Known Vulnerabilities

From JAWiki

'Info Boom'

This vulnerability is a glitch in Jedi Academy's network protocol. If an info request that is too large is received, the server's buffer overflows and the server crashes. This glitch can be exploited with the program called q3infoboom, by Luigi Auriemma.

  • Most servers have been protected against this glitch by now.

Chat Buffer Overflow

This vulnerability lies in JA's chat processing code. If a chat message is sent that is over 1024 characters in size (the console holds up to 256, so a script is needed to send one), the server will crash when attempting to display the chat message in the server console.

  • There are a few mods that fix this bug.

Spam

It is possible to literally spam players out of a server (only if flood protection on that server is disabled). This is done by rapidly sending more than 128 chat messages to the server. Jedi Academy's command buffers are limited to 127 messages; if the server-side command buffer of a player goes over this 127 limit, that player is instantly kicked with the message 'Server Command Overflow'. However, since the same limitation is also present on the client side, it's not easy to pull this off without either spamming yourself out or crashing your own game (the server kicks you if you go past the limit, and the client locks up).

The way to protect yourself against this is by turning flood protection on.

Allow Downloads

There is one major design flaw in JA's download system. It is possible to start a download session manually and download any file you want, including server.cfg, which contains all passwords. There are ways to prevent this, however.

  • The easiest solution is to disable downloads.
  • Another fix is to rename your server.cfg and store it somewhere safe, then upload an empty jampserver.cfg to the server and make it read-only, so that it stays empty; unless the hacker can find the new location of your server.cfg, he won't be getting your passwords.
  • In conjunction with the above, you can also specify your passwords in the command line used to start the server.
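The last two points combined, as an added example that is not from the wiki or the game: a small helper that strips the password cvars out of a config file and turns them into `+set` command-line arguments, forcing downloads off at the same time. The sample config is constructed; rconpassword, g_password and sv_privatePassword are the usual Quake 3 / Jedi Academy password cvars, and the dedicated server binary name `linuxjampded` is an assumption.

```python
import re

# Constructed sample of a jampserver.cfg with its secrets inline, the state the
# article warns about. rconpassword, g_password and sv_privatePassword are the
# usual Quake 3 / Jedi Academy password cvars; that your config has no others
# is an assumption you should check.
SAMPLE_CFG = """// constructed example config
seta sv_hostname "My JA Server"
seta sv_allowDownload 1
seta rconpassword "hunter2"
seta g_password "letmein"
seta sv_privatePassword "vipslot"
seta sv_maxclients 16
map mp/ffa3
"""

SECRET_CVARS = {"rconpassword", "g_password", "sv_privatepassword"}
LINE_RE = re.compile(r'^\s*(?:seta?|sets)?\s*(\w+)\s+"?([^"]*)"?\s*$')


def split_secrets(cfg_text):
    """Return (sanitised cfg text, command-line args).
    Password lines are dropped from the cfg and turned into +set arguments,
    so no downloadable file ever contains them, and downloads are forced off."""
    kept, args, saw_download = [], [], False
    for line in cfg_text.splitlines():
        m = LINE_RE.match(line)
        name = m.group(1).lower() if m else None
        if name in SECRET_CVARS:
            args += ["+set", m.group(1), m.group(2)]
            continue
        if name == "sv_allowdownload":
            line, saw_download = "seta sv_allowDownload 0", True
        kept.append(line)
    if not saw_download:
        kept.append("seta sv_allowDownload 0")
    return "\n".join(kept) + "\n", args


def launch_command(cfg_name, args, binary="./linuxjampded"):
    """Assemble the dedicated-server launch line (binary name assumed)."""
    return [binary, "+exec", cfg_name] + args
```

Write the sanitised text back to the (read-only) config and start the server with the returned argument list; the passwords then live only in the process command line.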

Fake-Player Denial of Service

This attack, commonly done by a program called q3fill (by Aluigi Auriemma), sends a stream of forged connection requests to the targeted server, causing the server to fill up with dummy connections and preventing legitimate players from joining.

By default, it takes the server 5 minutes to realize the 'players' are dead and kick them. This can be changed by altering the sv_timeout setting (300 seconds by default).

  • To get rid of a fake-player denial of service, get the IP of one of the dummy players (they all have the same IP) and ban it.

Then change sv_timeout to 5, wait a few seconds, and change it back to 300. By changing it to 5, the server kicks all inactive players after 5 seconds, which will normally kick all dummies immediately. Some mods also have the ability to block multiple connections from the same IP, which effectively prevents this attack.
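The detection and clean-up steps above, as an added example that is not from the wiki or the game: it parses an rcon `status` dump, finds addresses holding several client slots at once (the signature of the dummy connections), and lists the rcon commands the article describes. The status text is a constructed sample in the usual Quake 3 engine column layout, and the `addip` ban command is assumed to be the standard one.

```python
import re
from collections import Counter

# Constructed sample of rcon "status" output in the usual Quake 3 engine layout
# (Jedi Academy runs on that engine); the exact column layout is an assumption.
# Three idle slots share one address, the pattern a q3fill-style flood leaves.
SAMPLE_STATUS = """map: mp/ffa3
num score ping name            lastmsg address               qport rate
--- ----- ---- --------------- ------- --------------------- ----- -----
  0    12   48 RealPlayer           20 192.0.2.10:29070       5512 25000
  1     0  999 Padawan            4500 198.51.100.7:29070    31337  8000
  2     0  999 Padawan            4500 198.51.100.7:29071    31338  8000
  3     0  999 Padawan            4500 198.51.100.7:29072    31339  8000
  4     3   60 OtherPlayer          10 203.0.113.5:29070      9012 25000
"""

ADDR_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}):\d+")


def clients_per_ip(status_text):
    """Count occupied client slots per source IP in a status dump."""
    counts = Counter()
    for line in status_text.splitlines():
        m = ADDR_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def flood_sources(status_text, threshold=3):
    """IPs holding at least `threshold` slots at once. Several real players
    behind one NAT can share an address too, so treat hits as candidates
    to check against ping/lastmsg, not as automatic bans."""
    per_ip = clients_per_ip(status_text)
    return sorted(ip for ip, n in per_ip.items() if n >= threshold)


def recovery_commands(ips, normal_timeout=300):
    """rcon commands for the clean-up the article describes: ban the source,
    drop sv_timeout to 5 seconds so idle dummies are kicked, then restore it.
    Wait a few seconds between the two sv_timeout commands. The ban command
    name `addip` is the standard Quake 3 one and is assumed to exist here."""
    cmds = [f"addip {ip}" for ip in ips]
    cmds += ["sv_timeout 5", f"sv_timeout {normal_timeout}"]
    return cmds
```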

RCON Blocker

This exploit abuses rcon's flood protection. To prevent brute-force attacks from being used to acquire the RCON password, there is a 0.5 second delay after an RCON command before another one will be accepted. An RCON blocker exploits this by flooding the server with rcon commands, preventing legitimate ones from getting through.

  • The simplest way to defeat an RCON Blocker is to bind your rcon command to a key (in the game), and to hold the key down until it gets through.

Chat "Hack"

This exploit allows players to "make" other players say things they have no control over. In reality, it abuses the spacing and text in the game to allow for this.

  • To find out if someone actually said what they supposedly said, type something immediately after that person appears to say something. If your text overlaps the alleged fake text, they did not say it. Logs are also very useful in this situation, as there will be no time stamp next to the text, or the text may not appear at all.

Skin "Exploit"

This simple exploit uses custom skins (the ones that show the head and then a white and gray body) to disconnect people using 2 different scripts: a lag script and a bypass script (both can be easily made and are therefore not openly available).

  • The best way to stop this is by simply not allowing custom skins, because it is hard to tell if a person is using this exploit (custom skins are somewhat popular). If it is certain that a person is using this exploit, ban this person immediately, as once he is caught he will probably leave before you get a chance to ban him.

Server "Take Over"

This hack is rare, and is not yet fully understood. Basically, a user with this hack can easily take over a server by locking all admin commands and allowing himself to use them without any passwords. This person can also change server settings and clear banned IP lists, and even delete other admin accounts.

  • There is currently no patch or script to counter this hack; however, the hack is rare and very few use it.

Other "Hacks"

Hacks like "Aimbots", "Score Modifiers", etc. are commonly used and easy to find. These are not taken seriously, since they do not change or alter any important information or crash anyone, which is why some servers do not have any rules involving these hacks.