[PSA] Backdoor found in "(MC) Voltz Explosives Pack" (baldursgate3 approved!)
63 replies, posted
Well well well, would you look at that. Another backdoor by buldursgate3!
[url=https://steamcommunity.com/sharedfiles/filedetails/?id=507992292]Steam page[/url]
And here it is,
[lua]lua\entities\voltz_tier_one_debilitation_ent.lua
Line 138 to 142
Revision number 2 in the workshop.[/lua]
[img]http://i.imgur.com/AWKltMV.png[/img]
Basically this piece of code lets anyone set the FOV of anyone to anything, and as far as I know this is another method of crashing a client.
Some people never learn.
Chooo chooo... All aboard the drama train
Well that was fast.
[code]
for k,v in pairs(player.GetAll()) do
    net.Start("voltz_debilitation_gfx_server")
    net.WriteEntity(v)
    net.WriteFloat(179)
    net.SendToServer()
end
[/code]
not sure if backdoor or he's just a shitty developer
[QUOTE=Author.;48568227]Well well well, would you look at that. Another backdoor by buldursgate3!
[url=https://steamcommunity.com/sharedfiles/filedetails/?id=507992292]Steam page[/url]
And here's the backdoor
[lua]lua\entities\voltz_tier_one_debilitation_ent.lua
Line 138 to 142
Revision number 2 in the workshop.[/lua]
[img]http://i.imgur.com/AWKltMV.png[/img]
Basically this piece of code lets anyone set the FOV of anyone to anything, and as far as I know this is another method of crashing a client.[/QUOTE]
You really have to stop causing more drama. He probably just doesn't fully understand the flaws and insecurity of net.SendToServer() without proper authorization.
Just because something is exploitable doesn't automatically mean it's a backdoor.
I'm not taking any sides but if you start picking people for the wrong things, then you can find all kinds of problems on different addons. Also, why didn't you tell him how to fix the vulnerability?
[QUOTE=TylerB;48568355][code]
for k,v in pairs(player.GetAll()) do
    net.Start("voltz_debilitation_gfx_server")
    net.WriteEntity(v)
    net.WriteFloat(179)
    net.SendToServer()
end
[/code]
not sure if backdoor or he's just a shitty developer[/QUOTE]
He seems good if he made GBombs. That was my life.
Just wondering, what IDE is that you're using, looks nice.
EDIT: and theme
[QUOTE=Adzter;48568476]Just wondering, what IDE is that you're using, looks nice.[/QUOTE]
Notepad ++?
[highlight](User was permabanned for this post ("Alt of baldursgate12" - postal))[/highlight]
Looks like Sublime judging from the rounded highlight-ey search stuff, but Atom due to the bracket matching having underscores.
I'd say Atom, but the text rendering is so bad I feel the need to say Notepad++ unless it's just a terrible Atom theme.
Jesus christ it's SetFOV(), is that really a backdoor to you morons? not all net strings are backdoors go get a life you retards.
[highlight](User was banned for this post ("Dumb flaming" - postal))[/highlight]
[QUOTE=dgrawns;48568733]Jesus christ it's SetFOV(), is that really a backdoor to you morons? not all net strings are backdoors go get a life you retards.[/QUOTE]
Idk why you're so mad. It's a backdoor but it could be unintentional. Or it could be directly for malicious intent.
That's why it's been posted. Regardless of the intention, it is good that this information has been released because then the developer can either fix it or take his content down.
It looks like an unintended backdoor but nonetheless, it is a backdoor.
Did you poke the author OP?
[QUOTE]Jellal ・フェルナンデス [author] Just now
Welp. Facepunch strikes again over a trivial issue. Just because the code is exploitable (even if it is then I have no idea of how to fix it ) doesn't mean it's a backdoor you complete autistic faggots. Instead of going berserk, you could post an actual fix.
Get a life and start to criticize your own code.[/QUOTE]
[QUOTE=dgrawns;48568918]stuff[/QUOTE]
Ok, now I don't like him.
A backdoor can be intended for malicious activities, or it may not be. Regardless, it is a backdoor whether he thinks it or not. Why doesn't he ask for help?
To be honest, it doesn't help with his damn insults. I won't help anyone who treats me like that.
Developers who care about their work normally criticise their own work so they can improve it and protect it from exploits such as this.
Why don't you help by posting a fix instead of calling him out on shit, just an idea.
[QUOTE=dgrawns;48568989]Why don't you help by posting a fix instead of calling him out on shit, just an idea.[/QUOTE]
I found this out about 30 min after it was released, then this happened:
[img]http://puu.sh/jRKIj/c4b8f24ce7.png[/img]
[img]http://puu.sh/jRKPF/86fb1ff2fc.png[/img]
He then decided to delete my comment about the exploit on the workshop page, 30 min later, he removed the addon and reuploaded it with a different title.
[QUOTE=dgrawns;48568989]Why don't you help by posting a fix instead of calling him out on shit, just an idea.[/QUOTE]
Here's the fixed version
[CODE]
if (SERVER) then
    net.Receive("voltz_debilitation_gfx_server", function(len, ply) -- these were backwards
        -- ply is the client that sent the message, so no entity is read from the payload
        local fov = net.ReadFloat()
        ply:SetFOV(fov, 0.1)
    end)
end
[/CODE]
And on the client, he needs to not send LocalPlayer().
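Added example, not part of the original thread or the addon's code: a hardened GLua version of the receiver discussed above. It goes beyond the posted fix by also bounding the value and rate-limiting requests; the FOV range, cooldown, `sanitizeFOV`, `requestFOV` and the hook identifier are assumptions made for illustration.

```lua
-- Added example (not the addon's code). MIN_FOV, MAX_FOV, COOLDOWN,
-- sanitizeFOV, requestFOV and the hook identifier are assumptions.
local MSG = "voltz_debilitation_gfx_server"
local MIN_FOV, MAX_FOV = 20, 120   -- assumed acceptable range
local COOLDOWN = 0.5               -- assumed seconds between accepted requests

-- Return a safe FOV, or nil when the value must be rejected.
local function sanitizeFOV(value)
    if type(value) ~= "number" then return nil end
    if value ~= value then return nil end                        -- NaN
    if value == math.huge or value == -math.huge then return nil end
    if value == 0 then return 0 end       -- 0 restores the player's default FOV
    return math.Clamp(value, MIN_FOV, MAX_FOV)
end

if SERVER then
    util.AddNetworkString(MSG)

    local nextAllowed = {}  -- [player] = earliest CurTime() for the next request

    net.Receive(MSG, function(len, ply)
        -- ply is the sender as identified by the engine. The payload never
        -- names a target, so one client cannot act on another player.
        if not IsValid(ply) then return end

        local now = CurTime()
        if (nextAllowed[ply] or 0) > now then return end
        nextAllowed[ply] = now + COOLDOWN

        local fov = sanitizeFOV(net.ReadFloat())
        if not fov then return end
        ply:SetFOV(fov, 0.1)
    end)

    hook.Add("PlayerDisconnected", "voltz_fov_cleanup", function(ply)
        nextAllowed[ply] = nil
    end)
end

if CLIENT then
    -- The client sends only the value, never an entity.
    local function requestFOV(fov)
        net.Start(MSG)
        net.WriteFloat(fov)
        net.SendToServer()
    end
end
```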
[QUOTE=mib999;48568928]Ok, now I don't like him.
A backdoor can be intended for malicious activities, or it may not be. Regardless, it is a backdoor whether he thinks it or not. Why doesn't he ask for help?
To be honest, it doesn't help with his damn insults. I won't help anyone who treats me like that.
Developers who care about their work normally criticise their own work so they can improve it and protect it from exploits such as this.[/QUOTE]
I'm sorry but this wasn't aimed towards everybody. It's just that a particular group of people are constantly getting their friends to harass me, mass downvote and post "when are you putting a backdoor in that addon also?". Sometimes I do listen to what people say about my code but what's happening now is an exception because it's plain rude.
I'm trying my best to start fresh but some people are just stubborn. As you can see, Jcw87 already posted a fix that I required.
[QUOTE=baldursgate12;48569154]I'm sorry but this wasn't aimed towards everybody. It's just that a particular group of people are constantly getting their friends to harass me, mass downvote and post "when are you putting a backdoor in that addon also?". Sometimes I do listen to what people say about my code but what's happening now is an exception because it's plain rude.
I'm trying my best to start fresh but some people are just stubborn. As you can see, Jcw87 already posted a fix that I required.[/QUOTE]
Your attitude towards stev is inexcusable. He pointed out the flaw, and instead of trying to fix it, you called him dumb.
[quote]Get a life and start to criticize your own code.[/quote]
Why does he think our code doesn't have such backdoors?
[del]net.WriteEntity(LocalPlayer()) should just throw a big ass error.[/del]
guess that would actually break some legit things too
[QUOTE=baldursgate12;48569154]I'm sorry but this wasn't aimed towards everybody. It's just that a particular group of people are constantly getting their friends to harass me, mass downvote and post "when are you putting a backdoor in that addon also?". Sometimes I do listen to what people say about my code but what's happening now is an exception because it's plain rude.
I'm trying my best to start fresh but some people are just stubborn. As you can see, Jcw87 already posted a fix that I required.[/QUOTE]
So it really was you?
How have you made anything of value if you're too incompetent to understand "never trust the client"? This truly baffles me.
[QUOTE=Jcw87;48569167]Your attitude towards stev is inexcusable. He pointed out the flaw, and instead of trying to fix it, you called him dumb.[/QUOTE]
I'll admit, I did post a sarcastic comment and an image of the exploit (not included in the images I posted), that I probably shouldn't have done.
[QUOTE=maurits150;48569182]net.WriteEntity(LocalPlayer()) should just throw a big ass error.[/QUOTE]
Install [url=http://facepunch.com/showthread.php?t=1482776]glualint[/url] and it will (shameless plugging :v:)
Also, merge broken twice.
[QUOTE=stev_;48569184]I'll admit, I did post a sarcastic comment and an image of the exploit, that I probably shouldn't have done.[/QUOTE]
Sorry but I'm bad at detecting sarcasm. I took it literally then.
I will update the addon as soon as I can with the following fix.
[highlight](User was permabanned for this post ("Alt of permabanned user" - Robotboy655))[/highlight]
[QUOTE=FPtje;48569183]So it really was you?
How have you made anything of value if you're too incompetent to understand "never trust the client"? This truly baffles me.[/QUOTE]
He's playing dumb, as usual.
[QUOTE=unrezt;48569229]He's playing dumb, as usual.[/QUOTE]
I didn't know you could join a server and then execute a clientside script that sends net messages to server. I thought script enforcers prevented that.
[QUOTE=dgrawns;48568733]Jesus christ it's SetFOV(), is that really a backdoor to you morons? not all net strings are backdoors go get a life you retards.[/QUOTE]
And now the assholes come out of the woodwork
[QUOTE=baldursgate12;48569253]I didn't know you could join a server and then execute a clientside script that sends net messages to server. I thought script enforcers prevented that.[/QUOTE]
Like how you thought for your past 3 addons where somebody ran around and ruined everybody's day thanks to your backdoors.