[sneaK]

Care to share how this happened so other owners here can protect themselves?

[nguyenbaodanh]

Quote:

Originally Posted by blackhawk74 Care to share how this happened so other owners here can protect themselves?

Sure, currently if we add some one as admin, without password. Hacker can easily login to the sourcebans website even we didn't set that admin as the webadmin role.
You can test on your sourceban now,
just enter the admin username - don't need to enter any password.
Bang
you've have logged in as a website admin...

That's how my site got hacked :\ ...
He'd looked into my sb banlist and test each user until he found one server root admin that I've set without password to log on the website
(my server roles > mod > smod >root and webADMIN is for the sourcebans login )

RIP me.

But I've fixed anyway. Thanks him for that.
If someone here using this and used to set admins in the server without web login password. YOU SHOULD FIX

[shanapu]

Quote:

Originally Posted by nguyenbaodanh Sure, currently if we add some one as admin, without password. ~ just enter the admin username - don't need to enter any password. Bang you've have logged in as a website admin... ~ If someone here using this and used to set admins in the server without web login password. YOU SHOULD FIX

I can reproduce this :/

[Cooky]

Quote:

Originally Posted by shanapu I can reproduce this :/

Same, but only if we add the user through Sourcebans itself. We have our own built store/admin system, which places users directly into the correct tables. By doing that I can't reproduce...

Some serious leak indeed...

[sneaK]

This should've been temp "fixed" in a more recent commit, the patch fix was only allowing login through steam, so the manual user login/password boxes are removed.

Edit: Here's the commit from almost 1 year ago: https://github.com/sbpp/sourcebans-p...f66c9b3618589a

Adds this option:

You guys should definitely update asap, there have been some security fixes since, such as this important one.

[nguyenbaodanh]

Quote:

Originally Posted by blackhawk74 This should've been temp "fixed" in a more recent commit, the patch fix was only allowing login through steam, so the manual user login/password boxes are removed. Edit: Here's the commit from almost 1 year ago: https://github.com/sbpp/sourcebans-p...f66c9b3618589a Adds this option: You guys should definitely update asap, there have been some security fixes since, such as this important one.

Any instructions to use the steam login one?

[sneaK]

Quote:

Originally Posted by nguyenbaodanh Any instructions to use the steam login one?

I would just download + replace all files from the latest commit.

[lay295]

I just used this MySQL query to temp fix the logins for now until it's fixed.

Code:

UPDATE sb_admins SET 'password' = replace('password', '1fcc1a43dfb4a474abb925f54e65f426e932b59e', '');

It'll give you this error box when you try and login



However you'll need to manually wipe new users of their passwords until it's fixed.

[JackHammer20]

Quote:

Originally Posted by blackhawk74 I would just download + replace all files from the latest commit.

Do you mean from the Dev version? (1.5.5-dev)

[Cooky]

Quote:

Originally Posted by JackHammer20 Do you mean from the Dev version? (1.5.5-dev)

Or stable version, yes.