asap, there have been some security fixes since, such as this important one.

nguyenbaodanh

04-12-2017 00:19

Re: [RELEASE] SourceBans++ (v1.5.4.7) [Updated: 2016-04-28]

Quote:

Originally Posted by blackhawk74 (Post 2511364)

Any instructions to use the steam login one?

sneaK

04-12-2017 02:00

Re: [RELEASE] SourceBans++ (v1.5.4.7) [Updated: 2016-04-28]

Quote:

Originally Posted by nguyenbaodanh (Post 2511453)

Any instructions to use the steam login one?

I would just download + replace all files from the latest commit.

lay295

04-12-2017 02:35

Re: [RELEASE] SourceBans++ (v1.5.4.7) [Updated: 2016-04-28]

I just used this MySQL query to temp fix the logins for now until it's fixed.

Code:

UPDATE sb_admins SET 'password' = replace('password', '1fcc1a43dfb4a474abb925f54e65f426e932b59e', '');

It'll give you this error box when you try and login

http://i.imgur.com/dXaTier.png

However you'll need to manually wipe new users of their passwords until it's fixed.

JackHammer20

04-12-2017 07:09

Re: [RELEASE] SourceBans++ (v1.5.4.7) [Updated: 2016-04-28]

Quote:

Originally Posted by blackhawk74 (Post 2511463)

I would just download + replace all files from the latest commit.

Do you mean from the Dev version? (1.5.5-dev)

Cooky

04-12-2017 07:16

Re: [RELEASE] SourceBans++ (v1.5.4.7) [Updated: 2016-04-28]

Quote:

Originally Posted by JackHammer20 (Post 2511510)