Hi little request to moderators


Abdulrazzaq
Member
Join Date: Oct 2019
Location: NZ
08-28-2020, 11:15   Hi little request to moderators
#1

delete this

Last edited by Abdulrazzaq; 08-30-2020 at 00:35.
HamletEagle
AMX Mod X Plugin Approver
Join Date: Sep 2013
Location: Romania
08-28-2020, 14:21   Re: Hi little request to moderators
#2

I don't see any problems with the code, for multiple reasons:
1. get_user_info is a native that has legitimate uses, and "_pw" is just like any other client info value which can be retrieved.
2. The default admin system from AMXX does this in order to implement the password functionality for admins.
3. Server owners are supposed to change amx_password_field to something unique, in order to prevent (to some extent) password leaks.

The code itself is fine, and even if we delete it, if someone has half a brain he can extract it from admin.sma or figure out how to write such trivial code on his own.
However, what you can argue about is the insecure admin system design because of the usage of client info to store passwords. And even then, it's not like you have no other options:
- listen to the warning in amxx.cfg and change the setinfo field from _pw to something else
- use steamids instead of name + password for your admins. There's absolutely 0 reason not to use steamids on a steam-only server. Therefore, the exploit is mostly a non-steam issue.

"But why does amxx allow password logins if I'm supposed to use steamids?"
The option is there if you want to use it and accept the risks, and for compatibility reasons (it cannot be removed because amxx must remain backwards compatible). A much safer alternative exists; people should use it. If they don't, it's their own fault.
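The two mitigations named above (bind admins to a SteamID instead of name + password, and change amx_password_field away from the default "_pw") can be checked mechanically. The following audit script is an added example, not code from this thread and not part of AMX Mod X. It assumes the stock users.ini layout ("auth" "password" "access flags" "account flags", with account flag c meaning the auth field is a SteamID, d an IP, and e that no password is checked) and that amx_password_field defaults to "_pw" when absent from amxx.cfg; the sample file contents are constructed for the demonstration.

```python
import re

# Constructed sample files (not from the thread or from any real server).
# Layout follows the stock AMX Mod X users.ini:
#   "auth" "password" "access flags" "account flags"
# Account flags, per the comments in the stock users.ini:
#   a = disconnect on invalid password, b = auth is a clan tag,
#   c = auth is a SteamID, d = auth is an IP, e = password is not checked
SAMPLE_USERS_INI = """\
; constructed sample users.ini
"STEAM_0:0:123456" "" "abcdefghijklmnopqrstu" "ce"
"Admin One" "hunter2" "abcdefghijklmnopqrstu" "a"
"Admin Two" "letmein" "bcdefghijk" ""
"192.168.0.5" "" "bcdefg" "de"
"""

SAMPLE_AMXX_CFG = """\
amx_mode 1
amx_password_field "_pw"
amx_default_access "z"
"""

ENTRY_RE = re.compile(r'"([^"]*)"')


def parse_users_ini(text):
    """Yield (line_number, auth, password, access, account_flags) per entry."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        fields = ENTRY_RE.findall(line)
        if len(fields) != 4:
            raise ValueError(f"users.ini line {lineno}: expected 4 quoted fields")
        yield (lineno, *fields)


def name_based_admins(text):
    """Return entries that authenticate by name, i.e. without SteamID (c) or IP (d).

    These are the entries whose password has to travel in the client's setinfo,
    which is the scheme discussed in the thread. Each finding is
    (line_number, auth, "name + password" | "name only").
    """
    findings = []
    for lineno, auth, password, _access, flags in parse_users_ini(text):
        if "c" in flags or "d" in flags:
            continue  # bound to a SteamID or IP; no setinfo password needed
        how = "name + password" if password else "name only"
        findings.append((lineno, auth, how))
    return findings


def password_field(cfg_text):
    """Return the configured amx_password_field, or "_pw" (the AMXX default) if unset."""
    m = re.search(r'^\s*amx_password_field\s+"?([^"\s]+)"?', cfg_text, re.MULTILINE)
    return m.group(1) if m else "_pw"


def audit(users_ini, amxx_cfg):
    """Combine both checks into one report dictionary."""
    field = password_field(amxx_cfg)
    return {
        "name_based": name_based_admins(users_ini),
        "password_field": field,
        "password_field_is_default": field == "_pw",
    }


if __name__ == "__main__":
    result = audit(SAMPLE_USERS_INI, SAMPLE_AMXX_CFG)
    for lineno, auth, how in result["name_based"]:
        print(f"users.ini:{lineno}: {auth!r} logs in by {how}; bind it to a SteamID (flag c) instead")
    if result["password_field_is_default"]:
        print('amxx.cfg: amx_password_field is still "_pw"; set it to a unique value')
```

Run against a real users.ini and amxx.cfg, every reported entry is one that still depends on the setinfo password, and a default amx_password_field means the field name any client plugin would guess first is still in use.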
Abdulrazzaq
Member
Join Date: Oct 2019
Location: NZ
08-29-2020, 07:48   Re: Hi little request to moderators
#3

Quote:
Originally Posted by HamletEagle
I don't see any problems with the code, for multiple reasons:
1. get_user_info is a native that has legitimate uses, and "_pw" is just like any other client info value which can be retrieved.
2. The default admin system from AMXX does this in order to implement the password functionality for admins.
3. Server owners are supposed to change amx_password_field to something unique, in order to prevent (to some extent) password leaks.

The code itself is fine, and even if we delete it, if someone has half a brain he can extract it from admin.sma or figure out how to write such trivial code on his own.
However, what you can argue about is the insecure admin system design because of the usage of client info to store passwords. And even then, it's not like you have no other options:
- listen to the warning in amxx.cfg and change the setinfo field from _pw to something else
- use steamids instead of name + password for your admins. There's absolutely 0 reason not to use steamids on a steam-only server. Therefore, the exploit is mostly a non-steam issue.

"But why does amxx allow password logins if I'm supposed to use steamids?"
The option is there if you want to use it and accept the risks, and for compatibility reasons (it cannot be removed because amxx must remain backwards compatible). A much safer alternative exists; people should use it. If they don't, it's their own fault.
Yes, I know, but a lot of people don't know anything about coding... they can't even change an access level or flag... but they can get it easily from here... and I know a lot of things can be done to prevent this... but most servers are using default settings; 70 percent of them won't make any changes... so that's why I request you to delete this code at least... the idiots won't get the code to hack setinfo like that... yeah, people with a brain can make this for sure... I have scripter friends too, they can make this kind of code easily, but... those people who don't have that much brain and don't know how to code will also get it easily...

I hope you understand my point.
If you delete that, it will be good.
I already made changes in my setinfo system so they can't hack my pw,
but yeah, they can still hack others...
fysiks
Veteran Member
Join Date: Sep 2007
Location: Flatland, USA
08-29-2020, 14:34   Re: Hi little request to moderators
#4

We should just turn off the internet then too.
thEsp
BANNED
Join Date: Aug 2017
08-29-2020, 15:03   Re: Hi little request to moderators
#5

Are you talking about https://forums.alliedmods.net/showpo...43&postcount=7 onwards?

:wink:
All times are GMT -4.