PT-2006-4218 · Id+1 · Id3 Quake 3 Engine+1

Luigi Auriemma · Published 2006-06-30 · Updated 2018-10-18 · CVE-2006-3325

CVSS v2.0: 5.0 (Medium)
Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N

Name of the Vulnerable Software and Affected Versions
id3 Quake 3 Engine version 1.32c; ioquake3 revision 810 and earlier

Description
The issue allows remote malicious servers to overwrite arbitrary write-protected cvars variables on the client, such as cl_allowdownload for Automatic Downloading and fs_homepath for the quake3 path, via a string of cvar names and values sent from the server.

Recommendations
For id3 Quake 3 Engine version 1.32c, consider disabling the cl_parse.c file functionality until a patch is available. For ioquake3 revision 810 and earlier, restrict access to the vulnerable cvar variables, such as cl_allowdownload and fs_homepath, to minimize the risk of exploitation.

Related Identifiers

CVE-2006-3325

Affected Products

Id3 Quake 3 Engine
Ioquake3