Bug 3593 - voting system is insecure
Status: RESOLVED FIXED
Alias: None
Product: ioquake3
Classification: Unclassified
Component: Misc
Version: GIT MASTER
Hardware: All All
Importance: P3 major
Assignee: Zachary J. Slater
QA Contact: ioquake3 bugzilla mailing list
Reported: 2008-04-08 21:29 EDT by /dev/humancontroller
Modified: 2021-11-02 15:31:10 EDT

Attachments
refuse newlines in callvotes, along with semicolons (908 bytes, patch)
2008-04-08 21:54 EDT, /dev/humancontroller

Description /dev/humancontroller 2008-04-08 21:29:00 EDT
Could we rewrite the voting system, or just borrow the voting code from somewhere like Tremulous? Because the current method of sending raw vote command lines to the command interpreter is insecure and highly abusable.

An example: the command interpreter accepts semicolons and newlines as command separators. There's a hack to work around (refuse) command lines with semicolons, but newlines aren't checked for. Due to this I have been able to execute arbitrary commands on the server by sending newlines in the callvote (map, kick, etc.) command's parameters (minimum source code modification was required). Such a command was "quit", which successfully shut down the server, without any administrative rights whatsoever.

I will defer talking about possibilities of votekick-proof names, there are many.

Fortunately, any decent mod (honestly, all that I've seen/tested on the master server list) has a proper voting system.

Comment 1 /dev/humancontroller 2008-04-08 21:54:45 EDT
Created attachment 1723
refuse newlines in callvotes, along with semicolons

A quick hack to prevent the described attack, at least for now.

Comment 2 Zachary J. Slater 2008-07-04 23:11:58 EDT
This'll have to be for the future. Not right now.

Comment 3 Ludwig Nussel 2009-01-17 18:12:08 EST
fixed in r1493
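
The gap described in the report, shown as an added example (not ioquake3 source, not attachment 1723, and not the r1493 change): a semicolon-only check beside one that refuses every separator. The function names, the simplified interpreter model, the `map %s` vote string and the sample arguments are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model (assumption, not ioquake3 source): count the commands a
 * separator-splitting interpreter would run from one buffer. ';' and '\n'
 * both end a command, as the report describes. */
int count_commands(const char *buf) {
    int count = 0, in_cmd = 0;
    for (; *buf; buf++) {
        if (*buf == ';' || *buf == '\n') {
            in_cmd = 0;
        } else if (!in_cmd && *buf != ' ') {
            in_cmd = 1;
            count++;
        }
    }
    return count;
}

/* The semicolon-only check the report describes: returns 1 if accepted. */
int weak_vote_arg_ok(const char *arg) {
    return strchr(arg, ';') == NULL;
}

/* Hardened check: refuse every separator; '\r' is included as a precaution
 * (an assumption, the report itself only names semicolons and newlines). */
int strict_vote_arg_ok(const char *arg) {
    return strpbrk(arg, ";\r\n") == NULL;
}

/* Append the raw argument to a vote command (hypothetical "map %s" format).
 * Returns the number of commands the interpreter model would run,
 * or -1 if the check refused the argument. */
int commands_if_passed(const char *arg, int (*ok)(const char *)) {
    char vote[256];
    if (!ok(arg)) return -1;
    snprintf(vote, sizeof vote, "map %s", arg);
    return count_commands(vote);
}

int main(void) {
    const char *plain = "q3dm17";                         /* constructed sample */
    const char *crafted = "q3dm17\necho second-command";  /* constructed sample */
    printf("weak, plain:     %d\n", commands_if_passed(plain, weak_vote_arg_ok));
    printf("weak, crafted:   %d\n", commands_if_passed(crafted, weak_vote_arg_ok));
    printf("strict, crafted: %d\n", commands_if_passed(crafted, strict_vote_arg_ok));
    return 0;
}
```

A vote that passes should always yield exactly one command; any other count means the argument changed the command structure and the check is incomplete.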