Cronwerks MCCode/MCCodes Forums


AuthorTopic: mccodes-lite based game - reflection  (Read 519 times)

p1n

mccodes-lite based game - reflection
« on: March 01, 2011, 09:20:32 AM »
I downloaded the mccodes lite software about 3 weeks ago to jump start the development of a php game that I had in mind. I actually spent about a week building and configuring a webserver (RHL with SELinux and Apache with mod_security) and it only took a few hours to get the basic game with cosmetic changes only running. A group of friends have been helping me test it since that time on a private server. I have spent the past two weeks recoding most of the modules and adding a few new ones.

The few things that stood out in my mind are:

1. widespread non-validation of input
2. widespread use of GET http requests
3. widespread reference to undefined session variables

This pattern results in atrocious security (as I can see from the other posts here). It also floods the webserver error log when people play the game lol.

Problem 1 is easily addressed by adding various degrees of input sanitization/validation. At a minimum just using mysql_real_escape_string() sanitizes input that is largely passed directly into database queries. This is also addressable at the webserver level if you configure and enable the apache mod_security module. When the large scale php scans/attacks started this past weekend it was this module that blocked them before they even hit the php application layer.

Problem 2 is an issue because it makes cache-based attacks possible and also exposes http request parameters on the url making it possible for users to manipulate them directly. Remediation is easy and basically requires you to replace the use of $_GET with $_POST and change hyperlink references from type 'get' to 'post'. I'm about 50% through making this change to the code.

Problem 3 caused error_log to grow by about 500MB per day with only a handful of users. The fix is trivial and only requires changing:

if( $_POST[ 'variable' ] ...)

to:

if( isset($_POST['variable']) && $_POST['variable'] ... )

wherever server variables are used. This is generally complete now and I'm only responding to isolated problems when rarely used codepaths are hit.

A few other things, the header lines in almost every module were common so this was an easy target to extract and put into a separate common php module. Also, the date function is not initialized and uses the default server settings. While a minor thing this also flooded error_log so it was an easy thing to fix in the new, common header.

At the present time I am writing a new top-level, iframe-based interface along with finishing the cleanup of the mccodes lite basecode and am looking forward to a public launch in a few weeks. Although I have cursed plenty at the quality and style of the mccodes-lite basecode it is undeniable that using it has tremendously accelerated the development of my game.

edit: I have removed the phpmyadmin module from the server. I noticed that it was the prime target of the php scans and attacks this past weekend and to be honest while it worked well I did the majority of database work using the mysql utility on the server. I appreciate that this is not an option for everyone but wanted to share that decision.

Note: after reviewing the web logs it was the SELinux policy and apache mod_security that prevented the exploitation of some inherent php (phpmyadmin and mccodes-lite) vulnerabilities so I cannot stress enough how critical it is in my opinion to set these up before you install your game.
« Last Edit: March 01, 2011, 09:29:20 AM by p1n »
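The three fixes described in the post above, applied to one small request handler, as an added example that is not code from mccodes-lite or from the poster. It uses a PDO prepared statement in place of mysql_real_escape_string() (the mysql_* extension the post refers to was removed in PHP 7.0), checks the request method and isset()/?? before touching any field, and adds a per-session form token so that moving the action from GET to POST cannot simply be bypassed by a forged form. The `items` table, the `fetchItem` and `handleBuy` functions, the `csrf`/`userid` session keys and the constructed requests are all assumptions made for this example; it needs PHP 8 with pdo_sqlite and runs offline from the command line.

```php
<?php
// Added example (not code from mccodes-lite or the original post): the three
// fixes the post describes, applied to one hypothetical "buy item" handler.
// Assumptions: PHP 8 with pdo_sqlite, a hypothetical `items` table, and a
// session array that already holds a CSRF token and a user id.
declare(strict_types=1);

// --- Constructed in-memory database so the script runs offline ---------------
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT, price INTEGER)');
$db->exec("INSERT INTO items VALUES (1, 'Knife', 50), (2, 'Pistol', 500)");

/**
 * Problem 1: validate, do not merely escape. Only a positive integer id is
 * accepted, and it is bound as a query parameter, so no request value is ever
 * spliced into the SQL text.
 */
function fetchItem(PDO $db, mixed $rawId): ?array
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;               // reject bad input instead of "cleaning" it
    }
    $stmt = $db->prepare('SELECT id, name, price FROM items WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

/**
 * Problems 2 and 3: the state-changing action is accepted only over POST,
 * every request field is read with isset()/?? before use (no "undefined
 * index" notices in error_log), and the POST must carry the session's form
 * token so a forged link or a cached URL cannot trigger it.
 */
function handleBuy(PDO $db, array $server, array $post, array $session): string
{
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return 'ERROR: this action requires a POST request';
    }
    if (!isset($post['csrf'], $session['csrf'])
        || !hash_equals($session['csrf'], (string) $post['csrf'])) {
        return 'ERROR: missing or invalid form token';
    }
    $item = fetchItem($db, $post['item'] ?? null);   // null if the field is absent
    if ($item === null) {
        return 'ERROR: no such item';
    }
    return sprintf('OK: user %d buys %s for %d',
        $session['userid'] ?? 0, $item['name'], $item['price']);
}

// --- Constructed requests standing in for a browser ---------------------------
$session = ['userid' => 7, 'csrf' => bin2hex(random_bytes(16))];

$cases = [
    'GET link (old mccodes style)'  => [['REQUEST_METHOD' => 'GET'],  ['item' => '1']],
    'POST without token'            => [['REQUEST_METHOD' => 'POST'], ['item' => '1']],
    'POST with injection attempt'   => [['REQUEST_METHOD' => 'POST'], ['item' => '1 OR 1=1', 'csrf' => $session['csrf']]],
    'POST with item field missing'  => [['REQUEST_METHOD' => 'POST'], ['csrf' => $session['csrf']]],
    'well-formed POST'              => [['REQUEST_METHOD' => 'POST'], ['item' => '2', 'csrf' => $session['csrf']]],
];

foreach ($cases as $label => [$server, $post]) {
    printf("%-30s %s\n", $label, handleBuy($db, $server, $post, $session));
}
```

Only the last request succeeds; the GET link, the token-less POST, the `1 OR 1=1` payload and the request with the field missing are each rejected with a message rather than a PHP notice or an unintended query. In a real game the `$server`, `$post` and `$session` arrays would be `$_SERVER`, `$_POST` and `$_SESSION`, and the token would be emitted as a hidden field in every form.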