Setting realm name in config.wtf bypasses "allowedSecurityLevel"
Setting a realm in the database to 3 under "allowedSecurityLevel" currently does the following:
- Makes the realm appear offline to those below the security level... That is all!
This can be bypassed with a simple edit to the config.wtf and adding the realm name (which you can get as it appears as offline in the list.
Two things are needed to fix this.
- The realmlist being sent should be checked, i.e "allowedSecurityLevel" should be considered by realm-daemon before sending the realm list to the client.
- If they don't meet requirements no need to send the realm name/ip or data to the client.
- Mangos-daemon should double check incoming clients GM level.
I suggest that any non-GM user attempting to connect / login to a security protected realm be treated the following:
- Not have permission to create characters - Be told character creating is disabled.
- If characters exist they should be sent the "world server down" message (preventing them logging in).
- Kicked or gracefully disconnected after 30 seconds by mangos-daemon.
Please discuss 
Recommended Comments
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now