gbans is vulnerable to steamid spoofing #375
Comments
|
@sapphonie I can try it out if you are wanting testing, is it just the stac beta branch? |
|
Err, it's more that GetClientAuthId may return false etc if the client is spoofing being unconnected. i'm fairly sure you could get the steamid 100% of the time by setting verify = false w/GetClientAuthId since you do have the connect extension, but I'm going to double check with the author of the ext who's obviously more familiar with Steam's auth methodology, and likely provide a native with stac regardless. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
https://github.com/leighmacdonald/gbans/blob/master/sourcemod/scripting/gbans/ban.sp#L39-L47
Same issue with SourceBans, clients can spoof being unauth'd and be unbannable. Upcoming StAC 6.0 resolves this (StAC side, not gbans side) by doing magic with connect extension. If you'd like me to provide a native to query given a client index, let me know. Otherwise I can point you in the direction of the still beta unfinished code
The text was updated successfully, but these errors were encountered: