
Mani-Admin Exploit


Dan M


Hi Guys,

I thought whilst I posted that other thread, I'd post a bit of information. From what I can see, there's an exploit in the mani-admin plugin that allows anybody to gain access to your server.

I'm running the latest version of Mani "Mani Admin Plugin v1.2BetaS-hotfix-2". We use this to broadcast the popup menus for HLSTATSX; we use Sourcemod as a mainstream admin addon with Sourcebans.

It started a few weeks ago when we left our most popular server unattended, things started to change such as the server name and masses of bots being added and passwords being applied. Since we use Sourcemod globally across our servers, it was pretty easy to see if it was one of our own admins doing this.

We changed the RCON password on the said server, but no effect was made. I then left HLSW broadcasting under "rcon" all day, and logged it to a file. When I got back home from work I checked the logs and it seemed the first command executed was ma_rcon, proving an exploit in the mani system.

I installed "Ironwall" to Eventscripts and added every single preliminary mani command into the disallowed commands, this rightfully fixed the problem. I also found a script that Louise posted on her forums whilst browsing through Google. That also added a bit of redundancy to the unloading of ironwall, etc.

Just thought I would let you know. There was an exploit a while ago, this is new and completely unrelated.

I guess it's what Mani gets for releasing his source code.

Cheers.


We have advised all of our customers to switch to Sourcemod, we have removed mani admin from all the default installers and outline it in the Source welcome emails.

Mani was good at one point, but Sourcemod is definitely the better, and more supported option. :)


Archived

This topic is now archived and is closed to further replies.
