Python exploit


gordo

Hi all, I got this email today, can anyone confirm this?

Hey there, I'm xxxxx xxxxxx. I would like to point out some information about "Eventscript" with the "Python Script" variable. Since 2005/06 Eventscript has been presented with Python scripts, and since then there has been a major issue with client sides and the Administrator Master-root Server. Australian hosts have not been notified about this issue, and so far I have spoken to about 7-8 game dedicated hosts, and none of them knew about this issue.

 

What it actually is, is that you are able to Execute/run/Display/Copy/Cut/Delete files from the root server to the client FTP. For example, you are able to script in Python in order to display the folders/files based in "C:/" (for Windows OS) and "/home/" (for Linux OS), then you can copy files in whatever directory and paste them where your own clients could access them through FTP. Yet this can cause really dangerous stuff if your user account is set to high privilege that can do stuff with admin rights, for example upload a .txt and place "Format C:\" in it, then rename the .txt to .bat using Python, then execute it using Python. This will only work if it's running with Admin rights. If it's not, you are still also allowed to view various folders in different sections, or do any kind of scripting of whatever an advanced scripter can do.

 

I initially found this 2-3 weeks ago, and started to search for hosts and explain it to them. Which I like helping others for my own good to also get known.

 

I have spoken with Mattie (owner of Eventscript) about this issue, and he said the same thing: the only way to block it is that only an advanced Windows user who has had a course in it can easily block this. Also, if you have blocked .py then none of the clients will be able to upload Eventscript, which is a MOD for CSS, or a few other additional plugins for Eventscript as well.

 

(Please ask me if there is something that I haven't pointed out properly, or if it is possible to create a test server that I can test it on, which all other hosts have done.)

 

Thank you

Kindest Regards,

Looking forward to your reply,

This topic is now archived and is closed to further replies.
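
A host that cannot block .py uploads can still triage them before they are loaded. The following is an added example, not part of the original post or of EventScripts: a static check that flags uploaded scripts which import file-system or process modules or call file-opening built-ins. The module and call lists and the sample scripts are constructed assumptions; the check is a review aid only, and the privileges of the account running the game server remain the real boundary.

```python
import ast

# Modules that give a script file-system, process or network reach (constructed list).
RISKY_MODULES = {"os", "shutil", "subprocess", "ctypes", "socket", "ftplib", "glob"}
# Built-ins that open files or run dynamically built code.
RISKY_CALLS = {"open", "file", "eval", "exec", "execfile", "compile", "__import__"}


def audit_script(source, name="<upload>"):
    """Return sorted (line, finding) tuples for one uploaded script."""
    try:
        tree = ast.parse(source, filename=name)
    except SyntaxError as err:
        # Cannot analyse it (e.g. Python 2-only syntax): hold for manual review.
        return [(err.lineno or 0, "unparseable: manual review")]
    findings = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            mods = [alias.name for alias in node.names]
        elif isinstance(node, ast.ImportFrom):
            mods = [node.module or ""]
        else:
            mods = []
        for mod in mods:
            root = mod.split(".")[0]
            if root in RISKY_MODULES:
                findings.add((node.lineno, "import " + root))
        if isinstance(node, ast.Call) and isinstance(node.func, ast.Name):
            if node.func.id in RISKY_CALLS:
                findings.add((node.lineno, "call " + node.func.id))
    return sorted(findings)


# Constructed sample uploads, not taken from any real addon.
SAMPLE_CLEAN = "def load():\n    greeting = 'hello'\n    return greeting\n"
SAMPLE_RISKY = (
    "import os, shutil\n"
    "def load():\n"
    "    names = os.listdir('/home')\n"
    "    shutil.copy('/home/a/cfg', '/home/b/cfg')\n"
    "    return open('/home/b/cfg').read()\n"
)

if __name__ == "__main__":
    for label, src in (("clean", SAMPLE_CLEAN), ("risky", SAMPLE_RISKY)):
        print(label, audit_script(src, label))
```

A script that passes this check can still reach the file system through indirect means, so flagged or unparseable uploads go to manual review and the server process itself should run under an unprivileged account.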
