a little help | modify plugin - Page 3

redivcram · *Last edited by redivcram; 11-28-2019 at 09:16.*

Quote:

Originally Posted by ^SmileY

Again, nobody can provide a practical example how _pw can be stolen.

"_pw" cannot be stolen. Unless:

• The password is genuinely easy to guess.
• The clumsy user has posted it somewhere by accident for everyone to see.
• An admin or owner that has access to the server's database has exploited it.
• There's a plugin with roles to read files from the server with a bug that enables users to read database files (I would re-check my plugins and where I got them from, then check their source).
• The server's database has been exploited by a haxz0r.

And one most important way:

• The user's _pw is saved on anything other than the Steam ID, or IP Address (Unviable).

OciXCrom · *Last edited by OciXCrom; 11-28-2019 at 09:38.*

@redivcram - the "_pw" password is not hidden in any way. Anyone with access to the server's console can see it without even using any plugins, so it can be very easily stolen. Not to mention it takes only 2 lines of AMXX plugin code to see it in-game as well.

redivcram · 11-28-2019 , 09:51 Re: a little help | modify plugin

Quote:

Originally Posted by OciXCrom

@redivcram - the "_pw" password is not hidden in any way. Anyone with access to the server's console can see it without even using any plugins, so it can be very easily stolen.

There's still no evidence of how one can do such.

^SmileY · 11-28-2019 , 11:19 Re: a little help | modify plugin

Anyway there is the point, need to access 'hack' the server to stolen _pw field.
So the setinfo is the minor of problems in this case lol.

For me do not make any sense the excuse that setinfo _pw is exposed to someone in the server, since who have access to edit/upload plugins also have access to users.ini in amxx.

That said, use a steam id or hide _pw when player enter in a server is a complete mistake when you think in this way.

redivcram · 11-28-2019 , 11:56 Re: a little help | modify plugin

I still did not catch OciXCrom. Using what method could you possibly exploit users.ini through a server console??

OciXCrom · 11-28-2019 , 13:53 Re: a little help | modify plugin

@^SmileY - even though seeing your own players' passwords when you're the owner doesn't make sense, once you enter the password via "setinfo", any other server you visit has access to your password as well.

@redivcram - check your PM.

^SmileY · 11-28-2019 , 17:19 Re: a little help | modify plugin

Quote:

Originally Posted by OciXCrom

@^SmileY - even though seeing your own players' passwords when you're the owner doesn't make sense, once you enter the password via "setinfo", any other server you visit has access to your password as well.

@redivcram - check your PM.

Player just, need to remove setinfo _pw from config.
Is the same security risk of visit's different sites with same password.