A vulnerability has been found in the Half-Life Dedicated Server that can be used to discover your rcon password. If sv_allowdownload is set to 1 (the default), then any connected client can download selected files from your server's main directory -- including your server.cfg, which contains your rcon password.
Our recommendation is that you disable downloads by setting sv_allowdownload to 0 in your server.cfg, at least for now. Valve is working on a solution to the problem and it will most likely be released through Steam within a matter of days.
Update:
Valve has released a new version to address this. We will be updating all servers midmorning tomorrow.
If you would like the patch sooner, just email us and we will upgrade your server separately.
Update:
The patch was installed without incident on the morning of 21 Nov 2003.
Half-Life vulnerability
- Edge100x
Last edited by Edge100x on Fri Nov 21, 2003 6:18 pm, edited 1 time in total.
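A way to check a server.cfg for the condition described in the announcement above, added here as an example and not part of the original post or of Valve's patch. It assumes the usual config syntax (`//` comments, `;` between commands, optional quotes), assumes the last assignment to a cvar wins, and does not follow `exec` lines; the function names and sample configs are constructed for illustration.

```python
import re

# Per the announcement, downloads are enabled unless the config turns them off.
DEFAULT_ALLOWDOWNLOAD = "1"

# Quoted string, '//' comment to end of line, ';' separator, or a bare word.
TOKEN = re.compile(r'"[^"]*"|//.*|;|(?:(?!//)[^\s;"])+')

def statements(text):
    """Yield one token list per command in a .cfg text."""
    for raw in text.splitlines():
        cmd = []
        for tok in TOKEN.findall(raw):
            if tok.startswith("//"):          # rest of the line is a comment
                break
            if tok == ";":                    # command separator
                if cmd:
                    yield cmd
                cmd = []
            else:
                cmd.append(tok.strip('"'))
        if cmd:
            yield cmd

def is_zero(value):
    try:
        return float(value) == 0
    except ValueError:
        return False                          # unparseable: report as enabled

def audit(text):
    """Report whether this config leaves the rcon password downloadable."""
    cvars = {}
    for toks in statements(text):
        if len(toks) >= 2:
            cvars[toks[0].lower()] = toks[1]  # assumption: last assignment wins
    downloads = not is_zero(cvars.get("sv_allowdownload", DEFAULT_ALLOWDOWNLOAD))
    has_rcon = bool(cvars.get("rcon_password"))
    return {"downloads_enabled": downloads, "rcon_password_set": has_rcon,
            "exposed": downloads and has_rcon}

# Constructed sample configs (not from a real server).
UNPATCHED = 'hostname "Test"\nrcon_password "example-only" // admin\n'
MITIGATED = UNPATCHED + "sv_allowdownload 0\n"
COMMENTED_OUT = UNPATCHED + "// sv_allowdownload 0\n"
```

A commented-out `sv_allowdownload 0` or a later `sv_allowdownload 1` leaves the config flagged as exposed, which is the case a quick visual check of the file tends to miss.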