Potential Security Risk #43

Open
00-rcb opened this issue Jun 14, 2016 · 0 comments
00-rcb commented Jun 14, 2016

By default, players with a permission level greater than zero may use "<minqlx command symbol>players" to obtain a list of currently connected IP addresses. I believe it is in the best interest of the QuakeLive community for server moderators/admins to NOT have the ability to obtain player IP addresses. The SteamID64 is a much better solution for player identity in my opinion. Correlating player IP addresses to SteamIDs is quite useful, and admins hosting QL servers should still have the ability to obtain player IP addresses when necessary, but to reiterate, moderators should NOT have this feature available to them.

My recommendation would be to change the permission level for the "!players" command from one to five (perhaps four); this would greatly reduce possible attacks against player networks. This modification would take mere seconds.

https://github.com/MinoMino/minqlx-plugins/blob/master/essentials.py#L45

Current:
self.add_command("players", self.cmd_players, 1)

Recommended:
self.add_command("players", self.cmd_players, 5)
