[Exploit] Ban people from a server using a webpage #1464
Comments
|
Can you post some more details please, for example the whole HTML page in question and how exactly you cause the issue. I assume you are saying that the user loads this in their browser of choice? |
ghost
self-assigned this
|
The person who used it against us had a webpage with a screenshot on it. Inside the html he embedded many iframe tags referrring to our server. You could probably also use img tags but the person who used this against us used iframe tags. This is probably the minimal webpage needed. I think 3 is the minimum required to trigger an rcon ban but it could be more depending on your settings. <html>
<iframe src="1.2.3.4:27015"></iframe>
<iframe src="1.2.3.4:27015"></iframe>
<iframe src="1.2.3.4:27015"></iframe>
</html> |
|
You also need to include http:// before the ip:port. Such as: I tested this, as well, by creating an html file with the line above repeated 6 times with my server ip:port, which successfully IP banned me. It usually takes 6 times because the default for sv_rcon_minfailures is set to 5. You can also simply open up your web browser and put in http://ip:port, then hit refresh 5 times and get IP banned. |
I reported this exploit to a Valve employee about 2 months ago and it hasn't been fixed yet.
This exploit allows you to permanently ban people from a server until reboot simply by visiting a webpage. The server interprets these requests as an rcon request and permanently bans them
To fix this, ignore packets that don't follow the rcon protocol.
The text was updated successfully, but these errors were encountered: