Dear VOID.AT Security,
This bug is not related to adminmod, but is rather the bug in Half Life itself. At least absolutely same problem is in amx plugin. amx_psay %s%s%s%s causes same trouble.
So this is a bug in HalfLife client and may be exploited by malicious server operator (including remote one with permissions to execute any csay/psay command, rcon access is not actually required, it's possible to bind malicious amx_psay command to some key). Since Half Life protocol is not secure it's very likely this bug potentially may be exploited by any remote attacker while client is playing.
--Friday, January 10, 2003, 8:49:35 PM, you wrote to email@example.com:
VAS> Note, the attacker needs to know the rcon-password. VAS> However, it is easy to sniff since it is being transmitted VAS> in plaintext.
VAS> blackboxed the admin_ssay and admin_psay commands.
-- ~/ZARAZA Если даже вы получите какое-нибудь письмо, вы все равно не сумеете его прочитать. (Твен)