[IMPORTANT] Temporary fix to exploit via steam browser

Today a player joined my server and sent a link which when opened caused the player who opened the link to get IP banned.
I will not say how it works, because there is currently no good way to fix it without disabling some security measures in the source engine. Robotboy655 has said he will look into it, but I do not know more than that.

The temporary fix is to block all chat messages containing a URL and if a server does not do that, do not click on shady links.

Make a Lua file in the autorun folder on the server, e.g. autorun/urlexploitfix.lua, and paste the following code.
[lua]if CLIENT then return end
hook.Add("PlayerSay", "LinkBlocker", function(ply, text, team)
    if string.find(text, "http(s?)://") then
        ply:ChatPrint("URLs may not be used in chat")
        return false
    end
end)[/lua]

It's called someone creating multiple iframes which will attempt to connect to the IP


<iframe src="http://192.168.1.1:27015/" style="visibility:hidden;display:none"></iframe>
<iframe src="http://192.168.1.1:27015/" style="visibility:hidden;display:none"></iframe>
<iframe src="http://192.168.1.1:27015/" style="visibility:hidden;display:none"></iframe>
<iframe src="http://192.168.1.1:27015/" style="visibility:hidden;display:none"></iframe>
<iframe src="http://192.168.1.1:27015/" style="visibility:hidden;display:none"></iframe>
<iframe src="http://192.168.1.1:27015/" style="visibility:hidden;display:none"></iframe>


It's not an exploit, it's just simple HTML

This isn’t restricted to just the in-game browser.

True, but most people will click on these links from ingame and not elsewhere.

If you are that worried about this harming your server just disable rcon and penalties for incorrect attempts. Even better - if you have access - disable TCP access to your server’s port.

correction, ALWAYS disable rcon

RCON’s fine if you don’t leave your password in your config whilst having sv_allowdownload enabled. Less paranoia in the community would be great.

And you disable the auto ban for brute force attempts…

If you’re gonna do that you should probably disable RCON :v:

Just to put this out there, a recent player has come onto our server and did the same. I will look for some fixes out there that don't prevent links from going into chat.

Exactly. Otherwise you’ve got RCON enabled with a secured password but vulnerable to ban unsuspecting players.

Disabling penalties will also open another old exploit I’m not going to explain but you can access rcon with it

“just disable rcon and penalties”
Surely with RCON disabled that won’t matter?

One would think only valid authentication attempts would be caught by the bruteforce attempt banner, but no, any connection, even though it's not a valid request, is seen as a bruteforce attempt.

Last I remember someone has set up a website where you simply put the server's IP and it generates a link which will ban anyone who goes to it on any type of source engine, I even tested it myself.

There are a shitload of sites like these, and what they do is pretty simple.
They just spam false rcon login attempts.
If you want to keep your fancy rcons, and hand them out to your admins, while not getting bruteforced - limit the timeout to e.g. 3 minutes.
Bruteforcing your rcon would still take years, especially if it’s random, contains numbers, lowercase and uppercase letters, and is more than 6 characters long.
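As an added example (not code from the original post or from Garry's Mod itself), here is a version of the PlayerSay filter from the first post that matches links case-insensitively, logs each blocked attempt with the player's SteamID so admins have an audit trail, and at server start warns when the RCON ban penalty discussed in this part of the thread is left at a permanent ban. It assumes Garry's Mod server-side Lua (hook.Add, GetConVar, Player:SteamID, Player:ChatPrint); sv_rcon_banpenalty is a Source engine cvar giving the ban length in minutes, and reading 0 as "permanent" is an assumption to check on your build. The "www%." pattern is an added assumption about link shapes players paste.

```lua
-- Added example, not the original post's code. Assumes Garry's Mod server Lua.
if CLIENT then return end

-- Patterns that indicate a link. Text is lowered first so "HTTP://" is caught too.
-- "www%." is an assumption about other link shapes players paste (the % escapes the dot).
local LINK_PATTERNS = {
    "https?://",
    "www%.",
}

-- Returns true if the message looks like it carries a link.
-- A plain function so it can be exercised without a running server.
function ContainsLink(text)
    local lowered = string.lower(text or "")
    for _, pattern in ipairs(LINK_PATTERNS) do
        if string.find(lowered, pattern) then
            return true
        end
    end
    return false
end

hook.Add("PlayerSay", "LinkBlocker", function(ply, text, teamChat)
    if not ContainsLink(text) then return end

    ply:ChatPrint("URLs may not be used in chat")
    -- Audit trail for admins: who tried to post a link, and what it was.
    print(string.format("[LinkBlocker] %s (%s) attempted to post a link: %s",
        ply:Nick(), ply:SteamID(), text))
    return "" -- an empty string stops the message from being shown
end)

-- Startup audit: warn the operator when the RCON ban penalty is left permanent.
-- sv_rcon_banpenalty is the Source engine cvar for the ban length in minutes; the
-- thread's advice is a short timeout such as 3 minutes. Treating 0 as "permanent"
-- is an assumption about this cvar's semantics; check it on your build.
hook.Add("Initialize", "RconPenaltyAudit", function()
    local penalty = GetConVar("sv_rcon_banpenalty")
    if not penalty then return end -- cvar not exposed to Lua on this build
    if penalty:GetInt() == 0 then
        print("[RconPenaltyAudit] sv_rcon_banpenalty is 0 (assumed permanent); "
            .. "consider sv_rcon_banpenalty 3 or disabling RCON")
    end
end)
```

The logging line is what the original filter lacks: the chat message is silently dropped there, so a server owner never learns that a player is repeatedly trying to paste ban links. Returning an empty string rather than false is the documented way to suppress a PlayerSay message.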

Why do people need RCON? I ran servers for several years, not once did I need it. Nor any moderators/administrators.

Because people prob don’t know of any other way to rank themselves up.

Once they rank themselves up then they should disable it at least.

Useful with remote RCON tools like HLSW and no warnings anywhere about its insecurity (might be wrong on this) except for some posts in some threads on FacePunch and perhaps other forums.