Half-Life vulnerability

Post by **Edge100x** » Wed Nov 19, 2003 5:41 pm

A vulnerability has been found in the Half-life Dedicated Server that can be used to discover your rcon password. If sv_allowdownload is set to 1 (the default), then any connected client can download selected files from your server's main directory -- including your server.cfg, which contains your rcon password.

Our recommendation is that you disable downloads by setting sv_allowdownload to 0 in your server.cfg, at least for now. Valve is working on a solution to the problem and it will most likely be released through Steam within a matter of days.

Update:

Valve has released a new version to address this. We will be updating all servers midmorning tommorrow.

If you would like the patch sooner, just email us and we will upgrade your server separately.

Update:

The patch was installed without incident on the morning of 21 Nov 2003.

Smoke · Post by **Smoke** » Fri Nov 21, 2003 6:11 pm

There was a fix for this yesterday

Edge Please inform us if this patch is applied to our servers

GEEZ!

we need to know these things!

Post by **Edge100x** » Fri Nov 21, 2003 6:19 pm

I've updated the news post to make it more clear to you. We followed through and installed the patch this morning as I said we would.

Smoke · Post by **Smoke** » Fri Nov 21, 2003 6:25 pm

oops!

RGR THAT!

Vm|Mayhem · Post by **Vm|Mayhem** » Sat Nov 22, 2003 12:52 pm

Thanks John...You guys rockerz!