Thread: MD5 Hash Admin.ini passwords for security

  1. #1

    MD5 Hash Admin.ini passwords for security

    I'm wondering if it's (assuming it should be) possible to make the serverside 1.12 patch support MD5-hashed passwords for security. Pretty much as simple as that.

  2. #2
    Administrator James (Join Date: May 2010; Location: on the intraweb; Posts: 3,180)

    Sure, I think it would be possible, but who else has access to the server aside from you or the server admin in this case?

  3. #3

    Plain text is generally insecure. If someone finds an exploit in the server code, they could dump the passwords. Better safe than sorry.

  4. #4
    Administrator James

    True, but remember that serverside code can't be accessed directly from the client. That's why most protection is preferred serverside over clientside.
    Serverside can't be modified, clientside code can be.

    The closest thing to an exploit that I can think of is the downloader. The trivial directory downloader presented by Luigi. What it did was it allowed a client to download stuff from the server, and they can download the server config file or any other file that they knew the name of. This exploit was only possible if the sv_allowdownload function was set to 1 (the default was 1, but since MOHAA never finished it off, they should have made it "0"; since that's not the case, if the server didn't specifically set it to 0, then the server would be set to 1 and it could be exploited).

    Anywho, before I start rambling, our downloader in the patch DOES checksum checks with server files to determine what files get downloaded. So this exploit, from what I know, will not be a problem on the patch. The admin.ini file is ONLY accessed serverside, so the ONLY way someone can gain access to this file is if they somehow figure out your FTP password, and if that's the case... well, you have bigger problems to worry about.

    Anywho, that's my understanding of how it works, maybe RR can add some info to it, but this conversation has been initially discussed and thought of when we were working on the downloader. Our main concern in this patch is security, which is why we are working diligently to release stable work, and not just half-assed working functions.

    Hope that clears up any questions.
