 PostPosted: Sat Mar 25, 2006 10:13 pm  Post subject: And another security vulnerability...
God & Project Admin
Joined: Sun Jan 23, 2005 6:01 pm
Posts: 10543
Location: Cologne, Jabber: z-man@amessage.de
Affected are servers with an ingame admin password set.
Affected versions: all 0.2.8* up to 0.2.8.0.
Workaround: Set ADMIN_PASS back to NONE.
Fixed in: 0.2.8.1 and 0.2.8_alpha20060319.

This time, it's file reading, not writing. By basically the same error as last time, file paths read from were not checked for ../ components. An ingame administrator can say
Code:
/admin include ../../path/to/some/interesting.file

and the server will try to read settings from it. The first word on every line will be interpreted as a command, and if it is an invalid command, an error message containing the word will be presented to the user.

So, effectively, the ingame admin can read the first word on every line of every file the user running the server has access to. Some very important files only have one word per line...

In the default Unix setup with a dedicated user running the server, the error is mostly harmless. That user does not have read access to sensible data, unless you have world readable files with sensitive content on your system. Stock Unix distributions usually don't.

Nevertheless, I'd advise all server administrators of 0.2.8 servers who have not already upgraded to 0.2.8_alpha20060319 to get and install 0.2.8.1 or to disable ingame admin access. This also applies if you trust your ingame admins perfectly; the interface is not cryptographically secured, so the password can be stolen or people can inject commands whenever someone is logged in.

Keen observers will notice that we should have thought about this when we found the MAP_FILE exploit. They're right. Sorry about that.

Only the OSX build of 0.2.8.1 is missing, but the only one running an OSX server is nemostultae himself, and the server appears to be of an unaffected version. Usually, we'd wait for all platforms to have updated builds available before we disclose security problems.

Tank: could you move this to the News forum again, and update the main webpage?
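The missing check described in the post, as an added example that is not part of the post or of Armagetron's code base: a file name handed to an include-style admin command is confined to the server's config directory, and the naive join the post describes is shown beside it. The function names, the constructed temporary directory layout and its file contents are assumptions for illustration.

```python
"""Added example (not Armagetron's own code): confining the file name given
to an '/admin include'-style command to the server's config directory."""
import os
import tempfile
from pathlib import Path
from typing import Optional


def naive_include_path(config_dir: str, requested: str) -> str:
    """The flawed behaviour the post describes: the name is simply joined
    onto the config directory, so '..' components walk out of it."""
    return os.path.normpath(os.path.join(config_dir, requested))


def safe_include_path(config_dir: str, requested: str) -> Optional[str]:
    """Return the path to read, or None if the request must be refused.

    Absolute names and any '..' component are rejected outright; the
    resolved path (symlinks followed) must then still lie under the
    resolved config directory, which also catches symlink escapes.
    """
    if not requested or os.path.isabs(requested):
        return None
    if ".." in Path(requested).parts:
        return None
    base = Path(config_dir).resolve()
    target = (base / requested).resolve()
    try:
        target.relative_to(base)  # ValueError if target escaped base
    except ValueError:
        return None
    return str(target)


def demo() -> dict:
    """Constructed layout (assumption): <tmp>/config/settings.cfg plus
    <tmp>/secret.txt one level up, mirroring the '../' escape in the post."""
    root = Path(tempfile.mkdtemp()).resolve()
    config = root / "config"
    config.mkdir()
    (config / "settings.cfg").write_text("CYCLE_RUBBER 5\n")
    (root / "secret.txt").write_text("constructed-secret\n")
    return {
        "naive_escapes": Path(naive_include_path(str(config), "../secret.txt")).read_text().startswith("constructed"),
        "safe_refuses": safe_include_path(str(config), "../secret.txt") is None,
        "safe_refuses_nested": safe_include_path(str(config), "sub/../../secret.txt") is None,
        "safe_refuses_abs": safe_include_path(str(config), "/etc/passwd") is None,
        "safe_allows": safe_include_path(str(config), "settings.cfg") == str(config / "settings.cfg"),
    }


if __name__ == "__main__":
    print(demo())
```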
 PostPosted: Sun Mar 26, 2006 10:45 am  Post subject:
Forum & Project Admin, MEng
Joined: Thu Dec 18, 2003 7:03 pm
Posts: 6566
Location: /home/sweden
Site updated.