ULX

Author Topic: sv_allowupload/download safe again?  (Read 9456 times)


Offline Bryantdl7

sv_allowupload/download safe again?
« on: December 26, 2014, 07:04:25 PM »
Since the epic vin'll fix it hack I have sv_allowupload 0 and sv_allowdownload 0. The one problem I'm noticing is sprays don't like to show with those settings set up. Are they still major security risks?



Offline MrPresident

  • Ulysses Team Member
Re: sv_allowupload/download safe again?
« Reply #1 on: December 26, 2014, 07:37:04 PM »
This was patched pretty quickly. You should be safe to enable them again.

Offline JamminR

  • Ulysses Team Member
Re: sv_allowupload/download safe again?
« Reply #2 on: December 26, 2014, 09:04:07 PM »
I'm of the opinion though that, since I've seen at least 5 exploits due to those functions in the past 10 years, if sprays is all you want them for, it's not worth the risk of some yet unknown to us malicious use of them.
But, I'm a paranoid IT geek.

"Though a program be but three lines long, someday it will have to be maintained." -- The Tao of Programming

Offline MrPresident

  • Ulysses Team Member
Re: sv_allowupload/download safe again?
« Reply #3 on: December 26, 2014, 11:34:24 PM »
This is exactly why those vars are still disabled in my server. They were disabled before the exploit as well, which is why we were also unaffected.

Offline Avoid

Re: sv_allowupload/download safe again?
« Reply #4 on: December 27, 2014, 07:25:54 AM »
Hello,
I think this exploit should get fixed with the next update, until then use this library found: here

Code:
Sprays Fix
Description: I've released it before but I'll do it again, this prevents the sweg hackers from exploiting sv_allowupload/sv_allowdownload. Pretty much you can safely enable sprays with this.

Hope this helps,
Avoid :)

Offline Neku

Re: sv_allowupload/download safe again?
« Reply #5 on: December 27, 2014, 05:09:56 PM »
Hello,
I think this exploit should get fixed with the next update, until then use this library found: here

Code:
Sprays Fix
Description: I've released it before but I'll do it again, this prevents the sweg hackers from exploiting sv_allowupload/sv_allowdownload. Pretty much you can safely enable sprays with this.

Hope this helps,
Avoid :)

Huh, didn't know that existed.

Nice signature btw.
Out of the Garry's Mod business.

Offline Bryantdl7

Re: sv_allowupload/download safe again?
« Reply #6 on: December 28, 2014, 03:41:57 PM »
Hello,
I think this exploit should get fixed with the next update, until then use this library found: here

Code:
Sprays Fix
Description: I've released it before but I'll do it again, this prevents the sweg hackers from exploiting sv_allowupload/sv_allowdownload. Pretty much you can safely enable sprays with this.

Hope this helps,
Avoid :)
I'm gonna try this now and edit with my results.



Offline Sgt.Blue

Re: sv_allowupload/download safe again?
« Reply #7 on: January 02, 2015, 02:05:49 PM »
Was there ever any benefit to having the Cvars enabled in the first place?

Offline JamminR

  • Ulysses Team Member
Re: sv_allowupload/download safe again?
« Reply #8 on: January 02, 2015, 03:58:15 PM »
Yes, if someone doesn't have Fast Download separate server/url, it is an easy, if not extremely slower than fast dl, way to allow connecting people to get maps/models/etc.

Offline PAL-18

Re: sv_allowupload/download safe again?
« Reply #9 on: January 03, 2015, 01:15:15 AM »
If you want your spray to still appear but you also want to stay secure, here's a way I discovered:

  • Set sv_allowupload and sv_allowdownload to 1 and restart the server.
  • Set up your game to use your custom spray.
  • Connect to your server and it will download the spray.
  • Set sv_allowupload and sv_allowdownload to 0 and restart the server.
  • Profit from you being the only player with a custom spray.

Note: If you change your spray, you'll need to do the above again.

Offline MrPresident

  • Ulysses Team Member
Re: sv_allowupload/download safe again?
« Reply #10 on: January 03, 2015, 01:11:04 PM »
Yes, if someone doesn't have Fast Download separate server/url, it is an easy, if not extremely slower than fast dl, way to allow connecting people to get maps/models/etc.

Just to break it down a little bit more:

sv_allowdownload allows players to download assets from a server (assuming they've added them to the list of things to be downloaded) if the server is NOT using FastDL.
sv_allowupload allows players to upload custom sprays.

If a server is using FastDL (sv_downloadurl) then sv_allowdownload is ignored and does nothing.

There have been exploits in the past with sv_allowupload and it's safe to just have it turned off if you don't care about sprays in your server.
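
Added example, not part of any post in this thread: a small Python audit of a server.cfg for the three cvars broken down in the reply above. The sample config, the OK/INFO/WARN levels and the rule that sv_allowdownload is ignored while sv_downloadurl is set (taken from that reply, not checked against the engine) are assumptions.

```python
import re
WATCHED = ("sv_allowupload", "sv_allowdownload", "sv_downloadurl")
LINE_RE = re.compile(r'^\s*(\w+)\s+(?:"([^"]*)"|(\S+))')
# Constructed sample config for illustration; not taken from the thread.
SAMPLE_CFG = '''\
sv_allowupload 1
sv_allowdownload "1"   // in-engine downloads
sv_downloadurl "http://fastdl.example.invalid/gmod/"
sv_allowupload 0       // a later line overrides the earlier one
'''

def strip_comment(line):
    # Drop a // comment unless it sits inside double quotes (URLs contain //).
    in_quote = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quote = not in_quote
        elif not in_quote and line.startswith("//", i):
            return line[:i]
    return line

def parse_cvars(text):
    # Keep the last value assigned to each watched cvar.
    found = {}
    for raw in text.splitlines():
        m = LINE_RE.match(strip_comment(raw))
        if m and m.group(1).lower() in WATCHED:
            found[m.group(1).lower()] = m.group(2) if m.group(2) is not None else m.group(3)
    return found

def is_on(value):
    try:
        return float(value) != 0
    except ValueError:
        return False  # assumption: a non-numeric value is treated as 0

def audit(text):
    c, out = parse_cvars(text), {}
    fastdl = bool(c.get("sv_downloadurl", "").strip())
    for name in WATCHED[:2]:
        if name not in c:
            out[name] = ("WARN", "not set explicitly; engine default applies")
        elif not is_on(c[name]):
            out[name] = ("OK", "disabled")
        elif name == "sv_allowdownload" and fastdl:
            out[name] = ("INFO", "enabled, but ignored while sv_downloadurl is set")
        else:
            out[name] = ("WARN", "enabled")
    return out
```

Call `audit(open("server.cfg").read())` on a real config; a cvar reported as not set explicitly should be pinned in the file so the server's behaviour does not depend on a default.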

Offline Bryantdl7

Re: sv_allowupload/download safe again?
« Reply #11 on: January 15, 2015, 07:02:16 AM »

Hello,
I think this exploit should get fixed with the next update, until then use this library found: here

Code:
Sprays Fix
Description: I've released it before but I'll do it again, this prevents the sweg hackers from exploiting sv_allowupload/sv_allowdownload. Pretty much you can safely enable sprays with this.

Hope this helps,
Avoid :)
Thanks for showing me this, Avoid, but because I lack the time/smartness to figure it out I can't figure out why sprays won't show at all. With re-enabling sv_allowupload and sv_allowdownload sprays still do not work; don't ask me why, as I said I don't have the time or the smartness to figure it out.

As far as the library itself goes, I cannot say if it works since sprays just won't work in general for me!

I think I will just lay sprays to rest and prevent the risk of getting hacked for a 7th time, lol.