Affected versions: all 0.2.8* up to 0.2.8.0.
Workaround: Set ADMIN_PASS back to NONE.
Fixed in: 0.2.8.1 and 0.2.8_alpha20060319.
This time, it's file reading, not writing. By basically the same error as last time, file paths read from were not checked for ../ components. An ingame administrator can say
Code: Select all
/admin include ../../path/to/some/interesting.file
and the server will try to read settings from it. The first word on every line will be interpreted as a command, and if it is an invalid command, an error message containing the word will be presented to the user.
So, effectively, the ingame admin can read the first word on every line of every file the user running the server has access to. Some very important files only have one word per line...
In the default Unix setup with a dedicated user running the server, the error is mostly harmless. That user does not have read access to sensible data, unless you have world readable files with sensitive content on your system. Stock Unix distributions usually don't.
Nevertheless, I'd advise all server administrators of 0.2.8 servers who have not already upgraded to 0.2.8_alpha20060319 to get and install 0.2.8.1 or to disable ingame admin access. This also applies if you thrust your ingame admins perfectly; the interface is not cryptographically secured, so the password can be stolen or people can inject commands whenever someone is logged in.
Keen observers will notice that we should have thought about this when we found the MAP_FILE exploit. They're right. Sorry about that.
Only the OSX build of 0.2.8.1 is missing, but the only one running an OSX server is nemostultae himself, and the server appears to be of an unaffected version. Usually, we'd wait for all platforms to have updated builds available before we disclose security problems.
Tank: could you move this to the News forum again, and update the main webpage?