Author Topic: New ULX and ULib (Security advisory on previous versions!)  (Read 6384 times)

0 Members and 1 Guest are viewing this topic.

Offline Megiddo

  • Ulysses Team Member
  • Hero Member
  • *****
  • Posts: 6213
  • Karma: 394
  • Project Lead
New ULX and ULib (Security advisory on previous versions!)
« on: June 19, 2007, 07:45:24 PM »
ULX 3.11 and ULib 2.05 have been released. Change logs!

ULib changelog:
Quote
   * [ADD] ply:SetUserGroup() -- Thanks aVoN!
   * [ADD] ply:DisallowVehicles( bool )
   * [FIX] A timer error in UCL, was messing up scoreboard sometimes.
   * [FIX] Security hole where exploiters could gain superadmin access
   * [CHANGE] You can assign allow/denies to the default user group, "user" now. (IE, allow guests to slap)
   * [CHANGE] DisallowSpawning now disallows tools that can spawn things.
   * [REMOVED] Old settings/users.txt stuff, handled by SetUserGroup now

ULX changelog:
Quote
   * [FIX] ulx vote. No longer public, people can't vote more than once, won't continue to hog the binds.
   * [FIX] rslots will now set rslots on dedicated server start
   * [FIX] Bring/goto getting you stuck in player sometimes.
   * [FIX] Can't use vehicles from inside a jail now.
   * [CHANGE] bring and goto now place teleporting player behind target
   * [CHANGE] Upped votemapMinvotes to 3 (was 2).
   * [CHANGE] Player physgun now only works in sandbox, lower admins can't physgun immune admins, freezes player while held.
   * [CHANGE] Unblocked custom groups from ulx adduser.

Security advisory (dedicated servers only):
There's a security hole in all previous versions of ULib/ULX that could allow a user to get superadmin access to the ULX commands. You are strongly recommended to upgrade. You can update to ULib 2.05 and keep ULX 3.10 to fix the security hole if you wish, but "ulx adduser" will break.

Download these update from http://ulyssesmod.net/
« Last Edit: June 20, 2007, 01:17:36 AM by Megiddo »
Experiencing God's grace one day at a time.

Offline TomatoSoup

  • Newbie
  • *
  • Posts: 40
  • Karma: 3
Re: New ULX and ULib (Security advisory on previous versions!)
« Reply #1 on: June 20, 2007, 07:29:53 PM »
What? Removed settings/users.txt stuff?

Whazzat mean?

We can't add people to ULX by using the settings/users.txt file anymore? Thats... well, in my opinion, not wise.

Offline atomicspark

  • Full Member
  • ***
  • Posts: 196
  • Karma: 12
Re: New ULX and ULib (Security advisory on previous versions!)
« Reply #2 on: June 20, 2007, 09:41:15 PM »
He might mean "/data/ulib/users.txt". Mine appears to be missing. ???
« Last Edit: June 21, 2007, 12:35:58 PM by atomicspark »

Offline Megiddo

  • Ulysses Team Member
  • Hero Member
  • *****
  • Posts: 6213
  • Karma: 394
  • Project Lead
Re: New ULX and ULib (Security advisory on previous versions!)
« Reply #3 on: June 20, 2007, 09:42:22 PM »
I mean the import stuff, it handles it a different way now.
Experiencing God's grace one day at a time.

Offline atomicspark

  • Full Member
  • ***
  • Posts: 196
  • Karma: 12
Re: New ULX and ULib (Security advisory on previous versions!)
« Reply #4 on: June 20, 2007, 09:46:48 PM »
Yeah. Scratch what I said before. The "/data/ulib/users.txt" showed up when I re-added someone. That means I'll have to manually add users to it or wait till they're in game. It's more work but hey if it fixes the hax, it's worth it.
« Last Edit: June 21, 2007, 12:37:21 PM by atomicspark »

Offline TomatoSoup

  • Newbie
  • *
  • Posts: 40
  • Karma: 3
Re: New ULX and ULib (Security advisory on previous versions!)
« Reply #5 on: June 21, 2007, 06:20:44 AM »
But does that fix the hack?

I'm assuming it has something to do with RCON, JamminR came on my server and used RCON to message me, telling me about the exploit.

Offline Megiddo

  • Ulysses Team Member
  • Hero Member
  • *****
  • Posts: 6213
  • Karma: 394
  • Project Lead
Re: New ULX and ULib (Security advisory on previous versions!)
« Reply #6 on: June 21, 2007, 08:03:41 AM »
It still imports from users.txt, as I said.
Experiencing God's grace one day at a time.

Offline spbogie

  • Ulysses Team Member
  • Sr. Member
  • *****
  • Posts: 456
  • Karma: 41
Re: New ULX and ULib (Security advisory on previous versions!)
« Reply #7 on: June 21, 2007, 08:12:39 AM »
People listen!
data/users.txt is not related to ULib/ULX in any way.
data/ULib/users.txt is ULib's users file.
settings/users.txt is the default GarrysMod users file.

   * [REMOVED] Old settings/users.txt stuff, handled by SetUserGroup now
The old method of importing admins from settings/users.txt (by reading the file ourselves and adding the users) has been removed becase it is now handled by SetUserGroup when garrysmod imports the file.
I have not failed. I've just found 10,000 ways that won't work. - Thomas A. Edison
I reject your reality and substitute my own. - Adam Savage

Offline atomicspark

  • Full Member
  • ***
  • Posts: 196
  • Karma: 12
Re: New ULX and ULib (Security advisory on previous versions!)
« Reply #8 on: June 21, 2007, 12:40:32 PM »
Once again the path that I was thinking of and the path I typed was different. I ment to compare your's and gmod's the whole time. Sorry for the confusion. ::)

Offline Megiddo

  • Ulysses Team Member
  • Hero Member
  • *****
  • Posts: 6213
  • Karma: 394
  • Project Lead
Re: New ULX and ULib (Security advisory on previous versions!)
« Reply #9 on: June 24, 2007, 10:40:32 PM »
Funny enough, an exploit was discovered in SS today that allowed you to gain superadmin access. When it rains, it pours I suppose. :)
Experiencing God's grace one day at a time.