Author Topic: sv_allowupload/download safe again? (Read 8675 times)

Bryantdl7 · « **on:** December 26, 2014, 07:04:25 PM »

Since the epic vin'll fix it hack I have sv_allowupload 0 and sv_allowdownload 0. the one problem im noticing is sprays dont like to show with those settings set up. Are they still major security risks?

MrPresident · « **Reply #1 on:** December 26, 2014, 07:37:04 PM »

This was patched pretty quickly. You should be safe to enable them again.

JamminR · « **Reply #2 on:** December 26, 2014, 09:04:07 PM »

I'm of the opinion though that, since I've seen at least 5 exploits due to those functions in the past 10 years, if sprays is all you want them for, it's not worth the risk of some yet unknown to use malicious use of them.
But, I'm a paranoid IT geek.

MrPresident · « **Reply #3 on:** December 26, 2014, 11:34:24 PM »

This is exactly why those vars are still disabled in my server. They were disabled before the exploit as well, which is why we were also unaffected.

Avoid · « **Reply #4 on:** December 27, 2014, 07:25:54 AM »

Hello,
I think this exploit should get fixed with the next update, until then use this library found: here

Code: [Select]

Sprays Fix
Description: I've released it before but I'll do it again, this  prevents the sweg hackers from exploiting sv_allowupload/sv_allowdownload. Pretty much you can safely enable sprays with this.

Hope this helps,
Avoid

Neku · « **Reply #5 on:** December 27, 2014, 05:09:56 PM »

Quote from: Avoid on December 27, 2014, 07:25:54 AM

Hello,
I think this exploit should get fixed with the next update, until then use this library found: here

Code: [Select]
Sprays Fix Description: I've released it before but I'll do it again, this prevents the sweg hackers from exploiting sv_allowupload/sv_allowdownload. Pretty much you can safely enable sprays with this.
Hope this helps,
Avoid

Huh, didn't know that existed.

Nice signature btw.

Bryantdl7 · « **Reply #6 on:** December 28, 2014, 03:41:57 PM »

Quote from: Avoid on December 27, 2014, 07:25:54 AM

Hello,
I think this exploit should get fixed with the next update, until then use this library found: here

Code: [Select]
Sprays Fix Description: I've released it before but I'll do it again, this prevents the sweg hackers from exploiting sv_allowupload/sv_allowdownload. Pretty much you can safely enable sprays with this.
Hope this helps,
Avoid

I'm gonna try this now and edit with my results.

Sgt.Blue · « **Reply #7 on:** January 02, 2015, 02:05:49 PM »

Was there ever any benefit to having the Cvars enabled in the first place?

JamminR · « **Reply #8 on:** January 02, 2015, 03:58:15 PM »

Yes, if someone doesn't have Fast Download separate server/url, it is an easy, if not extremely slower than fast dl, way to allow connecting people to get maps/models/etc.

PAL-18 · « **Reply #9 on:** January 03, 2015, 01:15:15 AM »

If you want your spray to still appear but you also want to stay secure, here's a way i discovered:

Set sv_allowupload and sv_allowdownload to 1 and restart the server.
Set up your game to use your custom spray.
Connect to your server and it will download the spray.
Set sv_allowupload and sv_allowdownload to 0 and restart the server.
Profit from you being the only player with a custom spray.

Note: If you change your spray, you'll need to do the above again.

MrPresident · « **Reply #10 on:** January 03, 2015, 01:11:04 PM »

Quote from: JamminR on January 02, 2015, 03:58:15 PM

Yes, if someone doesn't have Fast Download separate server/url, it is an easy, if not extremely slower than fast dl, way to allow connecting people to get maps/models/etc.

Just to break it down a little bit more:

sv_allowdownload allows players to download assets from a server (assuming they've added them to the list of things to be downloaded) if the server is NOT using FastDL.
sv_allowupload allows players to upload custom sprays.

If a server is using FastDL (sv_downloadurl) then sv_allowdownload is ignored and does nothing.

There have been exploits in the past with sv_allowupload and it's safe to just have it turned off if you don't care about sprays in your server.

Bryantdl7 · « **Reply #11 on:** January 15, 2015, 07:02:16 AM »

Quote from: Avoid on December 27, 2014, 07:25:54 AM

Hello,
I think this exploit should get fixed with the next update, until then use this library found: here

Code: [Select]
Sprays Fix Description: I've released it before but I'll do it again, this prevents the sweg hackers from exploiting sv_allowupload/sv_allowdownload. Pretty much you can safely enable sprays with this.
Hope this helps,
Avoid

thanks for showing me this avoid, but because I lack the time/smartness to figure it out I can't figure out why sprays won't show at all, with re-enabling sv_allowupload and sv_allowdownload sprays still do not work, don't ask me why as I said I don't have the time or the smartness to figure it out.

As far as the library itself goes, I cannot say if it works since sprays just won't work in general for me!

I think I will just lay sprays to rest and prevent the risk of getting hacked for a 7th time, lol.

Ulysses

Author Topic: sv_allowupload/download safe again? (Read 8675 times)

Bryantdl7

sv_allowupload/download safe again?

MrPresident

Re: sv_allowupload/download safe again?

JamminR

Re: sv_allowupload/download safe again?

MrPresident

Re: sv_allowupload/download safe again?

Avoid

Re: sv_allowupload/download safe again?

Neku

Re: sv_allowupload/download safe again?

Bryantdl7

Re: sv_allowupload/download safe again?

Sgt.Blue

Re: sv_allowupload/download safe again?

JamminR

Re: sv_allowupload/download safe again?

PAL-18

Re: sv_allowupload/download safe again?

MrPresident

Re: sv_allowupload/download safe again?

Bryantdl7

Re: sv_allowupload/download safe again?