Raised This Month: $49 Target: $400
 12% 

a little help | modify plugin


Post New Thread Reply   
 
Thread Tools Display Modes
redivcram
Veteran Member
Join Date: Jul 2014
Location: Serbia
Old 11-28-2019 , 10:13   Re: a little help | modify plugin
Reply With Quote #21

Quote:
Originally Posted by ^SmileY View Post
Again, nobody can provide a practical example how _pw can be stolen.
"_pw" cannot be stolen. Unless:

• The password is genuinely easy to guess.
• The clumsy user has posted it somewhere by accident for everyone to see.
• An admin or owner that has access to the server's database has exploited it.
• There's a plugin with roles to read files from the server with a bug that enables users to read database files (I would re-check my plugins and where I got them from, then check their source).
• The server's database has been exploited by a haxz0r.

And one most important way:

• The user's _pw is saved on anything other than the Steam ID, or IP Address (Unviable).

Last edited by redivcram; 11-28-2019 at 10:16.
redivcram is offline
OciXCrom
Veteran Member
Join Date: Oct 2013
Location: Macedonia
Old 11-28-2019 , 10:37   Re: a little help | modify plugin
Reply With Quote #22

@redivcram - the "_pw" password is not hidden in any way. Anyone with access to the server's console can see it without even using any plugins, so it can be very easily stolen. Not to mention it takes only 2 lines of AMXX plugin code to see it in-game as well.
__________________

Last edited by OciXCrom; 11-28-2019 at 10:38.
OciXCrom is offline
Send a message via Skype™ to OciXCrom
redivcram
Veteran Member
Join Date: Jul 2014
Location: Serbia
Old 11-28-2019 , 10:51   Re: a little help | modify plugin
Reply With Quote #23

Quote:
Originally Posted by OciXCrom View Post
@redivcram - the "_pw" password is not hidden in any way. Anyone with access to the server's console can see it without even using any plugins, so it can be very easily stolen.
There's still no evidence of how one can do such.
redivcram is offline
^SmileY
Veteran Member
Join Date: Jan 2010
Location: Brazil [<o>]
Old 11-28-2019 , 12:19   Re: a little help | modify plugin
Reply With Quote #24

Anyway there is the point, need to access 'hack' the server to stolen _pw field.
So the setinfo is the minor of problems in this case lol.

For me do not make any sense the excuse that setinfo _pw is exposed to someone in the server, since who have access to edit/upload plugins also have access to users.ini in amxx.

That said, use a steam id or hide _pw when player enter in a server is a complete mistake when you think in this way.
__________________
Projects:

- See my Git Hub: https://github.com/SmileYzn
PHP Code:
set_pcvar_num(pCvar, !get_pcvar_num(pCvar)); 
^SmileY is offline
Send a message via MSN to ^SmileY Send a message via Skype™ to ^SmileY
redivcram
Veteran Member
Join Date: Jul 2014
Location: Serbia
Old 11-28-2019 , 12:56   Re: a little help | modify plugin
Reply With Quote #25

I still did not catch OciXCrom. Using what method could you possibly exploit users.ini through a server console??
redivcram is offline
OciXCrom
Veteran Member
Join Date: Oct 2013
Location: Macedonia
Old 11-28-2019 , 14:53   Re: a little help | modify plugin
Reply With Quote #26

@^SmileY - even though seeing your own players' passwords when you're the owner doesn't make sense, once you enter the password via "setinfo", any other server you visit has access to your password as well.

@redivcram - check your PM.
__________________
OciXCrom is offline
Send a message via Skype™ to OciXCrom
^SmileY
Veteran Member
Join Date: Jan 2010
Location: Brazil [<o>]
Old 11-28-2019 , 18:19   Re: a little help | modify plugin
Reply With Quote #27

Quote:
Originally Posted by OciXCrom View Post
@^SmileY - even though seeing your own players' passwords when you're the owner doesn't make sense, once you enter the password via "setinfo", any other server you visit has access to your password as well.

@redivcram - check your PM.
Player just, need to remove setinfo _pw from config.
Is the same security risk of visit's different sites with same password.
__________________
Projects:

- See my Git Hub: https://github.com/SmileYzn
PHP Code:
set_pcvar_num(pCvar, !get_pcvar_num(pCvar)); 
^SmileY is offline
Send a message via MSN to ^SmileY Send a message via Skype™ to ^SmileY
Reply


Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT -4. The time now is 08:11.


Powered by vBulletin®
Copyright ©2000 - 2022, vBulletin Solutions, Inc.
Theme made by Freecode