=======================================================
Unreal Tournament server exploits patched in XC_Engine:

*** PreLogin bypass / fake player exploit.
It is possible to bypass the server's PreLogin function, potentially making the password
protection useless and making the server vulnerable to fake player flooding.
PATCHED:
- JOIN command requires LOGIN first; a valid player name and class must be supplied by
  the client in order to allow joining.

*** Control channel spam.
It is possible to make the server spam the log by sending text commands using the control
channel.
PATCHED:
- Unrecognized commands no longer logged.
- Pre-Join commands have no effect if the player is already in game.
- Post-Join commands have no effect if the player hasn't joined.
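
Added example, not XC_Engine code: a minimal C++ sketch of the control-channel gating
described in the PreLogin and control channel entries above. The phase names, the
"KEY=value" option syntax and POSTJOIN_CMD are assumptions made for illustration; only
LOGIN and JOIN come from this list.

```cpp
#include <sstream>
#include <string>

// Illustrative names only; none of these are XC_Engine identifiers.
enum class Phase { Connected, LoggedIn, InGame };
struct Conn {
    Phase phase = Phase::Connected;
    std::string name, pawnClass;
    int logWrites = 0;  // server log lines this connection has caused
};

// Assumed, simplified option syntax ("KEY=value" tokens), not the real wire format.
static std::string option(const std::string& args, const std::string& key) {
    std::istringstream in(args);
    for (std::string tok; in >> tok;)
        if (tok.rfind(key + "=", 0) == 0) return tok.substr(key.size() + 1);
    return "";
}

// Returns true if the command took effect; rejected input changes no state and logs nothing.
bool handleControlText(Conn& c, const std::string& line) {
    std::istringstream in(line);
    std::string cmd, args;
    in >> cmd; std::getline(in, args);
    if (cmd == "LOGIN" || cmd == "JOIN") {             // pre-join commands
        if (c.phase == Phase::InGame) return false;    // no effect once in game
        if (cmd == "LOGIN") {
            c.name = option(args, "NAME");
            c.pawnClass = option(args, "CLASS");
            c.phase = Phase::LoggedIn;
            return true;
        }
        if (c.phase != Phase::LoggedIn) return false;  // JOIN requires LOGIN first
        if (c.name.empty() || c.pawnClass.empty()) return false;  // name and class required
        c.phase = Phase::InGame;
        ++c.logWrites;                                 // one log line per real join
        return true;
    }
    if (cmd == "POSTJOIN_CMD")                         // placeholder post-join command
        return c.phase == Phase::InGame;               // no effect before joining
    return false;                                      // unrecognized: dropped, not logged
}

int main() {  // constructed sample input
    Conn c;
    bool early = handleControlText(c, "JOIN");  // rejected: no LOGIN yet
    handleControlText(c, "LOGIN NAME=Player CLASS=Botpack.TMale1");
    return (!early && handleControlText(c, "JOIN") && c.logWrites == 1) ? 0 : 1;
}
```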

*** Mutate command spam.
If the server is running badly coded mutators, it is possible to lag/crash the server by
spamming mutate commands.
PATCHED:
- Replaced PlayerPawn.Mutate with XC_Engine_PlayerPawn.Mutate
  Players can only send up to 2 commands per second.
  Only players logged in as administrator can fully spam mutate.

*** ShowInventory command spam
It is possible to make the server write huge log files by constantly spamming the
ShowInventory command.
PATCHED:
- Replaced PlayerPawn.ShowInventory with XC_Engine_PlayerPawn.ShowInventory
  Only players logged in as administrator can use the command.