Raised This Month: $4 Target: $400
 1% 

Hi little request to moderators


Post New Thread Reply   
 
Thread Tools Display Modes
Author Message
Abdulrazzaq
Member
Join Date: Oct 2019
Location: NZ
Old 08-28-2020 , 12:15   Hi little request to moderators
Reply With Quote #1

delete this

Last edited by Abdulrazzaq; 08-30-2020 at 01:35.
Abdulrazzaq is offline
HamletEagle
AMX Mod X Plugin Approver
Join Date: Sep 2013
Location: Romania
Old 08-28-2020 , 15:21   Re: Hi little request to moderators
Reply With Quote #2

I don't see any problems with the code for multiple reasons:
1. get_user_info is a native that has legitimate uses and "_pw" is just like any other client info values which can be retrieved.
2. The default admin system from AMXX does this in order to implement the password functionality for admins.
3. Server owners supposed to change amx_password_field to something unique, in order to prevent(to some extent) password leaks.

The code itself is fine and even if we delete it, if someone has half a brain he can extract it from admin.sma or figure out how to write such trivial code on his own.
However, what you can argue about is the insecure admin system design because of the usage of client info to store passwords. And even then, it's not like you have no other options:
-listen to the warning from amxx.cfg and change the setinfo field from _pw to something else
-use steamids instead of name + password for your admins. There's absolutely 0 reason not to use steamids in a steam only server. Therefore, the exploit is mostly a non-steam issue.

"But why does amxx allow password logins if I'm supposted to use steamids?"
The option is there if you want to use it and accept the risks and for compatibility reasons(it can not be removed because amxx must remain backwards compatible). A much safer alternative exists, people should use it. If they don't, it's their own fault.
__________________
HamletEagle is offline
Abdulrazzaq
Member
Join Date: Oct 2019
Location: NZ
Old 08-29-2020 , 08:48   Re: Hi little request to moderators
Reply With Quote #3

Quote:
Originally Posted by HamletEagle View Post
I don't see any problems with the code for multiple reasons:
1. get_user_info is a native that has legitimate uses and "_pw" is just like any other client info values which can be retrieved.
2. The default admin system from AMXX does this in order to implement the password functionality for admins.
3. Server owners supposed to change amx_password_field to something unique, in order to prevent(to some extent) password leaks.

The code itself is fine and even if we delete it, if someone has half a brain he can extract it from admin.sma or figure out how to write such trivial code on his own.
However, what you can argue about is the insecure admin system design because of the usage of client info to store passwords. And even then, it's not like you have no other options:
-listen to the warning from amxx.cfg and change the setinfo field from _pw to something else
-use steamids instead of name + password for your admins. There's absolutely 0 reason not to use steamids in a steam only server. Therefore, the exploit is mostly a non-steam issue.

"But why does amxx allow password logins if I'm supposted to use steamids?"
The option is there if you want to use it and accept the risks and for compatibility reasons(it can not be removed because amxx must remain backwards compatible). A much safer alternative exists, people should use it. If they don't, it's their own fault.
yes i know but alot of ppl don't know anything about coding ...they can't even change access level or flag ....but they can get it easily from here ...and i know alot of things can be done to prevent this ....but almost of servers are using default settings 70 percent of them won't do any changes ...so that's why i request you to delete this code atleast ...the ediots won't get the code to hack setinfo like that .....yeah ppl with brain can make this for sure ...i have scripters friends too they can make these kinda code easily but ....those ppl who don't have that much brain and don't know how to code will also get it easily ....

hope you understand my point
if you delete that it will be good
i already made changes in my setinfo system so they can't hack pw of mine
but yeah they can still hack others ....
Abdulrazzaq is offline
fysiks
Veteran Member
Join Date: Sep 2007
Location: Flatland, USA
Old 08-29-2020 , 15:34   Re: Hi little request to moderators
Reply With Quote #4

We should just turn off the internet then too.
__________________
fysiks is offline
thEsp
Veteran Member
Join Date: Aug 2017
Old 08-29-2020 , 16:03   Re: Hi little request to moderators
Reply With Quote #5

Are you talking about https://forums.alliedmods.net/showpo...43&postcount=7 onwards?

:wink:
thEsp is offline
Reply


Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT -4. The time now is 20:51.


Powered by vBulletin®
Copyright ©2000 - 2021, vBulletin Solutions, Inc.
Theme made by Freecode