WebMod is "an open source MetaMod plugin which acts as a web server for Half-Life running on the equivalent TCP port of the UDP one used by the game". Multiple vulnerabilities have been discovered in WebMod. They allow remote attackers to crash the server as well as cause it to execute arbitrary code.
Directory traversal
WebMod uses an anti-directory traversal check which searches for any "../" pattern in the client's HTTP request. Using a "..\" pattern is therefore enough to bypass the check and download any file from the disk where Half-Life is running, including the configuration files of the game server (like ..\..\..\..\platform\config\server.vdf or ..\..\..\server.cfg). Note that this bug works only on Windows servers.
From server.cpp:

    void clientHandle(int connfd, httpquery_t *query, int tid)
    ...
        if(strstr(str,"../")) // hack attempt, display index page
        {
            str[0]='\0';
        }

Cookie buffer-overflow
A cookie parameter longer than MYSOCK_BUFLEN (8192) bytes leads to a stack-based buffer overflow.
parser.cpp arbitrary memory writing
The functions in parser.cpp are affected by some memory corruption vulnerabilities with different effects depending on the type of variable/script used. In short, a value longer than MAX_FILE_SIZE (16384) bytes can lead to the writing of custom data to a custom memory address through strcat (auth.w?mode) or a NULL pointer (auth.w?redir) or an invalid memory access (the rconpass parameter of auth.w) and so on.
Scripts source disclosure
Adding a dot at the end of the requested URI allows the script source code to be viewed instead of executed. This bug (which should work only on FAT/NTFS filesystems) can be considered a security vulnerability ONLY if the server runs custom scripts.
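
For the "Directory traversal" and "Scripts source disclosure" sections above, an added example (not WebMod code and not the project's fix) that puts the quoted strstr check next to a component-by-component validator. The names original_check_rejects and is_safe_request_path are hypothetical, the path is assumed to be already URL-decoded and relative to the web root, and images/logo.gif is a constructed sample.

```cpp
// Added example, not WebMod code. Assumes `path` is the URL-decoded request
// path, interpreted relative to the web root.
#include <cstddef>
#include <cstdio>
#include <cstring>

// The check quoted from server.cpp; true means the request is rejected.
static bool original_check_rejects(const char *path) {
    return std::strstr(path, "../") != nullptr;
}

// Windows accepts both separators, so the validator must as well.
static bool is_sep(char c) { return c == '/' || c == '\\'; }

// Hypothetical replacement: walk the path one component at a time.
static bool is_safe_request_path(const char *path) {
    if (path == nullptr) return false;
    const char *p = path;
    while (*p != '\0') {
        while (is_sep(*p)) ++p;                 // skip a run of separators
        const char *start = p;
        while (*p != '\0' && !is_sep(*p)) ++p;  // find the component's end
        std::size_t len = static_cast<std::size_t>(p - start);
        if (len == 0) continue;                 // path ended on a separator
        // Parent-directory component, whichever separator surrounds it.
        if (len == 2 && start[0] == '.' && start[1] == '.') return false;
        // Windows drops trailing dots and spaces when opening a file, so a
        // name like "auth.w." still resolves to auth.w on disk.
        char last = start[len - 1];
        if (last == '.' || last == ' ') return false;
    }
    return true;
}

int main() {
    // Constructed sample requests; the second is the page's bypass pattern.
    const char *samples[] = {"../../server.cfg", "..\\..\\..\\server.cfg",
                             "auth.w.", "auth.w", "images/logo.gif"};
    for (const char *s : samples)
        std::printf("%-24s original=%-8s component=%s\n", s,
                    original_check_rejects(s) ? "reject" : "accept",
                    is_safe_request_path(s) ? "accept" : "reject");
    return 0;
}
```

A server would normally also resolve the final path and confirm it still lies under the web root before opening it; the validator above only covers the two patterns this advisory describes.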