
SSMS - Sourcemod Server Management System


snelvuur
Veteran Member
Join Date: Jun 2008
Location: Netherlands
Old 01-14-2012 , 14:18   Re: SSMS - Sourcemod Server Management System
Reply With Quote #51

It's almost as if your user doesn't have write rights on the database, can you verify that?
__________________
Arguing with a fool only proves there are two
Proud
Junior Member
Join Date: Oct 2007
Old 01-14-2012 , 14:20   Re: SSMS - Sourcemod Server Management System
Reply With Quote #52

The account details seem to allow updates etc. in phpMyAdmin.
Proud
Junior Member
Join Date: Oct 2007
Old 01-14-2012 , 14:21   Re: SSMS - Sourcemod Server Management System
Reply With Quote #53

Also, it's added some details to the servers table: IP, port, Rcon etc.
snelvuur
Veteran Member
Join Date: Jun 2008
Location: Netherlands
Old 01-14-2012 , 14:48   Re: SSMS - Sourcemod Server Management System
Reply With Quote #54

Are you running the PHP stuff from a Linux PC or Windows? I do see an issue though: when you add a server and it fails, it will still add the entry. I think it would be wise not to add anything then.

But you said that if you go use rcon, then it works. I also assume it's a sourced game from any of those in the list of games from your db.
__________________
Arguing with a fool only proves there are two

Last edited by snelvuur; 01-14-2012 at 14:50.
Proud
Junior Member
Join Date: Oct 2007
Old 01-14-2012 , 15:06   Re: SSMS - Sourcemod Server Management System
Reply With Quote #55

Linux box, and yes, it's TF2 servers I'm adding.
snelvuur
Veteran Member
Join Date: Jun 2008
Location: Netherlands
Old 01-14-2012 , 15:11   Re: SSMS - Sourcemod Server Management System
Reply With Quote #56

Any chance I can add that server to my list too? I just installed the tool fresh in a separate directory and added a random TF2 server to it, and it works fine here.
__________________
Arguing with a fool only proves there are two
Obsidian
Senior Member
Join Date: Jun 2011
Old 01-14-2012 , 16:13   Re: SSMS - Sourcemod Server Management System
Reply With Quote #57

crossposting from hlds_linux mailing list (about this application):

http://www.mail-archive.com/hlds_lin.../msg66099.html
Quote:
Re: [hlds_linux] hlds_linux Digest, Vol 47, Issue 30
Damian Bushong
Sat, 14 Jan 2012 12:49:18 -0800

I'm going to be brutally honest.
This code is not suitable for public use, at all.


First file I opened, first lines I read are a massive red flag.
see: https://github.com/Snelvuur/SSMS/blo.../addserver.php lines 15-23.
Data is being taken from the $_POST superglobal and inserted into several
variables.
Scroll down to about line 74. These previously referenced variables are
being inserted directly into a mysql_query unsanitized.

see: https://github.com/Snelvuur/SSMS/blo...r/rcon.php#L47
Data directly from $_GET is being used directly in a query, once again
unsanitized. Plus, there's zero authentication in place for the "rcon.php"
page itself, so virtually anyone can just waltz right in and start firing
off RCON commands to the server, no matter who it is. Don't assume that
"nobody can see the site, it's safe" - google has a way of finding these
things, and script kiddies have their own way of following google in as
well.

You have multiple SQL injections throughout the code, and I only opened
three files to look. XSS looks prevalent throughout, CSRF is easily
possible, and at this rate I'm betting there's going to be a shell_exec()
or an eval() vuln as well somewhere.

http://lmgtfy.com/?q=mysql+sanitize+inputs+php
^ Start reading.

To those who've installed this application, remove it *immediately*.
__________________
TF2 Stats plugin alternative web interface - profile @ Github
(tf2stats-webui latest release: 1.1.1)


"If you're not willing to do it right, don't get involved with security or Explosive Ordnance Disposal."

Last edited by Obsidian; 01-14-2012 at 16:13.
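
The injection pattern described in the quoted message, next to a parameterized version, as an added example that is not SSMS code and not part of the original post. It assumes PDO with an in-memory SQLite database; the `servers` table layout, the function names and all sample values are hypothetical and constructed for illustration.

```php
<?php
// Added example: table, column and function names are hypothetical, not SSMS's own.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE servers (id INTEGER PRIMARY KEY, ip TEXT, port INTEGER, rcon TEXT)');
$db->exec("INSERT INTO servers (ip, port, rcon) VALUES
           ('192.0.2.10', 27015, 'constructed-secret-a'),
           ('192.0.2.11', 27015, 'constructed-secret-b')");

// Pattern the quoted review criticises: request data concatenated into the SQL text.
function lookup_unsafe(PDO $db, string $id): array {
    return $db->query("SELECT ip, port FROM servers WHERE id = $id")
              ->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened lookup: check the type first, then bind the value as a parameter.
function lookup_safe(PDO $db, string $id): array {
    if (!ctype_digit($id)) {
        return [];                       // reject anything that is not a plain integer
    }
    $stmt = $db->prepare('SELECT ip, port FROM servers WHERE id = :id');
    $stmt->bindValue(':id', (int)$id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened insert for an add-server form: validate, then bind every field.
function add_server(PDO $db, array $post): bool {
    $ip   = filter_var($post['ip'] ?? '', FILTER_VALIDATE_IP);
    $port = filter_var($post['port'] ?? '', FILTER_VALIDATE_INT,
                       ['options' => ['min_range' => 1, 'max_range' => 65535]]);
    if ($ip === false || $port === false) {
        return false;                    // nothing is written on invalid input
    }
    $stmt = $db->prepare('INSERT INTO servers (ip, port, rcon) VALUES (?, ?, ?)');
    return $stmt->execute([$ip, $port, (string)($post['rcon'] ?? '')]);
}

$crafted = '1 OR 1=1';                   // constructed stand-in for $_GET['id']
printf("unsafe, crafted id: %d row(s)\n", count(lookup_unsafe($db, $crafted)));
printf("safe, crafted id:   %d row(s)\n", count(lookup_safe($db, $crafted)));
printf("safe, id 1:         %d row(s)\n", count(lookup_safe($db, '1')));
// A malformed IP is refused; a quote inside a bound value is stored as plain data.
var_dump(add_server($db, ['ip' => "192.0.2.12'); --", 'port' => '27015', 'rcon' => 'x']));
var_dump(add_server($db, ['ip' => '192.0.2.12', 'port' => '27015', 'rcon' => "it's quoted"]));
```

Parameter binding covers only the SQL injection finding; the missing authentication on rcon.php and the CSRF point raised in the quoted message need their own controls.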
snelvuur
Veteran Member
Join Date: Jun 2008
Location: Netherlands
Old 01-14-2012 , 16:40   Re: SSMS - Sourcemod Server Management System
Reply With Quote #58

Like it says in the readme, use a .htaccess/.htpasswd to secure it. It was built for public use.

It's not like this tool will face the web without .htaccess (that would be foolish); it's not like http://forums.alliedmods.net/showthread.php?t=150731 ..
__________________
Arguing with a fool only proves there are two
duydangle
Senior Member
Join Date: May 2010
Old 01-14-2012 , 21:09   Re: SSMS - Sourcemod Server Management System
Reply With Quote #59

Quote:
Originally Posted by snelvuur
Ah, Windows support. I actually didn't think of running PHP and such on a Windows box (didn't test that), but it looks like it's coming from the Steam library. I'll see if I can ask the author of the library to take a look.

Actually I am running this on a Linux box, but I don't have SSH, just DirectAdmin with cronjobs (same as crontab). I added this script to the cronjobs. At first it worked very well, but then it stopped working and none of the servers were updated. Then I tested the script on my Windows server. As you can see in the attachment, something went wrong when the script checks the version. I commented out checkversion() and now all servers are updated :/
snelvuur
Veteran Member
Join Date: Jun 2008
Location: Netherlands
Old 01-14-2012 , 21:24   Re: SSMS - Sourcemod Server Management System
Reply With Quote #60

Fatal error: Uncaught exception 'Exception' with message 'Could not read from socket.' in /home/lethal/public_html/admin/steam-condenser/lib/Socket.php:109
Stack trace:
#0 /home/lethal/public_html/admin/steam-condenser/lib/steam/sockets/SteamSocket.php(113): Socket->recv(1500)
#1 /home/lethal/public_html/admin/steam-condenser/lib/steam/sockets/MasterServerSocket.php(30): SteamSocket->receivePacket(1500)
#2 /home/lethal/public_html/admin/steam-condenser/lib/steam/servers/MasterServer.php(125): MasterServerSocket->getReply()
#3 /home/lethal/public_html/admin/servers.php(82): MasterServer->getChallenge()
#4 /home/lethal/public_html/admin/servers.php(436): checkversion()
#5 {main}
thrown in /home/lethal/public_html/admin/steam-condenser/lib/Socket.php on line 109

I also get these errors now. If I run servers.php again it seems to be gone, and sometimes it's back. I assume it's a Steam/Valve issue at the moment. First time I've seen this though. (Hopefully it will fix itself.)

P.S. I moved steam-condenser to its own directory, so it's now added on GitHub as a submodule (easier to keep that one up to date then too).
__________________
Arguing with a fool only proves there are two

Last edited by snelvuur; 01-14-2012 at 21:25.