Ulysses

General => Off-Topic => Topic started by: Bryantdl7 on December 26, 2014, 07:04:25 PM

Title: sv_allowupload/download safe again?
Post by: Bryantdl7 on December 26, 2014, 07:04:25 PM
Since the epic vin'll fix it hack I have sv_allowupload 0 and sv_allowdownload 0. The one problem I'm noticing is sprays don't like to show with those settings set up. Are they still major security risks?
Title: Re: sv_allowupload/download safe again?
Post by: MrPresident on December 26, 2014, 07:37:04 PM
This was patched pretty quickly. You should be safe to enable them again.
Title: Re: sv_allowupload/download safe again?
Post by: JamminR on December 26, 2014, 09:04:07 PM
I'm of the opinion though that, since I've seen at least 5 exploits due to those functions in the past 10 years, if sprays is all you want them for, it's not worth the risk of some yet unknown to us malicious use of them.
But, I'm a paranoid IT geek.

Title: Re: sv_allowupload/download safe again?
Post by: MrPresident on December 26, 2014, 11:34:24 PM
This is exactly why those vars are still disabled in my server. They were disabled before the exploit as well, which is why we were also unaffected.
Title: Re: sv_allowupload/download safe again?
Post by: Avoid on December 27, 2014, 07:25:54 AM
Hello,
I think this exploit should get fixed with the next update, until then use this library found: here (http://facepunch.com/showthread.php?t=1439347)

Code:
Sprays Fix
Description: I've released it before but I'll do it again, this prevents the sweg hackers from exploiting sv_allowupload/sv_allowdownload. Pretty much you can safely enable sprays with this.

Hope this helps,
Avoid :)
Title: Re: sv_allowupload/download safe again?
Post by: Neku on December 27, 2014, 05:09:56 PM
Hello,
I think this exploit should get fixed with the next update, until then use this library found: here (http://facepunch.com/showthread.php?t=1439347)

Code:
Sprays Fix
Description: I've released it before but I'll do it again, this prevents the sweg hackers from exploiting sv_allowupload/sv_allowdownload. Pretty much you can safely enable sprays with this.

Hope this helps,
Avoid :)

Huh, didn't know that existed.

Nice signature btw.
Title: Re: sv_allowupload/download safe again?
Post by: Bryantdl7 on December 28, 2014, 03:41:57 PM
Hello,
I think this exploit should get fixed with the next update, until then use this library found: here (http://facepunch.com/showthread.php?t=1439347)

Code:
Sprays Fix
Description: I've released it before but I'll do it again, this prevents the sweg hackers from exploiting sv_allowupload/sv_allowdownload. Pretty much you can safely enable sprays with this.

Hope this helps,
Avoid :)
I'm gonna try this now and edit with my results.
Title: Re: sv_allowupload/download safe again?
Post by: Sgt.Blue on January 02, 2015, 02:05:49 PM
Was there ever any benefit to having the Cvars enabled in the first place?
Title: Re: sv_allowupload/download safe again?
Post by: JamminR on January 02, 2015, 03:58:15 PM
Yes, if someone doesn't have Fast Download separate server/url, it is an easy, if not extremely slower than fast dl, way to allow connecting people to get maps/models/etc.
Title: Re: sv_allowupload/download safe again?
Post by: PAL-18 on January 03, 2015, 01:15:15 AM
If you want your spray to still appear but you also want to stay secure, here's a way I discovered:


Note: If you change your spray, you'll need to do the above again.
Title: Re: sv_allowupload/download safe again?
Post by: MrPresident on January 03, 2015, 01:11:04 PM
Yes, if someone doesn't have Fast Download separate server/url, it is an easy, if not extremely slower than fast dl, way to allow connecting people to get maps/models/etc.

Just to break it down a little bit more:

sv_allowdownload allows players to download assets from a server (assuming they've added them to the list of things to be downloaded) if the server is NOT using FastDL.
sv_allowupload allows players to upload custom sprays.

If a server is using FastDL (sv_downloadurl) then sv_allowdownload is ignored and does nothing.

There have been exploits in the past with sv_allowupload and it's safe to just have it turned off if you don't care about sprays in your server.
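
Added example (not part of the post above, and not code from the game or from the library linked in this thread): a Python script that audits a server.cfg against the cvar behaviour described in that post. The parser, the finding codes and the sample config are constructed for illustration; a cvar that is never set is reported as such rather than assuming an engine default.

```python
import re

# key followed by a quoted value or a bare token (parser written for this example)
LINE = re.compile(r'^\s*(\w+)\s+(?:"([^"]*)"|([^\s"]+))')
CVARS = ("sv_allowupload", "sv_allowdownload", "sv_downloadurl")

def parse_cfg(text):
    """Return the last explicit value of each cvar of interest."""
    values = {}
    for raw in text.splitlines():
        if raw.lstrip().startswith("//"):           # whole-line comment
            continue
        m = LINE.match(raw)
        if not m or m.group(1).lower() not in CVARS:
            continue
        quoted, bare = m.group(2), m.group(3)
        # this parser treats // after a bare token as a trailing comment
        value = quoted if quoted is not None else bare.split("//")[0]
        values[m.group(1).lower()] = value.strip()  # later lines override
    return values

def is_on(value):
    try:
        return float(value) != 0
    except ValueError:
        return False        # assumption: non-numeric text counts as off

def audit(text):
    """Return (cvar, code) findings based on the rules stated in the thread."""
    v = parse_cfg(text)
    findings = [(n, "UNSET") for n in CVARS[:2] if n not in v]
    if is_on(v.get("sv_allowupload", "0")):
        findings.append(("sv_allowupload", "UPLOAD_ON"))    # spray uploads accepted
    if "sv_allowdownload" in v and v.get("sv_downloadurl"):
        findings.append(("sv_allowdownload", "DOWNLOAD_IGNORED"))  # FastDL in use
    elif is_on(v.get("sv_allowdownload", "0")):
        findings.append(("sv_allowdownload", "DOWNLOAD_ON"))  # direct downloads
    return findings

# Constructed sample config, not taken from any real server.
SAMPLE = """
// constructed sample server.cfg
hostname "Example Server"
sv_allowupload 1
sv_allowdownload "1"
sv_downloadurl "http://fastdl.example.invalid/gmod/"
"""

if __name__ == "__main__":
    for cvar, code in audit(SAMPLE):
        print(f"{cvar}: {code}")
```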
Title: Re: sv_allowupload/download safe again?
Post by: Bryantdl7 on January 15, 2015, 07:02:16 AM

Hello,
I think this exploit should get fixed with the next update, until then use this library found: here (http://facepunch.com/showthread.php?t=1439347)

Code:
Sprays Fix
Description: I've released it before but I'll do it again, this prevents the sweg hackers from exploiting sv_allowupload/sv_allowdownload. Pretty much you can safely enable sprays with this.

Hope this helps,
Avoid :)
Thanks for showing me this, Avoid, but because I lack the time/smartness to figure it out, I can't figure out why sprays won't show at all. With re-enabling sv_allowupload and sv_allowdownload, sprays still do not work; don't ask me why, as I said I don't have the time or the smartness to figure it out.

As far as the library itself goes, I cannot say if it works since sprays just won't work in general for me!

I think I will just lay sprays to rest and prevent the risk of getting hacked for a 7th time, lol.