Monday, 14 April 2014

Troubles with chat spam via webadmin

Do you consider double-switching annoying? Sure, it spams the chat window and makes you miss potentially vital game information. Fortunately, solution is easy - kicking or even banning the abuser. However, a more insidious way of disrupting the chat flow is out there. As primitive as it is, it is also very effective in achieving its malicious goal. It affects only servers running MarkMod and only players with admin rights and webadmins.

MarkMod broadcasts a message to these people whenever someone attempts to login via webadmin. If the attempt is unsuccessful, the message looks like: Player (WebAdmin) failed to login as webadmin followed by his IP address. Now when the attacker chooses very long name, the chat will look like this:

Too bad this message cannot be turned off. Neither you can easily ban this player, and even if you could, he can still come back via proxy. WebAdmin form also seems to miss validation of input fields for maximum length. So what's left to try? Changing webadmin port and keeping it private could hold the attacker back for a while. But without the option to switch this broadcast off implemented in the mod, all servers running it are at risk.