Half-Life Dedicated Server Arbitrary File Download

2003-11-20T08:27:54
ID OSVDB:2841
Type osvdb
Reporter OSVDB
Modified 2003-11-20T08:27:54

Description

Vulnerability Description

Half-Life dedicated server contains a flaw that may lead to unauthorized information disclosure. The issue is triggered when the "allowdownload" option is enabled, which allows access to any file in the "valve" directory, resulting in a loss of confidentiality. If a large file is downloaded from the server, a denial of service could occur.

Solution Description

Currently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workaround: set "allowdownloads" to "0" in the config file. However, setting this option stops users from being able to download maps from the server.

References:

Secunia Advisory ID: 9392
Secunia Advisory ID: 10263
Secunia Advisory ID: 7876
Related OSVDB ID: 2339
Related OSVDB ID: 1610
ISS X-Force ID: 6221
ISS X-Force ID: 11040
ISS X-Force ID: 6218
Generic Informational URL: http://www.security.nnov.ru/search/document.asp?docid=5421