Title: Secure Mccodes Post by: Agon on November 19, 2009, 04:40:41 PM

There needs to be a well written security thread made for Mccodes. I think it should be here.
It needs to be easy to read and in terms that new developers can understand.

Issues that need to be addressed.
Multiple Accounts.
Referral exploits/cheat.
Form exploits.
Injection Attacks.
Attack exploit/cheat.
Securing SQL query.
Securing Login, register, authenticate, header, globals, forums, signature, shoutbox, etc.

I think the information needs to be readily available here.

Title: Re: Secure Mccodes Post by: Cronus on November 19, 2009, 05:03:51 PM

I agree, I will be adding an area where we can all tackle the mccode bugs soon enough =)

Title: Re: Secure Mccodes Post by: smkin on November 19, 2009, 06:57:24 PM

that sounds cool as security is my down side at the min i.e not sure where to start

Title: Re: Secure Mccodes Post by: Maketextgames.com on November 19, 2009, 11:28:39 PM

The problem with this is.
To post security holes and fixes you must inform users just how the security issues are done. Which opens the board up to a wide range of users that now know how to hack or learn from it.

If one was to take the time to browse all forums and google there are many many helpful related threads on how to secure your site. However, securing a site well is not easy. Securing a few hacks is simple, but what's to stop someone from writing a new one? It's done daily I assure you. I have about 29 hacks in my notepad and that is nothing compared to some people I know.

Secure all GET/POST variables.
Secure your Session using either htaccess, config or globals.
Secure the $IP variable
Slap a password Protect on your staff panel hash it.
Maybe add an extra table in users like I did that is for staff passwords. If the user is logged in staff panel and their password table is blank, or not the right password, it auto feds them.

There are many things to do to secure a game, that's why I charge money :p It really is work.

Title: Re: Secure Mccodes Post by: Agon on November 20, 2009, 07:08:35 AM

Search the internet "Secure Mccodes"
You'll find plenty of places exposing the security exploits, some kinda helping in a half ass way, others just laughing at the folks asking questions, and even worse, many posts saying search for "secure mccodes"

IRONIC

A good security thread is needed. And that is my point.

Title: Re: Secure Mccodes Post by: Danny696 on November 20, 2009, 09:47:27 AM

Use cronus multipull logins, it'll log people out after 15 mins, and everything, just brill

Title: Re: Secure Mccodes Post by: Maketextgames.com on November 20, 2009, 10:08:15 AM

dev-forum.net has good security tips as well as a few on makewebgames.com

Title: Re: Secure Mccodes Post by: Agon on November 20, 2009, 10:16:55 AM

Quote: Use cronus multipull logins, it'll log people out after 15 mins, and everything, just brill

Again, you fail to see my point.

Title: Re: Secure Mccodes Post by: Agon on November 20, 2009, 10:17:45 AM

Quote: dev-forum.net has good security tips as well as a few on makewebgames.com

Yet another pointless security thread that tells you to search other threads. You also fail to see my point.

Title: Re: Secure Mccodes Post by: Agon on November 20, 2009, 10:28:24 AM

In my opinion. It's extortion. I've seen it with my own eyes. People posting "help me secure my game"
Being fed security information that is outdated, shoddy, or just false. Followed up by a "I'll help you secure it for X amount of dollars"

My point is, stop the extortion, give out the security patches for free, and further the development and greater good of the game engine.

I'm working on securing Lite, and I'll be more than glad to post reliable information here as soon as I learn it. It is a shame my ability is not as good as people who already know how to secure the game engine. But, that's ok. I will do my best to find the up to date patches and educate the new users of the engine. I've read a good 100 security threads over the month, and have a lot of the junk and bs filtered out.

I just want to make it easy for everyone to get the engine secure and have the knowledge publicly available HERE. That way people know it's coming from the source and can have more trust in knowing the information is accurate.

It is completely appalling that a newb like me has to take on the task of securing this engine, especially since there are guys out there with ten years + experience that could easily explain the fixes. Let's educate instead of extort. Probably boost the sales of the game engine too!

Thank you for your time.

Title: Re: Secure Mccodes Post by: Maketextgames.com on November 20, 2009, 10:34:58 AM

Yes, because I want to boost the sales of the game engine a.k.a my competitors.
You are missing the point. There are no "patches" to secure a site. That's why it's just stupid to post fixes for known hacks. There will be more. Secure Your site the hard way, or don't own a site. In all honesty, that's the way it should be and has to be. I can go through your site in 10 minutes and fix all "known" hacks that people use. But in a week, there will be 10 more. You need to grasp the concept there is no quick fix or "patch".

Title: Re: Secure Mccodes Post by: Agon on November 20, 2009, 10:44:30 AM

Quote: Yes, because I want to boost the sales of the game engine a.k.a my competitors.

No shit sherlock. There is no quick fix, and I never claimed there is one. Oh... but you're in on the extortion racket anyways. "I'll help you fix it for X amount of dollars" You make me sick.

Title: Re: Secure Mccodes Post by: Maketextgames.com on November 20, 2009, 10:49:09 AM

Extortion Racket?
News Flash. Any large company pays people to secure their businesses. It's ethics. I'm not going to take time out of my day, you know, that thing that puts diapers on a baby, to sit here and explain to 1000000 kids how to secure their site for free.

For one, I don't want to spend 5 days typing a write-up out that people wouldn't read anyways because they just jumped into some mccodes engine thinking hey i'll make a quick buck off my illegal version of mccodes.

For Two. If you aren't willing to spend money on your site, it'll fail anyways.

For three. I have my own site to run and my own business to run which so far my customers are kept happy. Some of which frequent these boards.

So before you get all Preachy, perhaps you should look at both sides of the fence. It's not my job to teach PHP to kids, i'm not a teacher. I help when I can, and oh, i release free mods when I can. But i have a life, a wife and a daughter. Helping out 12 year olds for free doesn't put diapers on the baby or food in her belly.

Title: Re: Secure Mccodes Post by: Maketextgames.com on November 20, 2009, 11:17:12 AM

For further information.
I do post a bit of stuff on my own personal site for my users. Cronus, if this is against your rules just remove this

http://www.immortal-darkness.com/Forums/index.php?topic=41.0

Title: Re: Secure Mccodes Post by: Danny696 on November 20, 2009, 11:43:40 AM

I could give you 2 personal and 1 worldwide function, that will secure from HTML, PHP, JS, and css hacks i think, the other one will strip links being inputted, and the other will strip metas

Title: Re: Secure Mccodes Post by: RedQueen on November 20, 2009, 11:45:53 AM

i have to say i agree with ImmortalThug on this issue
by time you fix something there is 20 more things broken if helping secure a site for money is extortion in your eyes what about the half dozen mods people are paying money for that come already broken n they do not give you the kinda support Immortal does he has been helping me immensely with learning as i am a noobie and still learning with every mod i have purchased from him comes with support you could only wish for from any dealing for FREE!!!!!! i would gladly pay him what he charges to secure a site is wayyyyyyyyyy cheaper than most are charging being a mother of 3 here i see the point he makes about the diapers and food securing takes time and work any normal job pays you for your time why can't he ? he helps for free a lot also which he doesn't have to and i wouldn't if i were him why to help people like you that do not appreciate and are ungrateful for the time and efforts that go into the things done for them no way not me i would charge ya so much you would not even bother askin for my help and why because i can if i want to i would pay to have my site secured you know why ?
cause it saves me the time, effort and energy of having to do it myself if you do not wanna pay then don't it is not like someone is holding a gun to your head making you there are plenty out there like me who just cannot be bothered to even try that is why people pay people pay for mccodes engine even with all the security holes and for v2 it is $300.00USD that in my opinion is it is extortion paying that much for something already broken to begin with i say if you can get paid for doing the work no one else wants to do go for it we do not have our mommies or daddies paying our bills any more we live on our own and have families of our own to care and pay bills for so until you have the worries we do and you have to even pay your own rent or buy your own groceries you may think yeah i will do it all for free which do not get me wrong is a very nice gesture but i can tell you now once you have them worries your tune will change all the power to you ImmortalThug if ya can make a buck for all your hard work and time that takes away from the time you could be spending doing something you really enjoy i say make that buck n i would too!!!!

Title: Re: Secure Mccodes Post by: Maketextgames.com on November 20, 2009, 11:56:41 AM

Thank you Red, you said quite a lot.
I just hope some of these people understand my point. There is no quick fix for mccodes. See the Link I added for a little help. Again, I don't mind helping where I can, even for free. But to post false hope security mods that "secure your whole site" is not only moronic but unethical. There is no "fix all solution"

Secure your $_GET and $_POST input and output.
Secure your $_IP
Hide your mysql errors with class.db files.
Stop Session Hijacks.

too many to list...that's just an idea of what REALLY needs to be done.

every forum i visit people ask the same thing make one thread! So threads are made...they aren't helpful, then later someone posts the same thing again, MAKE A THREAD

Then when you direct people to that forum, they say the same thing..oh you can't tell me you just have to re-direct me to this site. Well if you're too lazy to browse and research, delete your public html and get a new hobby your game fails.

Title: Re: Secure Mccodes Post by: FrankWiccan on November 20, 2009, 11:58:37 AM

I have yet to buy a mod that worked as described and didn't need a lot of editing except for IH program.
I have found his coding to be great and help invaluable. Despite my first dislike for danny I have found him also to be an excellent coder these two people should be praised not accused

FW

oops yes Danny and IH's mods did work :) but no other one

Title: Re: Secure Mccodes Post by: Maketextgames.com on November 20, 2009, 11:59:46 AM

Yea, Danny is the bomb diggity too :p

Title: Re: Secure Mccodes Post by: Danny696 on November 20, 2009, 12:03:10 PM

bomb diggity? oh and my mod had no problems ;)

Title: Re: Secure Mccodes Post by: Maketextgames.com on November 20, 2009, 12:16:42 PM

Get outta here you extortionist! ;) hehe

Title: Re: Secure Mccodes Post by: Maketextgames.com on November 20, 2009, 01:00:48 PM

Danny, those personals won't stop all of the hacks :P
There are tons of diff functions that help out, and by all means if you want to share with them go for it ;-) However, w/o securing ALL $_GET and $_POST variables individually in the scripts themselves there are always going to be backdoors. Not to mention RHI hacks, XSS hacks..session hijacks etc. The list goes on and on.

Title: Re: Secure Mccodes Post by: Diesel on November 25, 2009, 02:21:20 PM

Quote: To post security holes and fixes you must inform users just how the security issues are done. Which opens the board up to a wide range of users that now know how to hack or learn from it.

What difference does it make if other people know a few hacks? If your game is secure, then you have nothing to worry about (I've seen some of your free mods and you seem like an intelligent coder). Not to mention, there are SEVERAL bugs throughout MC Codes that have quick, simple fixes. So why not post those? The only reason not to do so, that I can think of, is because people won't be able to charge other game owners money to fix those certain loopholes.

Title: Re: Secure Mccodes Post by: Maketextgames.com on November 25, 2009, 02:30:53 PM

Quote: What difference does it make if other people know a few hacks? If your game is secure, then you have nothing to worry about (I've seen some of your free mods and you seem like an intelligent coder). Not to mention, there are SEVERAL bugs throughout MC Codes that have quick, simple fixes. So why not post those? The only reason not to do so, that I can think of, is because people won't be able to charge other game owners money to fix those certain loopholes.

Because it's like putting a band-aid on a bullet wound. I can just write something else to go right around it, most can. I don't like giving "false" sense of security which is what that does. Most known fixes can be found on all the forums, have been written 100 times. Why re post them every time someone asks?
Again, if they are too lazy to search and install on their own......kind of a waste of time really..

Title: Re: Secure Mccodes Post by: Agon on December 01, 2009, 10:53:39 AM

Yet another security thread turned into an advertisement for Immortal's security services.

Title: Re: Secure Mccodes Post by: Zeddicus on December 01, 2009, 11:00:22 AM

I agree with you Agon, the fact of the matter is, some people make games as a hobby, not for a business/job.
These people would obviously need help from malicious users, and their attempts at being "script-kiddies". If there are known exploits, I very well think we as a community should post the fixes here to stop people's games being exposed to them. We don't have to post the actual exploits, just the fix.

Title: Re: Secure Mccodes Post by: Maketextgames.com on December 02, 2009, 04:39:00 AM

Shrugz, The fixes are posted on tons of boards. If they don't want to look for them I'm not going to help them.
I posted a FULL write-up on my own Forums, it's not my fault if people don't feel like looking. Hobby or business, if you are too lazy to type in "McCodes Exploits" In google, you're a lazy snob who needs a different hobby.

Title: Re: Secure Mccodes Post by: Zeddicus on December 02, 2009, 05:12:53 AM

What I'm trying to say is, this is a different forum, why drive traffic away?
If you want you can always post your thread over here hehe.

Title: Re: Secure Mccodes Post by: Maketextgames.com on December 02, 2009, 02:35:34 PM

Why post every time someone asks for it? :P

Title: Re: Secure Mccodes Post by: Cronus on December 02, 2009, 05:14:07 PM

I agree, if you don't stop trying to get everyone to go to your forums in your posts I will start handing out warnings. I've removed several of your posts already because of it.

Title: Re: Secure Mccodes Post by: Maketextgames.com on December 02, 2009, 05:29:22 PM

Never saw in ToS how it's against the rules to Refer another forum. I see you spamming MWG all the time trying to sell your mods. Er Mods you've purchased to sell.
Several times referring back to your site

Title: Re: Secure Mccodes Post by: Cronus on December 05, 2009, 05:55:12 PM

I don't spam ANYTHING.
There is a specific board on mwg for paid mods and I post there. I even make sure to not put any of the links to cronwerks and i make users mail me first. The only exception is when users post topics saying they are looking for a specific mod, which I then post links to my mod if I have the one they are asking for.

You, on the other hand, post all the time about your forum and how you refuse to stuff here but you will have it posted on your site. If you aren't posting it here then don't post about it here, simple as that. Every other post you have seems to have something to do with your forums.

Title: Re: Secure Mccodes Post by: Maketextgames.com on December 08, 2009, 10:54:46 AM

And how is what I'm doing not the same thing?
Someone is looking for a security thread
They can find it here
Immortal-Darkness.com/Forums

That's the exact thing you do here
http://www.makewebgames.com/game-engines-and-modifications/mccode-dbscode-game-engine/paid-modifications/p154349-buying-custom-bounty-mod-7/?highlight=#post154349

It's not like I'm trying to "steal" people from the Forums. people stay no matter what, hell I post on 4 different boards. Every one of them has something Unique to offer. When I design or Fix a mod, it's no fun for me to Post that mod on 4 different Boards especially being on 56k modem right now and an outdated computer. So i'm sticking them all on 1 or 2 forums and I direct them there. Sometimes when I am tired of coding or doing other things I'll actually take the time to Post one of my Mods here as I understand not everyone knows about other Forums.

I just recently created mine and I feel that it was needed. All the forums currently have a random amount of Crap mods and Good mods. Users have to search through all the posts to find those worth a damn and they come with little or no support other than your average member who has no idea how the mod was made originally. The mods I'm posting on my forum i know the ins-and-outs, I've secured everything to an extent and I have no problem helping people. Same as I do on all the forums.

So i see no reason why it's such a big issue, but again, it is your forums, if my 2 cents worth aren't getting a penny's worth i'll just stop posting here and return to the other forums where people appreciate my help. My mods as well as a compilation of Security tips i've acquired are on My forums. The same thing you do, You don't want to go to 4 different forums and say this is the mod bla blah. it's a lot of typing and repeating yourself.

Title: Re: Secure Mccodes Post by: Cronus on December 08, 2009, 03:04:56 PM

Quote: You don't want to go to 4 different forums and say this is the mod bla blah. it's a lot of typing and repeating yourself.

This is why the smart people at microsoft included a copy and paste function =)

Title: Re: Secure Mccodes Post by: Maketextgames.com on December 08, 2009, 04:07:15 PM

So you're saying because people are entirely too lazy to go to different threads
If i have a large mod..like Richards Business Mod that i fixed and updated which takes up an entire page of replies just to post the mod on MWG with a large character limit. I have to fix that and post it here piece by piece? And then when I find a bug do it all over again for 4 different forums? Yep, that's not going to happen.

Title: Re: Secure Mccodes Post by: Programmer on January 24, 2010, 12:43:42 AM

Someone just ban the annoying arguing bastard.

Title: Re: Secure Mccodes Post by: dominion on January 24, 2010, 09:04:20 AM

Quote: Someone just ban the annoying arguing bastard.

you don't ban someone for having an opinion if anything u should get a warning for Bad Language but then again that's just my opinion

Title: Re: Secure Mccodes Post by: Programmer on February 26, 2010, 03:51:36 AM

Quote: Someone just ban the annoying arguing bastard.
Quote: you don't ban someone for having an opinion if anything u should get a warning for Bad Language but then again that's just my opinion

hypocrite? I believe so.

Title: Re: Secure Mccodes Post by: CrimGame.com on February 26, 2010, 07:42:11 AM

Quote: Slap a password Protect on your staff panel hash it.

what kind of hash and stored where?

Title: Re: Secure Mccodes Post by: Jordan on February 26, 2010, 09:50:14 AM

lmao

Title: Re: Secure Mccodes Post by: dominion on March 03, 2010, 01:56:44 PM

Quote: Someone just ban the annoying arguing bastard.
Quote: you don't ban someone for having an opinion if anything u should get a warning for Bad Language but then again that's just my opinion

what's wrong with being a hypocrite? (rhetorical question)

Title: Re: Secure Mccodes Post by: Danny696 on March 03, 2010, 03:24:49 PM

Shall we get back on topic now, Thanks....

Title: Re: Secure Mccodes Post by: kingdkknox on June 11, 2010, 04:43:37 AM

I just wanted to throw my two cents in but I believe most of the problem is that everyone is busy trying to get their own game up and running and make money anywhere they can. If someone wants to charge for their services fine, however I think it's funny some say it will give false hope of security but if you ask to pay them same people to secure your site they will do so with that same false hope. The difference is that they are being paid and they no longer care about your hopes. LOL!

Well, I am paying someone that's teaching me all of this coding and languages and he is my personal tutor and I promise when I learn it enough I will be one of those who will post anything helpful anywhere I can because so many have helped me and so many need help like I did. It's posed to be a community and we need to help each other without. And of course people have to take their own initiative also to learn what they can but a lot of this is very confusing. Thanks to all that have helped me!

Title: Re: Secure Mccodes Post by: ReignFire on June 21, 2010, 01:50:43 PM

yeah so i was thinking...... it sounds like a good idea <---original thread topic--- and as for some comments on the first page about helping your competitors, well everyone here IS a competitor and we are all already collaborating for free and for small cash amounts so if you have any more moot points to make please make use of your shower stall alone and rant and rave all by yourself with the door closed and radio on maximum volume because they don't help anybody here to any degree whatsoever and they prevent anything GOOD like this particular topic from ever getting off the ground.
I say let's get this done +1

Title: Re: Secure Mccodes Post by: Agon on July 15, 2010, 12:33:51 PM

I am no pro. Not one bit. Just posting what I know how to fix, and the ways I know how. If you can improve on it, PLEASE, be my guest.

TIPS AND TRICKS FOR NEW ADMINS
1. Don't tell anyone you are new. This instantly makes you a target.
2. Keep your site a secret from the community if you are new. Ironically most of the vandals and hackers lurk around for new folks.

PASSWORDS
1. Use a good password for your cpanel, ftp, ssh, mysql database, and admin panel. LONG password. Uppercase and lowercase letters, numbers, and symbols. Maybe use a password generator. The longer the password, the less success of a brute force attack.
http://www.thebitmill.com/tools/password.html#passwordbuilder

DAILY BACKUP
1. In my opinion, just an opinion. THE MOST IMPORTANT SECURITY. If someone hacks your game, so what? You got a copy from the day before. Simple enough. But I also can't stress this one enough. This is a great way to have at least SOME security, especially if you are new and learning how to code. Also comes in handy if you make a tragic mistake or error.
Cpanel should have a backup setting in it (not sure, i don't use Cpanel)
Or if you use SSH to login to your bash shell, find a simple bash shell script to make a daily back up for you. Tons of them out there. Google is your friend!
Learn how to use the Export command on your phpmyadmin panel. Exporting your database to a file is simple. Just a click of a button and save the file.
After all, not sure about your games, but my entire game with the sql database is about 10mb of files. You can worry about doing a more advanced backup system in the future, when you learn a little bit more. Some files don't need a daily backup, others do.

SLOW DOWN THE BOTS
1. Use a captcha on at least your registration.php. I can't find the link to the program I use. But there are tons of free captchas out there. Captchas slow down bots. This stops bots from creating 100,000 players on your site in an afternoon.
2. Some people use the captcha on the gym.php and criminal.php to stop auto clicker scripts.
The handicapped use auto clicker scripts, and so do game cheaters, and it is readily available to have a script record your clicks, and then go on a timer. There are also more simpler validate if you are human scripts. You will have to shop around. No one said securing your game would be easy!

EMAIL VALIDATOR
1. Validate the players email address. This slows down bots, and annoys hackers. There is a good one for sale on the cronwerks forums, but maybe the price should be dropped or it should be made free. Just a suggestion, after all it is a free market. I purchased the one from here, I like it, I use it.

USE LOGS
1. Ok, there are way too many log scripts out there for mccodes. You will also have to search on your own for these. Search "log" and "logs" here or at makewebgames.com. That should point you in the right direction. Logging user activity helps you spot the vandals, hackers, and cheaters. Choose wisely though, some logs are pointless and bog down your server.

FIND THE FREE FIXES.
Ones that I know of:
1. Secured Crystal Market
http://www.cronwerks.com/forum/cronwerks-free-mccode-mccodes-mods/%28mccode%29-secured-crystal-market/
2. Secured Forums
http://www.cronwerks.com/forum/cronwerks-free-mccode-mccodes-mods/%28mccode%29-secured-advanced-forums/

SECURE YOUR ADMIN PANEL
1. Move your admin files to a folder. An easy way to secure them is using .htaccess
You can password protect your admin folder using .htaccess. I'm sure there is more than one way to password protect them, but this is the way I know. Here is an instructional guide to use .htaccess to password protect a folder.
http://www.javascriptkit.com/howto/htaccess3.shtml
2. Rename your admin files!
Go through each and everyone and rename them, and adjust the code accordingly to point in the right direction. The hackers out there know the names of the admin files, slow them down by renaming them.
3. Secure your admin files so only YOU can view them.

Code:
// Stop anyone who is not user #1 or user #2
if (($ir['userid'] != 1) && ($ir['userid'] != 2)) {
    echo 'You are not allowed in here!';
    $h->endpage();
    exit;
}

This snippet of code says you have to be user #1 or #2 to access the admin file. Post it at the top of your admin files, or learn how to do it in globals.
4. Auto log them out if they make themselves staff level:
Find in header.php

Code:
global $db,$c,$userid, $set;

underneath paste:

Code:
//check if really an admin

and since we're on header.php, right under that, get a ban list going on. You don't like someone BAN em. Most of these script kiddies have no idea how to use a proxy.

Code:
$ban = array('00.000.000.000','00.000.00.000');

Ok, there is more stuff. I'm out of time for today. I hope this helps some of the new folks out there. You guys who know more than me should be posting some fixes please.

To be continued....

Title: Re: Secure Mccodes Post by: dominion on July 22, 2010, 06:11:06 AM

@agon some good stuff there but the 1st few pages of this will not help anyone you should post that in a new topic ???
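
An added example, not part of any post in this thread and not McCodes' own code: one way to combine the hard-coded userid check and ban list from the tips post with the separate staff password suggested earlier in the thread, hashed with PHP's password_hash() and kept in its own column. The function, constant and column names (staff_gate, STAFF_IDS, BANNED_IPS, user_level, staff_pass_hash) and the meaning of user_level are assumptions, and the sample rows are constructed.

```php
<?php
// Added example; every name below is hypothetical, not taken from McCodes.

const STAFF_IDS  = [1, 2];                           // allow-list, like the userid check in the post
const BANNED_IPS = ['203.0.113.7', '198.51.100.23']; // constructed addresses (documentation ranges)

/**
 * Decide whether a request may enter the staff panel.
 *
 * $user is the logged-in player's row; the keys userid, user_level and
 * staff_pass_hash are assumed column names. Returns 'ok' or a reason
 * string the caller can log before ending the session.
 */
function staff_gate(array $user, string $submittedPass, string $ip): string
{
    if (in_array($ip, BANNED_IPS, true)) {
        return 'banned_ip';
    }

    // Accept only a real integer id; "1abc" or an array must not pass.
    $uid    = filter_var($user['userid'] ?? null, FILTER_VALIDATE_INT);
    $onList = $uid !== false && in_array($uid, STAFF_IDS, true);

    if (!$onList) {
        // Assumption: user_level above 1 means staff. A staff level on an
        // account that is not on the allow-list means the row was changed
        // behind your back, so the caller should log them out and log it.
        $level = (int) ($user['user_level'] ?? 1);
        return $level > 1 ? 'level_tampered' : 'not_staff';
    }

    // Second, staff-only password. Store only the password_hash() output,
    // in its own column; an empty column never unlocks the panel.
    $hash = (string) ($user['staff_pass_hash'] ?? '');
    if ($hash === '') {
        return 'no_staff_password';
    }
    if (!password_verify($submittedPass, $hash)) {
        return 'bad_staff_password';
    }
    return 'ok';
}

// --- Constructed sample data ------------------------------------------
$pass = 'long staff-only passphrase';
$hash = password_hash($pass, PASSWORD_DEFAULT); // salted, slow hash chosen by PHP

$cases = [
    'owner, right password'  => [['userid' => 1,      'user_level' => 2, 'staff_pass_hash' => $hash], $pass,   '192.0.2.10'],
    'owner, wrong password'  => [['userid' => 1,      'user_level' => 2, 'staff_pass_hash' => $hash], 'guess', '192.0.2.10'],
    'owner, empty hash'      => [['userid' => 2,      'user_level' => 2, 'staff_pass_hash' => ''],    '',      '192.0.2.10'],
    'player, normal level'   => [['userid' => 57,     'user_level' => 1, 'staff_pass_hash' => ''],    '',      '192.0.2.11'],
    'player, level edited'   => [['userid' => 57,     'user_level' => 2, 'staff_pass_hash' => ''],    '',      '192.0.2.11'],
    'malformed id'           => [['userid' => '1abc', 'user_level' => 1, 'staff_pass_hash' => $hash], $pass,   '192.0.2.12'],
    'banned address'         => [['userid' => 1,      'user_level' => 2, 'staff_pass_hash' => $hash], $pass,   '203.0.113.7'],
];

foreach ($cases as $label => [$row, $given, $ip]) {
    printf("%-24s => %s\n", $label, staff_gate($row, $given, $ip));
}
```

Any result other than 'ok' is a reason to end the session and write a log entry, which ties into the USE LOGS tip above.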