Hello there,

So here are my questions, how is it possible to download server side scripts in cod2 even with q3dirtrawfix but without the latest libcod from Mitch which added iwd check?

To be more specific, does a person that downloads it has to know the exact name of every script? or rather every file? could he list it somehow? If yes how? What type of access does this person have to have to gain access to all the information he needs to download those files?

Basically someone did download all scripts and some other valuable files from my server and he knew the name of every file he was downloading even some unusual ones that shouldn't be in cod directory but were there by mistake.

I am hoping for a good lesson on security and if the latest libcod from Mitch would solve it?

Regards YuriJurek.

Yes, he needs to know the file names and path. (Path is relative to cod dir)
But he can find which file to download from the gametype file.

My libcod fix works exactly like q3dirtravfix.

Edit: with q3dirtravfix you can only download iwds.
Also what people download shows up in your console log.

You can only download files that cod can read. (So you cannot download /etc/shadow)

It might be possible to list files with rcon.

So with that in mind is there any other way to download those files then? Because it happened even with this fix? A way which would include...
Hell just see it for yourself:


Going from CS_FREE to CS_CONNECTED for (num 1 guid 709743)
Redirecting client 'Unknown Soldier' to http://mynl.pl/download/cod2/zombie_1.2/nl/zz_nl_update.iwd
Client 'Unknown Soldier' reported that the http download of '' failed, falling back to a server download
clientDownload: 1 : beginning "nl/maps/mp/gametypes/_sprint.gsc"
clientDownload: 1 : file "nl/maps/mp/gametypes/_sprint.gsc" completed
Sending heartbeat to cod2master.activision.com
clientDownload: 8 : beginning "nl/maps/mp/gametypes/.htaccess"
clientDownload: 8 : file "nl/maps/mp/gametypes/.htaccess" completed

Look, even .htaccess file got downloaded even though it was placed in there by mistake.

So with that in mind is there any other way to download those files then? Because it happened even with this fix? A way which would include...
Hell just see it for yourself:


Going from CS_FREE to CS_CONNECTED for (num 1 guid 709743)
Redirecting client 'Unknown Soldier' to http://mynl.pl/download/cod2/zombie_1.2/nl/zz_nl_update.iwd
Client 'Unknown Soldier' reported that the http download of '' failed, falling back to a server download
clientDownload: 1 : beginning "nl/maps/mp/gametypes/_sprint.gsc"
clientDownload: 1 : file "nl/maps/mp/gametypes/_sprint.gsc" completed
Sending heartbeat to cod2master.activision.com
clientDownload: 8 : beginning "nl/maps/mp/gametypes/.htaccess"
clientDownload: 8 : file "nl/maps/mp/gametypes/.htaccess" completed

Look, even .htaccess file got downloaded even though it was placed in there by mistake.
Lucky guess?

On 1.2 and 1.3 you can disable this old download system and only allow www download.



sv_allowdownload 0
sv_wwwdownload 1


Edit: there is also a trick with basepath and homepath.

Alright one more thing, _sprint.gsc is not linked anywhere in my mod but is one of the files modified on my server and the person did download it without even previously guessing other names, he did not download the stock scripts just the modified ones.

As well the directory I've posted from the log file is not the actual one that I use.

So disabling the old download system would solve the issue?

Edit: Might it be a server break-in or any other form of hacking? Not really involving downloading those files via CoD2 but still being restricted to only download files from this server directory?

i'm a noob regarding this but, can't you set file permissions? (read, write, execute)

i'm a noob regarding this but, can't you set file permissions? (read, write, execute)

If the game cannot read the files then the download function can't read it either. So basically when the game isn't allowed to read the file then someone cannot download them either.

Edit: the game should run as a user (not as root)

interesting

isn't server.cfg vulnerable too?