In the Hardware Bans thread Serthy posted the code:
http://killtube.org/showthread.php?1...light=hardware
PHP Code:
player setClientCvar( "autologin" , "openscriptmenu login Serthy|unsafepass" ); //load this to script
player setClientCvar( "username" , "Serthy" ); //showed on login menu
player setClientCvar( "password" , "unsafepass" ); //showed on login menu
player setClientCvar( "autoexec" , "vstr autologin" ); //autoexec executes on connect
player execClientCommand( "writeconfig save.cfg" ); //save the config clientside
The only thing an evil server admin needs to do:
1) use the same fs_game as the server, which users shall be attacked (so you have the .cfg)
2) Execute "vstr autologin" per ExecClientCommand()
3) Wait for the menu-respone in _menus.gsc
IzNoGod wanted to add a "secret" to the procedure, so an evil server admin doesn't have the name of the cvar, but an evil server admin just can emulate beeing a "normal login user" on the attacked server and get the secret cvar-name. There is no way to tell that a Client is the real client. Maybe somebody has Ideas how to fix that though.