
Permanent Muting/Gagging/Silencing/Naming across servers 1.6.000


drhydralisk
BANNED
Join Date: Jun 2010
Old 06-17-2010 , 15:54   Re: Permanent Muting/Gagging/Silencing/Naming across servers 1.6.000
Reply With Quote #141

I did inform the guinea pigs.. And posting security notices publicly is how it's done. You are confusing posting a proof of concept before everyone has a chance to patch, that is the bad one.
Chanz
Veteran Member
Join Date: Aug 2008
Location: Germany - Stuttgart
Old 06-17-2010 , 16:29   Re: Permanent Muting/Gagging/Silencing/Naming across servers 1.6.000
Reply With Quote #142

Quote:
Originally Posted by drhydralisk
I did inform the guinea pigs.. And posting security notices publicly is how it's done. You are confusing posting a proof of concept before everyone has a chance to patch, that is the bad one.

We never received anything from you about commtools.
And if you didn't get an answer from us you shouldn't have tested this stuff on us or any other community/server that runs commtools.

I don't break into your house and tell everyone at the kindergarten meeting that you left your window open for a week.

Posting such things in a public forum is just stupid. It makes it easier for script kiddies to attack servers.

PS: I would never install a web interface or plugin from someone who is new and talks about security bugs in public forums. You should have contacted the plugin author, and if he didn't respond, you should have contacted a SourceMod dev to disapprove this plugin.
LordVader!
Member
Join Date: Nov 2009
Old 06-17-2010 , 20:39   Re: Permanent Muting/Gagging/Silencing/Naming across servers 1.6.000
Reply With Quote #143

Well, thanks for at least letting me know and not releasing this (that we know : ). No offence, but can someone take a look at the source code (just posted) and give it a 2nd opinion? Maybe something else was missed?


EDIT: I also never received any email.

Last edited by LordVader!; 06-17-2010 at 21:54.
violentcrimes
Senior Member
Join Date: Nov 2006
Old 06-17-2010 , 20:50   Re: Permanent Muting/Gagging/Silencing/Naming across servers 1.6.000
Reply With Quote #144

I never received any email or notice from you either. I run Convict Gaming.
berni
SourceMod Plugin Approver
Join Date: May 2007
Location: Austria
Old 06-17-2010 , 20:53   Re: Permanent Muting/Gagging/Silencing/Naming across servers 1.6.000
Reply With Quote #145

I unapproved the plugin for now until all of the serious security holes are gone.

I also banned this guy drhydralisk from my servers for hacking into our servers without asking me first. His IP address is 76.20.11.192 if anyone wants to ban him too.

I also requested a forum ban here for posting details on how to exploit this software and stating that he hacked a lot of servers.

Greetings ~Berni
strontiumdog
Veteran Member
Join Date: Jan 2007
Location: BC, Canada
Old 06-17-2010 , 21:07   Re: Permanent Muting/Gagging/Silencing/Naming across servers 1.6.000
Reply With Quote #146

I'll talk to HSFighter and get him to incorporate the plugin into his WebAdmin interface.
violentcrimes
Senior Member
Join Date: Nov 2006
Old 06-17-2010 , 21:12   Re: Permanent Muting/Gagging/Silencing/Naming across servers 1.6.000
Reply With Quote #147

It's amazing that it isn't incorporated into SourceBans yet.
KyleS
SourceMod Plugin Approver
Join Date: Jul 2009
Location: Segmentation Fault.
Old 06-17-2010 , 21:22   Re: Permanent Muting/Gagging/Silencing/Naming across servers 1.6.000
Reply With Quote #148

I'd love to be able to use this, I had no idea it existed up until now.

If this was incorporated into SourceBans it would absolutely make my day.
drhydralisk
BANNED
Join Date: Jun 2010
Old 06-17-2010 , 21:30   Re: Permanent Muting/Gagging/Silencing/Naming across servers 1.6.000
Reply With Quote #149

Quote:
Originally Posted by Chanz
We never received anything from you about commtools.
And if you didn't get an answer from us you shouldn't have tested this stuff on us or any other community/server that runs commtools.

I don't break into your house and tell everyone at the kindergarten meeting that you left your window open for a week.

Posting such things in a public forum is just stupid. It makes it easier for script kiddies to attack servers.

PS: I would never install a web interface or plugin from someone who is new and talks about security bugs in public forums. You should have contacted the plugin author, and if he didn't respond, you should have contacted a SourceMod dev to disapprove this plugin.

I never posted details on how the injection is done. So I posted a patch saying there are exploits in this script, or should I have just said nothing and told you guys you need this patch but I can't tell you what it does?

Quote:
Originally Posted by LordVader!
Well, thanks for at least letting me know and not releasing this (that we know : ). No offence, but can someone take a look at the source code (just posted) and give it a 2nd opinion? Maybe something else was missed?

I will not release the PoC until there is an official patch, or it has been too long and there is no official patch.

Quote:
Originally Posted by violentcrimes
I never received any email or notice from you either. I run Convict Gaming.

I sent an email to whatever email address I was able to find, either one found on a contact page or one of the emails from the database.

Quote:
Originally Posted by berni
I unapproved the plugin for now until all of the serious security holes are gone.

I also banned this guy drhydralisk from my servers for hacking into our servers without asking me first. His IP address is 76.20.11.192 if anyone wants to ban him too.

I also requested a forum ban here for posting details on how to exploit this software and stating that he hacked a lot of servers.

Greetings ~Berni

Sorry, but I needed to see who was affected. I didn't do anything with the info, so calm down (if you're so worried, maybe don't use such simple passwords that took only a second to search for the hash). And AGAIN, I did not post details on how to do the exploit, so stop saying that I posted them. Maybe a little thanks, or just stop flaming me if you don't want to say thanks. 0days are worth money, so I could have just as easily sold it, but since I play Source games I chose not to.

And I know I am new and you don't trust the patch. I have done one for SourceBans as well, http://sourcebans.net/content/sourcebans-145-released, and soon there will be another one, since I just found a persistent XSS (get admin login).

Last edited by drhydralisk; 06-17-2010 at 21:48.
violentcrimes
Senior Member
Join Date: Nov 2006
Old 06-17-2010 , 21:48   Re: Permanent Muting/Gagging/Silencing/Naming across servers 1.6.000
Reply With Quote #150

I think the point is you didn't ask any of us beforehand, it would be like robbing a bank to make sure the security is good.