Official Soldat Forums
Official Content => News => Topic started by: chrisgbk on March 08, 2007, 01:55:44 pm
-
IMPORTANT: THIS FLAW CAN BE ABUSED TO DOWNLOAD -ANY- FILE OFF THE SERVER; USING RELATIVE PATHS IT'S POSSIBLE FOR SOMEONE TO DOWNLOAD SUCH THINGS AS PHP FILES THAT CONTAIN PASSWORDS FOR ROOT SERVER ACCESS. DISABLE FILE TRANSFER IMMEDIATELY UNTIL YOU UPGRADE!
A recent flaw with file sending has been discovered that allows attackers to send a specially crafted string to the server and get your soldat.ini, and thus your admin password. A fix has been released; see this topic (http://forums.soldat.pl/index.php?topic=11623.0).
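The relative-path escape the post warns about, shown as an added example that is not part of the original post and is not the Soldat server's own code: a naive "join the client-supplied name onto the maps directory" lookup beside a hardened lookup that refuses any directory component, restricts the file type, and then double-checks the canonical path is still inside the directory. The directory layout, the flat-file assumption (map requests carry no subdirectory) and the allowed suffixes are assumptions for illustration, not details taken from the Soldat protocol.

```python
import os
import posixpath
from typing import Optional

# Assumed layout (hypothetical): the directory the server is willing to serve
# transfer requests from. Nothing outside it should ever be readable by clients.
DEFAULT_MAPS_DIR = "/srv/soldat/maps"

# Assumed allowlist of asset types a client may legitimately ask for.
ALLOWED_SUFFIXES = (".pms", ".bmp", ".png", ".wav")


def vulnerable_resolve(requested: str, base_dir: str = DEFAULT_MAPS_DIR) -> str:
    """The flawed pattern: the client-supplied name is trusted as-is.

    '../soldat.ini' walks up out of the maps directory, and an absolute path
    makes os.path.join discard base_dir entirely.
    """
    return os.path.normpath(os.path.join(base_dir, requested))


def safe_resolve(requested: str, base_dir: str = DEFAULT_MAPS_DIR) -> Optional[str]:
    """Hardened lookup. Returns the canonical on-disk path, or None to refuse."""
    if not requested or "\0" in requested:
        return None  # empty names and embedded NULs are never legitimate

    # Treat backslash as a separator too, so 'maps\..\soldat.ini' is caught
    # whether the server runs on Windows or Linux.
    name = requested.replace("\\", "/")

    # Transfers are assumed to be flat files: any directory component
    # (../, a leading /, a subdirectory) is rejected outright.
    leaf = posixpath.basename(name)
    if leaf != name or leaf in ("", ".", ".."):
        return None

    # Only serve asset types the feature exists for; config files never match.
    if not leaf.lower().endswith(ALLOWED_SUFFIXES):
        return None

    # Defense in depth: canonicalise both sides and confirm containment, so a
    # symlink or a normalisation quirk cannot reopen the hole.
    root = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(root, leaf))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


if __name__ == "__main__":
    # Constructed requests: one legitimate map name and several escape attempts.
    for req in ("ctf_Ash.PMS", "../soldat.ini", "..\\soldat.ini",
                "/etc/passwd", "soldat.ini"):
        print(f"{req!r:22} naive -> {vulnerable_resolve(req)}")
        print(f"{'':22} safe  -> {safe_resolve(req)}")
```

The naive version prints `/srv/soldat/soldat.ini` for `../soldat.ini`; the hardened version refuses everything except the map file. The suffix allowlist alone would already have stopped this particular request, but the containment check is what stops the next one, so keep both.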
-
GJ Enesce we trust in you.
-
:-X
-
:x :x
-
Just wondering, how many different versions does this bug affect?
Hope it hasn't been around that long.
-
Just wondering, how many different versions does this bug affect?
Hope it hasn't been around that long.
Every version of the server that has file transfers is affected, even versions prior to 2.5.0. It's surprising that no one found this flaw earlier.
-
Just wondering, how many different versions does this bug affect?
Hope it hasn't been around that long.
Every version of the server that has file transfers is affected, even versions prior to 2.5.0. It's surprising that no one found this flaw earlier.
How was this flaw found then? :o
-
Just wondering, how many different versions does this bug affect?
Hope it hasn't been around that long.
Every version of the server that has file transfers is affected, even versions prior to 2.5.0. It's surprising that no one found this flaw earlier.
How was this flaw found then? :o
Well, I kind of can't tell you that without giving you details on how it works. But it's so simple, that I can't believe no one thought of it before, either to abuse it, or patch it.
READ THE NEW WARNING AT THE TOP OF THE ORIGINAL POST
-
<_< I was just about to leave the forums when I saw the new reply to the thread by you. I'm glad I didn't; I have personal files on my server.
Thanks for the update.
-
Hmm... since almost all my maps are custom, I prefer to keep my servers down until the patch is released.
-
Patch released.
-
gj :D
-
Locked, since the newest server patch that addresses the issue is out, and no other information on this is currently necessary.