D-FENS - Patch for upload/download server file exploit. (Updated 05-10-2010)
TL;DR: This plug-in will prevent a malicious user from uploading or downloading sensitive files from your server.

This plug-in patches a security vulnerability that allows an attacker to download sensitive files, or upload files that change the behavior of your server. The server's console by default will actually echo out when a player tries to upload or download a file, but this can't be seen 99% of the time.

If a client tries to upload or download an illegal file, 3 things will happen:

1. It will output to the log file: "Player Name<userid><steamid><ip> requested/uploaded illegal file "filename"".
2. Their client will be maliciously crashed in an effort to slow them down. (They won't be kicked but will time out naturally.)
3. The file operation will, obviously, be denied.

Update: Source code made available; the client crash defense mechanic has been removed as well. File operations are just logged and bad operations get blocked.

Installation: Simply place the files in your addons directory, and modify the VDF file depending on what engine you are using. Files with mm18 in the file name require MM 1.8; files with mm17 in the file name require MM 1.7.

Update by Viper: I attached D-Fens for EP1 (CSS) and Orange Box engines to the post ;)

linux binaries
Re: D-FENS - Emergency patch against downloading server files.
And here is an example of the log output during my testing.
Code:
L 11/17/2009 - 09:02:45: [D-FENS] "mihaivictor<181><STEAM_0:0:21752144>" requested file "downloads/6f78fc62.dat".
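The first post describes the log format D-FENS writes ("Player Name<userid><steamid><ip> requested/uploaded illegal file "filename""), and the line above shows what an actual entry looks like (no <ip> field, no "illegal"). Below is an added example, not part of the plugin or of this thread, of how a server admin might triage those entries: it parses both shapes of the line, applies a path policy to decide which requests are worth attention, and tallies flagged operations per SteamID. The policy (traversal, absolute paths, cfg/ and addons/ prefixes, config and binary extensions) is an assumption for illustration and is not the rule set the plugin itself uses; the sample log is constructed, apart from the first line, which is the one posted above.

```python
"""Triage D-FENS style log lines: parse, apply a path policy, count per player.

Added example; not code from the D-FENS plugin or from this thread.
The path policy below is an assumed one for illustration.
"""
import re
from collections import Counter
from posixpath import normpath

# Matches both the documented format
#   "Name<userid><steamid><ip>" requested/uploaded illegal file "path"
# and the observed format without <ip> and without the word "illegal".
LOG_RE = re.compile(
    r'^L (?P<date>\d\d/\d\d/\d{4}) - (?P<time>\d\d:\d\d:\d\d): \[D-FENS\] '
    r'"(?P<name>.*?)<(?P<userid>\d+)><(?P<steamid>STEAM_\d:\d:\d+)>'
    r'(?:<(?P<ip>[^>]*)>)?" '
    r'(?P<verb>requested|uploaded) (?:illegal )?file "(?P<path>[^"]+)"\.?$'
)

# Assumed policy (not the plugin's): server config, plugin metadata and
# native binaries are the files the thread says an attacker goes after.
SENSITIVE_EXTENSIONS = {".cfg", ".vdf", ".ini", ".so", ".dll", ".smx"}
SENSITIVE_PREFIXES = ("cfg/", "addons/", "logs/")


def parse_line(line):
    """Return the fields of one D-FENS log line as a dict, or None if it is not one."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_sensitive(path):
    """Classify a client-supplied path under the assumed policy.

    Normalise first so 'downloads/../cfg/server.cfg' is judged by where it
    resolves, and treat anything that escapes the game directory (leading
    '..') or is absolute (POSIX or drive-letter) as sensitive outright.
    """
    p = path.replace("\\", "/")
    if p.startswith("/") or re.match(r"^[A-Za-z]:", p):
        return True
    norm = normpath(p)
    if norm.startswith(".."):
        return True
    lower = norm.lower()
    if lower.startswith(SENSITIVE_PREFIXES):
        return True
    return any(lower.endswith(ext) for ext in SENSITIVE_EXTENSIONS)


def triage(lines):
    """Parse every line, flag sensitive paths, and count flagged ops per SteamID.

    Returns (events, counts). Lines that are not D-FENS entries are skipped.
    """
    events = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ev["sensitive"] = is_sensitive(ev["path"])
        events.append(ev)
    counts = Counter(ev["steamid"] for ev in events if ev["sensitive"])
    return events, counts


# Constructed sample log. The first line is the one posted in the thread;
# the rest are made up to exercise the parser and the policy.
SAMPLE_LOG = [
    'L 11/17/2009 - 09:02:45: [D-FENS] "mihaivictor<181><STEAM_0:0:21752144>" requested file "downloads/6f78fc62.dat".',
    'L 11/17/2009 - 09:03:10: [D-FENS] "someone<182><STEAM_0:1:1234567><10.0.0.5>" requested illegal file "cfg/server.cfg".',
    'L 11/17/2009 - 09:03:12: [D-FENS] "someone<182><STEAM_0:1:1234567><10.0.0.5>" requested illegal file "downloads/../addons/metamod.vdf".',
    'L 11/17/2009 - 09:03:30: [D-FENS] "someone<182><STEAM_0:1:1234567><10.0.0.5>" uploaded illegal file "addons/metamod/bin/server.so".',
    'L 11/17/2009 - 09:04:00: Log file closed',
]

if __name__ == "__main__":
    events, counts = triage(SAMPLE_LOG)
    for ev in events:
        flag = "SENSITIVE" if ev["sensitive"] else "ok"
        print(f'{ev["time"]} {ev["steamid"]:<22} {ev["verb"]:<9} {ev["path"]:<40} {flag}')
    for steamid, n in counts.most_common():
        print(f"{steamid}: {n} sensitive file operation(s)")
```

Run it against the server's log file instead of SAMPLE_LOG to get a per-player count; the spray request in the first line is left alone, while the traversal to addons/metamod.vdf is caught because the path is normalised before the prefix check.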
Re: D-FENS - Emergency patch against downloading server files.
One could also specify an rcon password only in the starting parameters and not in the server.cfg file:

+rcon_password

Good work, hopefully this works.
Re: D-FENS - Emergency patch against downloading server files.
Thanks voogru, although we use ipfilter on our rcon port so they can't access it anyways.
It would be nice to see who is doing it :) Thanks
Re: D-FENS - Emergency patch against downloading server files.
Does the plugin block any normal client downloads like sprays?
Re: D-FENS - Emergency patch against downloading server files.
Should this work with games like Zombie Panic, AOC & INS?
Re: D-FENS - Emergency patch against downloading server files.
Question - I see that several users are being blocked from downloading this .dat file.
Is this crashing their clients out when it does this, or what? What's the importance of this file, to restrict it? Seeing the pure number of users requesting this file, it must be something that is automated, and not the user doing it.