Filetransfer exploit?

[Roundie]

I have two TS3 servers with Hypernia. One I've had for a year, the other for about a month.

I get an email from them a week ago to say they are moving servers to a more secure box. A pain in the backside, but ok, these things happen. After moving the latest server from a competitor and going through the setup(which was very customized and took 3 hours of my life) I was a little put off but thems the breaks.

So we get our new servers on the new (more secure) box. I go in to customize them again only to find out you cant upload avatars. I raise a ticket and get a very polite answer to say that its due to a security glitch with TS3 that we cannot upload avatars. Ok, not Ideal, but again, thems the breaks.

I then go to assign custom group icons and channel Icons and find they are disabled too! another ticket and I am told that its the same engine that runs uploads (avatars and icons) also allows an exploit (which I shall not list, as again the few ruin it for the many, and I don't want to encourage it).

I then got the most mindblowingly rude answers from their support. 1st of all, apparently its TS' fault this exploit exists and until they fix it they can't re-enable the function. Oh yeah, even if it gets fixed, they "might" re-enable it.

2ndly apparantly, according to this ultra professional support person <insert sarcasm here> Hypernia sell TS as "just" a VOIP system, and none of the features. I strongly disagree with this, as VOIP systems are a dime a dozen, and its the features in fact that make people use TS3.

I claim I am not receiving the product I am paying for, as they have reduced the functionality they offered before.

My Questions are :

1) Dear TS, have you got an ETA on a fix for this exploit? As I was told by Hypernia you have given no information.
2) Am I the only one that feels like this? I have not been in a TS server that does not have some custom rank icons, channel icons or avatars. At minimum a combination of those.

Thanks

(a very frustrated) Roundie

[dante696]

They turned of the filetransfer for you guys. That is all what they did, but there is no exploit for avatars or filetransfer in general.

[Roundie]

Not correct Dante. As of Friday they have turned off all uploads. including Avatars and icons.

I have their support tickets to prove it. they have told me they have turned it off to stop an exploit that is costing them thousands of $. They are saying they will not enable it again until TS fixes the exploit.

The error I get when trying to upload an avatar is : <10:58:15> Transfer "avatar" reports: (could not open file transfer connection)

When I click upload on the icon screen nothing happens. its like you didn't even try.

This is on a brand new server install with no customization yet.

Essentially all they offer now is a basic install with some server group and channel creating. no bells and whistles...until you fix the exploit apparently.


Roundie

[dante696]

So my anwser is correct, i said they turned off the filetranser and you repleid ,they turned it off. What is the problem then?
There is no exploit in our filetransfer system (Avatar and icons are alos filetransfer features)

I would say the hoster is lying to you and don't want to investigate traffic into your servers.

Your hoster could be so kind, to tell us about that exploit, if this really exists.

[Roundie]

I was told file transfers and uploads are different engines. They have had file transfer off for ages, but we could still upload icons and members could upload avatars. Now we are unable to do so.

The exploit they are saying is (please edit this post if you do not want this on your public forum, I have been trying to avoid posting it) is thats if upload is enabled, users are able to manually increase the seats of their servers, regardless of what they are paying for.

True? or false?

Roundie

[dante696]

Definitely false > Upload and Download has nothing to do with virtual server setting.

The permission [B]b_client_use_reserved_slot/B] does manage the ability to change the slots for a server.
The permission is enabled by default and needs to be removed from the server admin group or the server admin template group.

edit

[Roundie]

Hi Dante,

I appreciate you answering these posts.

This is directly out of a ticket from Hypernia to me as I'm not sure I am being very clear :

"We have had to disable the uploads due to exploits in the teamspeak 3 engine that was allowing clients to circumvent their slot count and enable unlimited upload space.

The teamspeak engine that allows for the upload/download of files is the same engine that handles the icons/avatars and as such once we disabled the engine to cover the exploits it also disables the avatar/icons.

Unfortunately until Teamspeak 3 is able to secure their software further there is little we can do other than to disable the engine as a whole."

Roundie

[Roundie]

and another reply just in from Hypernia in regards to the post in this forum.

"Correct, the entire way this was being exploited was by the file transfer setting, which was why it has been currently shut off. If we had any other way to currently deal with this, we'd clearly take that option as this wasn't something we wanted to do as it is an inconvenience.

As my manager previously stated, "As it stands there is honestly no alternative currently available to allow for the custom icons, however once the TS3 product becomes more solid we will certainly be considering re-enabling them and likely even opening up file transfers as an addon option."

Unfortunately, there isn't anything else we can currently do or provide past that. If you have any further questions, feel free to let us know.

Thank you"

Roundie

[dante696]

I repeat there is no known exploit for filetransfers.
Really there is no exploit.
Please tell your hoster to send us the how to for that exploit.

[Roundie]

Hi Dante,

I have forwarded this thread to Hypernia via my open ticket.

Regards

Roundie

[SilentStorm]

It sounds more like they had someone upload huge Files on some Server (not necessarily yours), filling up their hard drives and consider it a bug in TS3 that they cannot limit the amount of space of all uploaded files, where it is just a missing Feature (which got requested and rejected a couple times already).

The permission b_virtualserver_modify_reserved_slots does manage the ability to change the slots for a server.

That Permission only allows to change the reserved Slots which is independent from the slot count (# of clients allowed on server).
The Permission to modify the max. Clients is b_virtualserver_modify_maxclients which should obviously be removed from Servers that are going to be sold / rented.......
Without that last permission there is no way to change the slots.

[Roundie]

I agree Silent.

They however told me they will no longer discuss this with me. I should just lump it a keep giving them my money for an incomplete product. They are adamant that the above mentioned exploit is there and stand fast that Teamspeak probably do not want to admit it publicly.

While this is a possibility, we, the end users, are the one ones getting crewed while the people making money are blaming each other. Very frustrating. especially as I have two TS3 servers going and love the product. I would move tomorrow but the time it takes to customize our servers is draining. especially seeing I only just brought the second server over 3 weeks ago due to bad service and constant dropouts from a competitor to Hypernia.

Seems the joke is on us.

Roundie

[dante696]

They can not provide anything about that "exploit" and do not wan't to contact us to fix that?
You should quit from that hoster and use another instead. We are sure, that there is no exploit to change the slots, when filetransfer uploads are available.

[Roundie]

Hi Dante,

I really appreciate you answering this thread.

The situation is like this. Hypernia are saying they have contacted you guys with the exploit when they discovered it (they are saying this was in the past few weeks). Teamspeak is saying you have not heard from them. Meanwhile us, the end users are sitting here, looking at a product with great potential, but part functionality.

I know moving to another provider would be ideal, but finding a reliable host in Australia is proving problematic.

I have found other providers through this forum, that are Australian owned and operated, but as most thing here in Oz, they seem to charge almost double to what Hypernia or other big players do. They also seem quite small, so you don't know how good the infrastructure will be.

So i guess until teamspeak and Hypernia start a dialogue, their customers are pretty screwed. They don't want to to talk about it with us anymore, and you are waiting for them to contact you (which they said they have).


(stuck between a rock and a hardplace) Roundie

[maxi1990]

This thread was issued on November 13th 2011: http://forums.hypernia.com/index.php?showtopic=2379
The other user is talking about security, legal problems and high server loads very commonly as he does not go into detail.

Either this "security exploit" exists at least since then or they've just come up with new excuses to prevent their users from using filetransfers.