[quake3] File download exploit
james at jamesdesign.org
Tue Feb 12 07:05:40 PST 2008
Yep that looks like the one. In that case, sorry for the false alarm guys! I
just wanted to make sure people were aware of the problem as it still exists
in quite a few games.
Thanks for the response,
On Feb 12, 2008 2:37 PM, Thilo Schulz <arny at ats.s.bawue.de> wrote:
> On Dienstag, 12. Februar 2008, James Munro wrote:
> > http://rafb.net/p/XmBZ6E34.html
> > The code will allow you to download any file from the server. As
> > the Q3 server file download function does not check which directory the
> > user is downloading from, and so this code can be used to download the
> > server.cfgwhich may contain the rcon password, so it is clear why this
> > is a problem!
> This looks like an exploit for a bug that Ludwig Nussel and I have found
> time ago already. Please look at my advisory for more information:
> Thilo Schulz
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the ioquake3