PeterP Posted March 18, 2011 (edited)

Security-leak in DCS:Warthog 1.1.0.6

To all: Please keep the discussion civilised! Don't discuss how this can happen - this doesn't help at all right now. This post is only to inform you!

The Developers are aware of this and working on a fix: http://forums.eagle.ru/showthread.php?p=1142609#post1142609

To the Moderators: Feel free to close this Thread and delete it when a fix is provided. (This also relates to all of my other posts that relate to this subject.)

Edit: If you use the "save password" function in multi-player, be aware that other people can easily get your login information for your http://www.digitalcombatsimulator.com account (by using some nasty tricks) and use this to suck up your Product-keys and take over your account.

To avoid this:
-Never (!) share your Network.cfg
-Much better: Don't use the "Save Password" option (Un-check it!)
-Use only mods from trusted sources!
-Only download the installation files from http://www.digitalcombatsimulator.com
-Change your password for your Account at http://www.digitalcombatsimulator.com
-If someone asks you to send/post your Network.cfg: report this to the moderators!

If you are not sure if the data is still there: Override your Network.cfg with the attached default one.

Default Network.cfg:

    connection = {
        "Default",
        131072,
        65536,
    }
    player_name = ""
    server = {
        client_params = "motd=\"Welcome to Flaming Cliffs 2 server!\";",
        max_players = 32,
        name = "A-10C",
        client_outbound_limit = 0,
        pause_on_load = true,
        client_inbound_limit = 0,
        disable_events = false,
        integrity_check = {
            "Config/Weapons",
        },
    }
    client = {
        history_size = 16,
        history = {
            "",
        },
        mode = 0,
    }
    master_login = ""
    chat = {
        view_rows = 3,
        offset = 0,
    }

The Developers are aware of this and working on a fix: http://forums.eagle.ru/showthread.php?p=1142609#post1142609

Where is my Network.cfg?
Windows 7: C:\Users\<USER NAME>\Saved Games\DCS Warthog\Config
Windows Vista/XP: ...\DCS A-10C\DCS Warthog\Config

Download: Default Network.cfg.zip

Edited March 18, 2011 by PeterP

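Added example (not part of the original post and not Eagle Dynamics code): a pre-share check in the spirit of the advice above, which scans a Network.cfg for account fields that still hold a value and blanks them. Only the `master_login` key is confirmed by the default file shown in the post; the `password` key name, the login/pass/user name heuristic and the sample values are assumptions constructed for illustration.

```python
import re

# Matches `key = "value"` assignments as they appear in the Network.cfg shown
# in the post. The value pattern tolerates backslash-escaped quotes.
ASSIGN = re.compile(r'^(\s*)([A-Za-z_]\w*)(\s*=\s*)"((?:[^"\\]|\\.)*)"(\s*[,;]?\s*)$')

# Assumption: any key whose name mentions login/pass/user holds account data.
# Only `master_login` is confirmed by the default file on this page.
SENSITIVE = re.compile(r"login|pass|user", re.IGNORECASE)


def find_saved_credentials(cfg_text):
    """Return [(line_no, key)] for sensitive keys with a non-empty value."""
    hits = []
    for no, line in enumerate(cfg_text.splitlines(), start=1):
        m = ASSIGN.match(line)
        if m and SENSITIVE.search(m.group(2)) and m.group(4):
            hits.append((no, m.group(2)))
    return hits


def scrub(cfg_text):
    """Blank every sensitive value, leaving all other lines untouched."""
    out = []
    for line in cfg_text.splitlines():
        m = ASSIGN.match(line)
        if m and SENSITIVE.search(m.group(2)):
            line = f'{m.group(1)}{m.group(2)}{m.group(3)}""{m.group(5)}'
        out.append(line)
    return "\n".join(out) + "\n"


# Constructed sample: `password` is a hypothetical key name, values are fake.
SAMPLE = '''player_name = "Pilot"
server = {
    name = "A-10C",
    max_players = 32,
}
master_login = "someone@example.invalid"
password = "not-a-real-password"
'''

if __name__ == "__main__":
    for no, key in find_saved_credentials(SAMPLE):
        print(f"line {no}: {key} holds a saved value")
    print(scrub(SAMPLE))
```

A clean result is only as good as the key-name guess, so changing the account password, as the post advises, still applies if the file was ever shared.
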
Legolasindar Posted March 18, 2011

Thanks PeterP

Pteradon Posted March 18, 2011

Thanks for the warning. :thumbup:

PeterP (Author) Posted March 19, 2011 (edited)

USSR_Rik (ED-Team) has confirmed that the security-leak is closed already in a Beta that is in Testing. < MY INTERPRETATION

[Translated from Russian:] In short, the user's password is stored in network.cfg in plain, unencrypted form, which can create a potential threat of its (the password's) theft. I (personally, as a user and virtual pilot) do not think this is a serious problem, since it is unlikely to occur to anyone to share their game directories publicly and/or hand these files out left and right. But a "tempting" mod from some malicious actor, on the other hand: there, yes, the danger really exists, and I absolutely agree with PeterP. The hole will be plugged, and rightly so (in fact, it is already plugged).

Google Translate: In short, the user's password in network.cfg stored in an open, unencrypted, which could create a potential threat to it (a password) kradezha. I (personally, I like user and Virpi) do not think this is a serious problem, because it opens a shared directory of the game and / or distribute these files to the right and left is unlikely anyone will come to mind. But by the way, "tempting" modes of any intruder - then yes, the danger is really there and I absolutely agree with PeterP. The hole will be plugged and it is right (actually, it's already plugged).

Edited March 19, 2011 by PeterP

RAF74_Raptor Posted March 19, 2011

Thanks for the heads up

USSR_Rik (ED Team) Posted March 19, 2011

(This is a translation of my answer to PeterP's post in the Russian forum.)

In short, the user password saved in network.cfg is not encrypted, which can cause a potential threat of its theft. I (personally, as a user and virtual pilot) do not think that it's a serious issue, because nobody will share their game folder. But I agree with PeterP that there is danger in some "nice" mods. This vulnerability will be closed and it's absolutely right (actually, it's already closed).

PeterP (Author) Posted March 20, 2011 (edited)

Another Developer comment regarding the delivery of the encrypted password:

"All communication with Master is done via HTTPS/TLS. It is the storage login/password in local config file that was overlooked. But now it is fixed and after the patch, it will be stored in the encrypted form."

I want to Thank the Developers for their input and the quick and open communication in this Case!

Edited March 20, 2011 by PeterP

Antartis Posted March 20, 2011

+1 rep. Thanks for the warning.

Renato71 Posted March 21, 2011

Excuse my ignorance, but I'm not up to date with DCS-WH. However, I have to inform my buddies about the latest developments, and I would like to ask for a clear (clear to me, hehe) confirmation: This security issue is related to the latest patch, correct? And the latest one is 1.1.0.6? Thanks in advance.

MTFDarkEagle Posted March 21, 2011

"Security-leak in DCS:Warthog 1.1.0.6"

Yes, it's 1106 :)

PeterP (Author) Posted April 7, 2011

Patch 1.1.0.7 for DCS: A-10C Warthog closed the security-leak. This Thread can be closed! :)