2.17.0 vulnerability


moccha

2.17.0 vulnerability

Postby moccha » 26 May 2021, 22:18

Hi,

Is there a timeline for a potential patch for this? https://www.exploit-db.com/exploits/49527

I see that your company is aware of the issue and is working on a patch.

Thanks again.
Lapo
Site Admin

Re: 2.17.0 vulnerability

Postby Lapo » 27 May 2021, 08:23

Hi,
there is no timeline at the moment.
The admin credentials have been stored as plain text since the first release of SFS2X. The best way to secure such credentials is to use the permission system in your OS. In other words, you should make sure that the config files are accessible only to people with specific permissions in the system (e.g. root, admin, etc.).

Using encryption for SFS2X config files would introduce many different issues. The most prominent is that if the server fails to start up due to errors in config files you will be locked out of the server and unable to fix the issue, since those files are illegible.

Hope it helps
Lapo
--
gotoAndPlay()
...addicted to flash games
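
The mitigation described in the reply above, as an added example that is not part of the original posts and is not SmartFoxServer code: a POSIX shell audit that lists config files or directories reachable by anyone other than one OS account, and a helper that tightens them. `CONFIG_DIR`, `OWNER` and the function names are assumptions; point them at your own install and the account that runs the server.

```shell
#!/bin/sh
# Audit and tighten permissions on a config directory that holds
# plain-text credentials. Only mode bits and ownership are inspected;
# POSIX ACLs are not.

# audit_config_perms DIR OWNER
# Prints every file or directory under DIR that is not owned by OWNER
# (name or numeric uid) or that grants any permission bit to group/others.
audit_config_perms() {
    dir=$1
    owner=$2
    find "$dir" \( -type f -o -type d \) \( ! -user "$owner" \
        -o -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# harden_config_perms DIR
# Directories become 700 and regular files 600, so only the owning
# account can list, read or write them. Run it as that account (or as
# root after fixing ownership with chown).
harden_config_perms() {
    dir=$1
    find "$dir" -type d -exec chmod 700 {} +
    find "$dir" -type f -exec chmod 600 {} +
}

# Stand-alone use: CONFIG_DIR=/path/to/config OWNER=svcaccount sh audit.sh
# (both values are placeholders). Nothing runs unless CONFIG_DIR is set.
if [ -n "${CONFIG_DIR:-}" ]; then
    audit_config_perms "$CONFIG_DIR" "${OWNER:-$(id -u)}"
fi
```

Any path printed by the audit is readable, writable or traversable by an account other than the owner, or is owned by a different account.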
