Somehow a user bypasses login and, while not logged in, is cheating on an admin account
#1

I need help, this is the problem:

Somehow a user bypasses login on a login attempt and somehow, while not logged in, he is on an administrator's account. Other administrators can't ban him because he has a higher admin level and he is cheating on the server all day! I appreciate any help!
#2

Contact the server owner about this.
#3

It's most likely the scripter's fault, get him/her to look into it.
#4

We think that the user uses a dialog hider and that's how he gets through login. But again there is a problem, because after 45 seconds the server kicks a player if he's not logged in; however, the user is using cheats on the server (not logged in, just spawned) for more than 45 seconds. Is there any idea how to solve this?
#5

Quote:
Originally Posted by solutioon
We think that the user uses a dialog hider and that's how he gets through login. But again there is a problem, because after 45 seconds the server kicks a player if he's not logged in; however, the user is using cheats on the server (not logged in, just spawned) for more than 45 seconds. Is there any idea how to solve this?

It's possible you're loading player stuff before he logs in. Alright, so maybe the hacker is using a command which shows a new dialog for him so the login one will be hidden?
Simply block dudes who aren't logged in and "NOT" registered from using commands by returning 0 in the OnPlayerCommandReceived(playerid, cmdtext[]) callback.
#6

There is a well known exploit that can bypass dialogs entirely (I'm assuming the password box is a dialog). If you press F6 you can open the chat window and execute commands. If there is a command that opens another dialog then it will replace the current dialog. That dialog in turn can usually be easily closed.

So to summarize: verify that the player is viewing the dialog they should be viewing and not any other: when showing a dialog store that dialogid in a per-player-variable. In OnDialogResponse make sure that this variable matches with the reported dialogid before proceeding. If it doesn't match: kick/ban because they're spoofing dialogids. Also before showing any dialog make sure that the variable is 0 to verify that a dialog isn't already shown. Obviously reset the variable to 0 when a dialog has been completely handled.

Secondly, don't load sensitive data before the player is fully authenticated; some people load all data immediately when a player connects (usually to retrieve the password hash from storage) but this is a bad idea because you have no idea if the connecting player is who he says he is.
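Added example, not part of the original thread or any poster's code: a minimal Pawn sketch of the dialog tracking and late data loading described in post #6, plus a command gate before login as suggested in post #5 (shown here with the native OnPlayerCommandText callback). The names gOpenDialog, gLoggedIn, ShowTrackedDialog and VerifyAndLoadAccount are hypothetical; VerifyAndLoadAccount is assumed to be defined elsewhere in the gamemode.

```pawn
#include <a_samp>

#define DIALOG_NONE  0   // 0 = no dialog open, so real dialog IDs start at 1
#define DIALOG_LOGIN 1

new gOpenDialog[MAX_PLAYERS];     // ID of the dialog the server last showed
new bool:gLoggedIn[MAX_PLAYERS];  // set only after the password was verified

// Assumption: defined elsewhere in the gamemode (hypothetical name). Checks the
// password against the stored hash and loads account data only on success.
forward bool:VerifyAndLoadAccount(playerid, password[]);

// Show a dialog only if none is open, and remember which one it was.
stock bool:ShowTrackedDialog(playerid, dialogid, style, caption[], info[], button1[], button2[])
{
    if (gOpenDialog[playerid] != DIALOG_NONE) return false;
    gOpenDialog[playerid] = dialogid;
    ShowPlayerDialog(playerid, dialogid, style, caption, info, button1, button2);
    return true;
}

public OnPlayerConnect(playerid)
{
    gOpenDialog[playerid] = DIALOG_NONE;  // slots are reused, so reset state
    gLoggedIn[playerid] = false;          // no account data is loaded yet
    ShowTrackedDialog(playerid, DIALOG_LOGIN, DIALOG_STYLE_PASSWORD, "Login", "Enter your password:", "Login", "Quit");
    return 1;
}

public OnDialogResponse(playerid, dialogid, response, listitem, inputtext[])
{
    // The reported ID must match the dialog the server actually showed.
    if (dialogid == DIALOG_NONE || dialogid != gOpenDialog[playerid]) return Kick(playerid);
    gOpenDialog[playerid] = DIALOG_NONE;  // this dialog is now fully handled

    if (dialogid == DIALOG_LOGIN)
    {
        if (!response) return Kick(playerid);  // player pressed "Quit"
        if (VerifyAndLoadAccount(playerid, inputtext)) gLoggedIn[playerid] = true;
        else ShowTrackedDialog(playerid, DIALOG_LOGIN, DIALOG_STYLE_PASSWORD, "Login", "Wrong password, try again:", "Login", "Quit");
    }
    return 1;
}

public OnPlayerCommandText(playerid, cmdtext[])
{
    if (!gLoggedIn[playerid]) return 1;  // swallow every command before login
    return 0;                            // the gamemode's own commands go here
}
```

Every other dialog in the gamemode would also have to go through ShowTrackedDialog for the check in OnDialogResponse to hold.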
#7

Thank you for the help, we will try to fix it by the steps you specified and will see further developments.
#8

I'm sorry for DP, we solved the problem, something else was the problem. Thank you very much and good luck!