I have just checked the Icculus SVN repository where has been fixed the problem and there is also a link to the original bug report by a certain /dev/humancontroller dated 8 April 2008:

http://bugzilla.icculus.org/show_bug.cgi?id=3593

that's boring because now I need to modify the credits in q3cbufexec... uff

here on jamp.exe 1.0.1.0 works perfectly, it's only needed to use a command like the following:

callvote timelimit "123;rconpassword none"

because map, kick and g_gametime did nothing in my tests

with a bit of luck I have found a way to fix the bug on almost all the Windows versions of the vulnerable games.
in fact the Cbuf_ExecuteText function has a pattern which is practically ever the same on Windows so has been easy to add a set of instructions at the end of the .text section which scan the input text for the 0x0d and 0x0a chars (';' not because it's useless in this case and in that function it's used also for valid commands).

in my opinion the best place for adding that set of instructions was probably SV_ExecuteClientCommand where it was useful also to avoid the usage of these bad chars in other commands like "say" (where they are used as an annoyance) but there are tons of problems for finding that function in all the various games (if it's not universal it's not good).

at the moment the patch is in beta testing and requires at least lpatch 0.4.3 for being applied:

http://aluigi.org/mytoolz/lpatch.zip
http://aluigi.org/patches/q3cbufexecfix.lpatch

please refer to this thread for comments and suggestions

yeah sv_allowdownload 0 ! allowdownload is just an open door for every wnb hacker, there is no positiv side on this cmd for an server owner :P

I have a fix from ESL Forum:
Fix Linux:
- MSGBOOM fixed (appears some french sentences and calls a vote for kicking "crasher"
- Forcestring (calls vote for kick)
- Callvotebug (say's "noob hacker", and nothing happens)

http://rapidshare.com/files/198122644/j ... 6.zip.html
hf

PS: Creator told me that there might be some slow damage differents, but i did not realised anything.

http://esl-fr.verygames.net/jampgamei386.zip

The archive is damaged and Winrar's repair doesn't work.

Got another link?

this is just an opportunity you can use to make senseless the callvote bug, without decompiling or making modded dlls
What you need is just your jampded.exe file, or linuxjampded + a hex editor

both server files with common changements are in the end of the post.

You open the editor (i use XVI32, it s free, the link is in the end of the post)
then you have to find a text string with rconpassword variable name.
Now you have to change the name to smth like yrhiuahfeerd.
IMPORTANT: new name must have the SAME length that the string "rconpassword" (12 chars)
Then you save the file and your jampded or linuxjampded is now patched.

How it works:
In cfg your server runs you have to replace 'rconpassword' by 'yrhiuahfeerd'. So now your admin password will be named 'yrhiuahfeerd' and not 'rconpassword'
When someone is trying to call a vote, ex
callvote fraglimit "0; rconpassword 123"
the fraglimit will be set to 0, and all players will see a saying

server: rconpassword 123

as far as there is no rconpassword named variable, the server will interprete it just as a saying. So by the vote initiator it s easy to devine, who is trying to hack the server :)

Surely, they still can get your admin password (change it via vote etc) BUT they have to know the name of the variable, defining admin password, which is really hard to do :)
Also, every attempt to devine the name will be shown to other players, as I said before.

also, the guys who know the true admin password can still manage admin commands like before, e.g.

/rconpassword <adminpassword>
/rcon status
/rcon clientkick 0

But that is not all. If you downloaded and worked with a file in the attachment, I've already done the following things in it, so you just skip the final part, but if you edited your own jampded/linuxjampded you ll have to do an additional job
It is to remove /quit, /killserver, /sv_killserver, /sv_allowdownload commands. Just find them 1 by 1 and replace their names by spaces.
Now the 'clever' guys who will try to download the cfg will fail, also they wont be able to kill server via voting.


PS when you replace your jampded/linuxjampded file on server do not forget to change chmod for it, so it will be allowed to be executed.


SO, to sum up:
1. Edit the linuxjampded/jampded (rconpassword must be replaced with your own string; quit, sv_killserver, killserver, sv_allowdownload should be removed - filled with spaces)
2. Edit your cfg so the 'rconpassword' will be replaced with your custom name you selected in the first point
3. Enjoy your playing




PS It is NOT the mod anyhow and dont say 'omg lolmod i wont play esl there fu'


FILES

Jampded (for windows) with removed quit, sv_killserver and killserver commands, you have to rename only rconpassword variable
http://punk666.pu.ohost.de/serverfix/jampDed.zip

linuxjampded (for linux) with removed quit, sv_killserver and killserver commands, you have to rename only rconpassword variable
http://punk666.pu.ohost.de/serverfix/linuxjampded.zip

xvi32 - free and small windows hex editor (if you havent one)
http://punk666.pu.ohost.de/serverfix/xvi32.zip

................... http://www.for.bplaced.net/include/downs/downloads/jampgamei386.zip