I'm not a lawyer, but I'm 100% sure, that it is not illegal in the Czech Republic, and 99% sure, that it is not illegal in the United States (SecurityFocus servers are in the US. And according to the whois database the aluigi.org is in Washington).
If it's true then it sucks, I agree.
The SecurityFocus maitains a database of vulnerabilities (and exploits, ... etc.). Almost all exploits can be found there. E.g.
http://www.securityfocus.com/archive/1/476516 (I hope, that it is ok now to put the link here). So they don't release the exploits, but the exploits can be always found here. Maybe I don't understand your question right.
Who is responsible for the bug in the software? The original author of the software, no doubt about that. Releasing exploits is important at least for two reasons:
1) The angry customers push the software vendor to release the patch. Notice, that in most cases the software comes with "no warranty", read Microsoft EULA, for example. So the customer has usually no rights to require a new version.
2) The customers are pushed to apply the patch.
At the end, it makes the world more secure (less unsecure computers available for spam robots).
The important question is when release the full disclosure to the public. In my opinion, the best practise is, that the author of the exploit and software vendor arrange the date of releasing the patch. And the exploit is released with the patch, or one day later. If the software vendor refuses to tell the exact date of releasing the patch, the exploit should be released after reasonable amount of time anyway. It's a hard way, but it's the way, that works even with huge software companies like Microsoft. What is "reasonable amount of time" depends on the situation, in LFS's case two weeks is enough, in my opinion. (...and the customers push the software vendor to publish the patch, the are pushed to apply it, the world is more secure then...).
The other question is, where to publish the exploit. I think, that the SecurityFocus's mailing lists and database is enough. E.g. I would _not_ support to give the link to the exploit (before releasing patch X11) here at lfsforum, did that happen? The point is, that system admistrators will find the exploit there (in Security Focus database) and they could defend against the kiddie scripter, even if the patch is not released (e.g to set a password on LFS server, in our case).
EDIT: Tons of posts were added until I finished this post, so maybe some of things mentioned here were already posted.
EDIT2: The big mistake is, that many people believe that a vulnerability doesn't exist until it is disclosed to the public (from Jason Miller's article).
Last edited by Kada_CZ, .
E.g. http://www.securityfocus.com/contact, new exploits appears here every day.
I suggest: moderators please create a new thread in the Offtopic section and move offtopic posts from here to the new thread. Every discussion about server bugs in x10 ends with this. To stay offtopic, as I wrote somewhere, I support full disclosure.
You're right, the atacker don't need the S2 account. If the server is protected by a password, then the attacker needs to know it (at least for published proof of concept). Both demo and S2 severs can be crashed. Please don't ask for details here.
There are four serious bugs in LFS server. Two of them allowing remote code execution (and remote crashing the server), the other two allowing crashing the server. The bug was reported 5th Aug, and since 14 Aug the proof of koncept has become available for script kiddies. I'm not going to give you any links, search for yourself, if interested. My recommendation is to set passwords on your servers, until it will be fixed. The server still can be crashed, but the attacker has to know the password. All of our public Actual Linux servers were crashed systematically. It seems to me, that all threads here at forum about this bug has been closed or deleted.
Last edited by Kada_CZ, .
Reason : a typo.
Ok, great. Note, before posting any code from mikoweb, contact the author. The code is not public domain.
I'm using Dev-C++, these properties can be set from gui or they are in [VersionInfo] in the .dev file. I'm almost sure, that VC++ is able to set these, I have no idea how, though.
You're right, sorry for the confusion
. I run LFS from some script and I forgot to pass the commandline parameters into my script.Stupid question, do you run: LFS.exe /insim=29999 (it doesn't work), or do you run LFS.exe and you type /insim=29999 inside LFS (it should work)?
I added the following code into the proxydll.cpp:
The "__declspec(dllexport)" could be different four your compiler. I think, that the "D3DPERF_SetOptions" is not the only function missing. Look for "D3DPERF_SetOption" in d3d9.h (from DX9.0c SDK).
__declspec(dllexport) void WINAPI D3DPERF_SetOptions( DWORD dwOptions ) {
if (!gl_hOriginalDll) LoadOriginalDll(); // looking for the "right d3d9.dll"
// Hooking IDirect3D Object from Original Library
typedef void (WINAPI* D3D9_Type)(DWORD dwOptions);
D3D9_Type D3DPERF_SetOptions_fn = (D3D9_Type) GetProcAddress(
gl_hOriginalDll, "D3DPERF_SetOptions");
// Debug
if (!D3DPERF_SetOptions_fn)
{
OutputDebugString("PROXYDLL: Pointer to original
D3DPERF_SetOptions function not received ERROR ****\r\n");
::ExitProcess(0); // exit the hard way
}
return (D3DPERF_SetOptions_fn (dwOptions));
}The "__declspec(dllexport)" could be different four your compiler. I think, that the "D3DPERF_SetOptions" is not the only function missing. Look for "D3DPERF_SetOption" in d3d9.h (from DX9.0c SDK).
Yes. In 9.0c microsoft added some functions, that are exported from dll (only one function is exported in 9.0a, "d3ddeviceCreate" or a similar name). I had to add wrappers for these for Test Drive Unlimited. I don't remember the names now, I'll post them later. I wrote about it to the author of the original proxy, but I got no answer (he is busy person).
The error codes are defined (for C programming language) in the "winbase.h" file. You don't have to understand C, just search for the code in this file. At least it gives you another word to put in google 
. I attached the file (the version from Dev-c++, I belive, that the file is public domain).
I had to rename the file to "winbase.h.txt".
. I attached the file (the version from Dev-c++, I belive, that the file is public domain).I had to rename the file to "winbase.h.txt".
Try
before including any header. Maybe you could include "d3dx9tex.h" then.
#define DIRECT3D_VERSION 0x0800before including any header. Maybe you could include "d3dx9tex.h" then.
I think, that narcis (and me too :shy
would like to retrieve handicap mass and restriction. This information is already in the hotlap SPR file header (bytes 28 and 29), but it would be handy this to apear for example in get_stat2.php?action=hl. Usually it doesn't make sense to apply voluntary restrictions in hotlaps. For our Czech league, we use hotlaps from lfsworld to divide racers into several divisions and we would like to be able to easily check required restrictions for some car. I hope it makes sense now .I know, that this is not improvement suggestions forum, but this feature would be very helpful for our Czech league also. It is possible to create a workaround, download the SPR for every racer and read the handicap info from the SPR header. But this can't be used in a "live" script, it would consume too much traffic.
If the debugging output is the problem try:
WINEDEBUG=-all wine LFS.exe
Also, as written here, you could use Xvfb X server, if X needed. Here is a script, that I use:
#!/bin/bash
Xvfb :1 &
pid=$!
export DISPLAY=:1
WINEDEBUG=-all wine ./LFS.exe /cfg=setup.cfg "$@"
kill $pidYou can put screen/nohup around when it is started.
As yankman wrote, there are no such problems under Windows. The ALeRT servers had these problems in the past. But now they run without any problem, we have every monday league races (70-100 racers on four servers) and they runs perfect. Thus I think, that it has to be something in the wine version/configuration.
Last edited by Kada_CZ, .
Reason : a typo..
I was surprised, that LFS dedi uses some TCP connection (I thought, that it uses UDP only). It is probably to the LFSWorld (statistics, PBs, ....), right? I'm just curious .
.I'm 99% sure, that the problem is in Wine, not in LFS. Try to use the latest version, 0.9.39 ATM.
Hello, I found:
in the log of our league server (dedi X2). The server has "/insim <port>" line in its configuration, but no insim program was running during the race (actually any insim program never runs on the server). The error message is in the middle of the race. The replay recorded by the server. The server runs on linux, wine (I don't know the exact versions of wine ATM, but I can find it, if anyone interested).
I don't know exactly in which moment the error appeared, in the log it is between:
(lap 5)
and
(the leader is in the middle of lap 8).
TCP ERROR : WOULDBLOCK
TCP : Cleared emergency storein the log of our league server (dedi X2). The server has "/insim <port>" line in its configuration, but no insim program was running during the race (actually any insim program never runs on the server). The error message is in the middle of the race. The replay recorded by the server. The server runs on linux, wine (I don't know the exact versions of wine ATM, but I can find it, if anyone interested).
I don't know exactly in which moment the error appeared, in the log it is between:
Fastest lap : 2:15.27 by alfa ^v o. murín^L (FXR)(lap 5)
and
TKS^vUhrin^Ečat^L disconnected(the leader is in the middle of lap 8).
I downgraded the graphics driver from ForceWare 81.98 to 61.76 and the problem disapeared (I'm still using patch X, not X2). So I think, that the bug is in the nvidia drivers, not in LFS.
You're right, but these fuctions with a common code could be short (e.g. one condition) and the situation could get more complicated, when you bind the same function to three and more events. Anyway, its more about individual coding style than a functionality missing. I'm just guessing the examples, maybe A.Fedorov has already a better one.
E.g. you bind the same function to several events. Sometimes it could prevent you to create duplicities of code:
In the current version you would need two functions with almost the same code. On the other hand, I don't think, that this is one of the most important features missing. But good to notice for the future, though.
function RST_and_LAP (event, imsg)
common code for rst and lap
if (event = ISP_RST) then
rst specific code
end
another common code for rst and lap
if (event = ISP_LAP) then
lap specific code
end
yet another common code for rst and lap
end
evt_bind(ISP_RST, RST_and_LAP)
evt_bind(ISP_LAP, RST_and_LAP)In the current version you would need two functions with almost the same code. On the other hand, I don't think, that this is one of the most important features missing. But good to notice for the future, though
.IMHO, if player takes BF1 and he/she doesn't set the restriction exactly to 18% and "added mass" to 53 kg, then the player is forced to spectate.
I think, that this is perfect example of the LUALfs, really easy to use
. I hope, that I get some time to test the latest version.The LFS usernames are in MPR file header, but in an undocumented part :-). I wrote a program, that prints LFS usernames from MPR (finished order). Also players, that didn't finish are parsed by the program, but they are not printed. The C-sources are in the attachement (GPL licence). I have no idea, if it works when player gets false-start-spectate....
I can write some description of the mpr header, if my C code is too cryptic for you ;-).
I can write some description of the mpr header, if my C code is too cryptic for you ;-).
Last edited by Kada_CZ, .
FGED GREDG RDFGDR GSFDG