No admin credentials required?
Vostok 4
March 10, 2005, 11:55 pm
I just realized that for my server I can always connect to the admin console through telnet, and it doesn't even ask me for a password. I thought at first that this was due to my IP being in the remotes.txt, but telnetting from a different machine still gave me full immediate access. My server is offline in the meantime. Can anyone confirm/deny this? Is it a bug? Misconfiguration?

SpecialK
March 10, 2005, 11:57 pm
Known bug ... for a while now.

FliesLikeABrick
March 11, 2005, 12:09 am
Get the newest version, 2.2.6. This was a bug that 3nesce had me relay to MM to have it fixed in the last version.
http://www.soldat.pl/downloads/soldatserver226.zip

Vostok 4
March 11, 2005, 1:03 am
That's odd, I was sure I was running 2.2.6. Oh well, is this what I should be seeing:

[code]Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
Soldat Admin Connection Established...
Admin connected.
Invalid server password. Cannot login.[/code]

FliesLikeABrick
March 11, 2005, 2:49 am
Is it fixed now or what?

Vostok 4
March 11, 2005, 2:57 am
Well, that's what happens when I telnet to localhost 23073. Is that the standard activity for just a telnet to the server?

FliesLikeABrick
March 11, 2005, 3:03 am
That text in your previous response is what it should be, yes. It is a little awkward that the "Admin connected." displays before authenticating the connection, but not a critical point. In previous versions, random people could gain control of the server by telnetting and attempting to login 2 or 3 times with no password; that is what SpecialK and I were referring to. Your paste is normal and secure.

Mole_Incarnate
March 11, 2005, 3:50 am
It's not fixed really.

Grab Tank's script, it will protect the adminport from such things. It doesn't let you do anything or see anything until you put in a valid password, among other things.

http://www.soldatforums.com/topic.asp?topic_id=17226

FliesLikeABrick
March 11, 2005, 4:48 am
Why do you say that it isn't fixed?

Tank
March 18, 2005, 8:59 pm
quote: Originally posted by FliesLikeABrick
why do you say that it isn't fixed?

Try this: get someone to telnet in, don't type anything, get someone else to telnet in and auth. The first person is often left with admin. It's a single admin interface that unfortunately doesn't keep track of who actually sent the correct password.

I haven't retested in a while but I'm guessing the admin interface is still designed around a single remote admin and hence has this problem and hence my suggestion for the iptables + monitor script buggery.

FliesLikeABrick
March 18, 2005, 11:52 pm
I am 99.9% sure that MM fixed this in the most recent server version. I mentioned this to him with a couple other people while 2.2.5 was out, and I'm pretty sure 2.2.6 fixed it.

Edit: I just tested it on a couple servers running 2.2.6.

This is a serious bug for anyone running a server on an older version, especially now that it is public. I strongly suggest anyone else running an older version upgrades ASAP.

Deleted User
March 18, 2005, 11:56 pm
With 2.2.5 and 2.2.6, when an admin connects, if they don't supply a password within 2 or 3 seconds they are disconnected...
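
A minimal model of the two designs discussed in this thread, added here as an illustration; it is not code from the Soldat server or from any poster. It contrasts a single interface-wide auth flag with per-connection auth state plus the short auth deadline mentioned above. The class names, password and command string are constructed.

```python
import hmac
import time

def _pw_ok(given, expected):
    return hmac.compare_digest(given.encode(), expected.encode())  # constant-time

class SharedFlagAdminPort:
    """Model of the flaw described above: one auth flag for the whole interface."""
    def __init__(self, password):
        self.password, self.authed = password, False
    def connect(self, conn_id):
        pass  # nothing is recorded per connection
    def handle(self, conn_id, line):
        if _pw_ok(line, self.password):
            self.authed = True  # unlocks every open connection at once
            return "AUTH_OK"
        return "EXEC" if self.authed else "DENIED"

class PerConnectionAdminPort:
    """Auth state and an auth deadline are kept per connection."""
    def __init__(self, password, auth_timeout=3.0, clock=time.monotonic):
        self.password, self.timeout, self.clock = password, auth_timeout, clock
        self.sessions = {}  # conn_id -> {"authed": bool, "deadline": float}
    def connect(self, conn_id):
        self.sessions[conn_id] = {"authed": False,
                                  "deadline": self.clock() + self.timeout}
    def handle(self, conn_id, line):
        s = self.sessions.get(conn_id)
        if s is None:
            return "CLOSED"
        if s["authed"]:
            return "EXEC"
        # First line must be the password and must arrive before the deadline.
        if self.clock() > s["deadline"] or not _pw_ok(line, self.password):
            del self.sessions[conn_id]  # drop the connection, reveal nothing
            return "CLOSED"
        s["authed"] = True
        return "AUTH_OK"

def replay(port):
    """Constructed session: 'idle' connects first, then 'admin' authenticates."""
    port.connect("idle")
    port.connect("admin")
    return [port.handle("admin", "s3cret"),
            port.handle("idle", "some-admin-command"),
            port.handle("admin", "some-admin-command")]

if __name__ == "__main__":
    print(replay(SharedFlagAdminPort("s3cret")))     # idle's command is executed
    print(replay(PerConnectionAdminPort("s3cret")))  # idle is disconnected
```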