[PSA] Backdoor found in "(MC) Voltz Explosives Pack" (baldursgate3 approved!)

Well well well, would you look at that. Another backdoor by buldursgate3!

Steam page

And here it is,
[lua]lua\entities\voltz_tier_one_debilitation_ent.lua
Line 138 to 142
Revision number 2 in the workshop.[/lua]

Basically this piece of code lets anyone set the FOV of anyone to anything, and as far as I know this is another method of crashing a client.

Some people never learn.

Chooo chooo… All aboard the drama train

Well that was fast.



for k,v in pairs(player.GetAll()) do
    net.Start("voltz_debilitation_gfx_server")
        net.WriteEntity(v)
        net.WriteFloat(179)
    net.SendToServer()
end


not sure if backdoor or he’s just a shitty developer

You really have to stop causing more drama. He’s probably just doesn’t fully understand the flaws and insecurity of net.SendToServer() without proper authorization.
Just because something is exploitable doesn’t automatically mean it’s a backdoor.

I’m not taking any sides but if you start picking people for the wrong things, then you can find all kinds of problems on different addons. Also, why didn’t you tell him how to fix the vulnerability?

He seems good if he made GBombs. That was my life.

Just wondering, what IDE is that you’re using, looks nice.

EDIT: and theme

Notepad ++?


(User was permabanned for this post ("Alt of baldursgate12" - postal))

Looks like Sublime judging from the rounded highlight-ey search stuff, but Atom due to the bracket matching having underscores.

I’d say Atom, but the text rendering is so bad I feel the need to say Notepad++ unless it’s just a terrible Atom theme.

Jesus christ it’s SetFOV(), is that really a backdoor to you morons? not all net strings are backdoors go get a life you retards.


(User was banned for this post ("Dumb flaming" - postal))

Idk why you’re so mad. It’s a backdoor but it could be unintentional. Or it could be directly for malicious intent.

That’s why it’s been posted. Regardless of the intention, it is good that this information has been released because then the developer can either fix it or take his content down.

It looks like an unintended backdoor but nonetheless, it is a backdoor.
Did you poke the author OP?

Ok, now I don’t like him.

A backdoor can be intended for malicious activites, or it may not be. Regardless, it is a backdoor whether he thinks it or not. Why doesn’t he ask for help?
To be honest, it doesn’t help with his damn insults. I won’t help anyone who treats me like that.

Developers who care about their work normally criticise their own work so they can improve it and protect it from exploits such as this.

Why don’t you help by posting a fix instead of calling him out on shit, just an idea.

I found this out about 30 min after it was released, then this happened:

http://puu.sh/jRKIj/c4b8f24ce7.png

http://puu.sh/jRKPF/86fb1ff2fc.png

He then decided to delete my comment about the exploit on the workshop page, 30 min later, he removed the addon and reuploaded it with a different title.

Here’s the fixed version



if (SERVER) then
	net.Receive("voltz_debilitation_gfx_server", function(len, ply) -- these were backwards
		local fov = net.ReadFloat()
		ply:SetFOV(fov, 0.1)
	end)
end


And on the client, he needs to not send LocalPlayer().

I’m sorry but this wasn’t aimed towards everybody. It’s just that a particular group of people are constantly getting their friends to harass me, mass downvote and post “when are you putting a backdoor in that addon also?”. Sometimes I do listen to what people say about my code but what’s happening now is an exception because it’s plain rude.

I’m trying my best to start fresh but some people are just stubborn. As you can see, Jcw87 already posted a fix that I required.

Your attitude towards stev is inexcusable. He pointed out the flaw, and instead of trying to fix it, you called him dumb.