PT-2011-4250 · World Of Padman Team+3 · World Of Padman+3

Published: 2011-08-09 · Updated: 2018-10-09 · CVE-2011-3012

CVSS v2.0: 10 (High)

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions

ioQuake3 engine versions prior to the version used in World of Padman 1.2
World of Padman versions 1.2 and earlier
Tremulous version 1.1.0
ioUrbanTerror version 2007-12-20

Description

The issue allows remote attackers to execute arbitrary code via a crafted third-party addon that creates a Trojan horse DLL file. This is achieved by exploiting the engine's failure to check for dangerous file extensions before writing to the quake3 directory.

Recommendations

For ioQuake3 engine versions prior to the version used in World of Padman 1.2, consider restricting access to the quake3 directory to prevent arbitrary code execution. For World of Padman versions 1.2 and earlier, restrict the installation of third-party addons to minimize the risk of exploitation. For Tremulous version 1.1.0, avoid using third-party addons until a fix is available. For ioUrbanTerror version 2007-12-20, consider disabling the ability to write to the quake3 directory as a temporary workaround.
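
The kind of check the description says was missing, written here as an added example (not code from ioquake3 or any affected project): a filename guard applied before a file is opened for writing. The function names and the extension deny-list are assumptions for illustration, and the sample file names are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Assumed deny-list of extensions the OS loader treats as native code. */
static const char *const blocked_ext[] = { "dll", "so", "dylib", "exe" };
/* Case-insensitive compare of the n-byte extension at `a` with string `b`. */
static int ext_eq(const char *a, size_t n, const char *b)
{
    size_t i;
    for (i = 0; i < n && b[i]; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return i == n && b[i] == '\0';
}

/* Returns 1 if writing `path` could drop a loadable binary, else 0. */
int name_is_executable(const char *path)
{
    size_t len = strlen(path), start, i;
    /* Windows strips trailing dots and spaces: "x.dll. " is stored as "x.dll". */
    while (len > 0 && (path[len - 1] == '.' || path[len - 1] == ' '))
        len--;
    /* Walk back to the last dot inside the final path component. */
    for (start = len; start > 0; start--)
        if (strchr("./\\", path[start - 1]))
            break;
    if (start == 0 || path[start - 1] != '.')
        return 0;                          /* no extension to judge */
    for (i = 0; i < sizeof blocked_ext / sizeof blocked_ext[0]; i++)
        if (ext_eq(path + start, len - start, blocked_ext[i]))
            return 1;
    return 0;
}

/* Hypothetical write wrapper: refuse before the file is ever created. */
FILE *guarded_fopen_write(const char *path)
{
    return name_is_executable(path) ? NULL : fopen(path, "wb");
}

int main(void)
{
    const char *t[] = { "mods/evil.DLL", "mods/evil.dll. ", "q3config.cfg" };
    for (size_t i = 0; i < sizeof t / sizeof t[0]; i++)
        printf("%-16s -> %s\n", t[i], name_is_executable(t[i]) ? "blocked" : "allowed");
    return 0;
}
```

The check only helps if every write path available to addon code goes through it; a guard on one open routine leaves rename or copy routes uncovered.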

Exploit

Fix

RCE

Weakness Enumeration

Related Identifiers

CVE-2011-3012

Affected Products

Tremulous
World Of Padman
Ioquake3
Iourbanterror