M1 | M2 | 055 | 001
Summary: Wad Hashes aren't always checked clientside
Product: Odamex
Reporter: Maëllig Desmottes <Ch0wW>
Component: Server & Client
Assignee: Odamex Bug Reporter <odamex-bug-reporter>
Description Maëllig Desmottes 2019-01-25 16:45:34 UTC
When trying Freedoom 0.11.3 on my server, I noticed my client who was using Freedoom 0.9 was able to connect with no issue at all, while it was seriously outdated. As a result, it messed up the client view completely. Adding the MD5 hashes to the client & server didn't fix anything. This is a huge security flaw, making any client with slightly modified IWADs be able to mess with the clients (or the other way around). Apparently, it was done in the past, but I don't seem to check anything about it in the source code. Is it entirely normal?
Comment 1 Maëllig Desmottes 2019-01-25 17:57:08 UTC
Steps to reproduce:
1) Create 2 folders: one for the client, one for the server.
2) On the server, add Freedoom1.wad version 0.9 (easier to notice since maps are different). Clientside, add Freedoom1.wad version 0.11.3.
3) Create a server (using the default config is enough) with Freedoom1.wad.
4) Client should run it like that:
   Odamex.exe -connect localhost
The server accepts the client even if the IWAD is different. HOWEVER, if you try to join using Odalaunch, it'll throw an error.
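
A sketch of the kind of pre-join check this report says is missing, as an added example that is not Odamex code: the client hashes its local WADs and compares them with the MD5 list the server advertises, so a file with the same name but different contents is rejected. The (filename, md5) list shape, the function names and the file contents are assumptions made for illustration.

```python
import hashlib
import os
import tempfile

def md5_of_file(path, chunk_size=65536):
    """Return the lowercase hex MD5 of a file, read in chunks."""
    digest = hashlib.md5()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def check_wads(server_wads, wad_dir):
    """Compare the server's (filename, md5) list with the files in wad_dir.

    Returns a list of (filename, reason) problems; an empty list means the
    local files match and the join can proceed.
    """
    problems = []
    for name, expected in server_wads:
        # Use only the base name so the advertised name cannot leave wad_dir.
        path = os.path.join(wad_dir, os.path.basename(name))
        if not os.path.isfile(path):
            problems.append((name, "missing"))
        elif md5_of_file(path) != expected.strip().lower():
            # Same filename, different contents: the case from this report.
            problems.append((name, "hash mismatch"))
    return problems

def demo():
    """Constructed data: two byte strings stand in for two Freedoom releases."""
    with tempfile.TemporaryDirectory() as server_dir, \
         tempfile.TemporaryDirectory() as client_dir:
        for folder, content in ((server_dir, b"IWAD constructed 0.9"),
                                (client_dir, b"IWAD constructed 0.11.3")):
            with open(os.path.join(folder, "freedoom1.wad"), "wb") as handle:
                handle.write(content)
        server_hash = md5_of_file(os.path.join(server_dir, "freedoom1.wad"))
        advertised = [("freedoom1.wad", server_hash.upper())]
        return check_wads(advertised, client_dir), check_wads(advertised, server_dir)

if __name__ == "__main__":
    mismatched, matched = demo()
    print("client folder:", mismatched)
    print("server folder:", matched)
```

The same comparison has to run on every join path, since the report notes that joining through Odalaunch already fails while `-connect` does not.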