Print

Please login or register.
1 Hour 1 Day 1 Week 1 Month Forever
Login with username, password and session length

[JoshuaDams]

More so---Which files are vulnerable and to what.

Stock Donator System--Vulnerable to RFI hack--Donators can use an RFInclusion to purchase the max donator pack for a penny.

Player Report System----Using meta or iframe hack, and staff_special.php coding, Hackers/exploiters can use the auto refresh to make themselves an admin when the hack is viewed by an admin.

Preferances, Display Picture--Same hack can be used here, Or an .htaccess rewrite can be modified to bypass certain security measures, again, accomplishing the same as the above.

cmarket.php----crystals hack that if the ID variable is not secured will max out a users crystals.

forums hack--if the ID variable is not secured will show user login name and md5 password, easily decrypted through a rainbow table.



Session Hi-Jack

Using a few differant Session Stealers, via xss or a program, users are able to steal your sessions and enter them into the proggy logging in to your account w/o needing a password.



IP Sploof

Users use a common old fire fox add on to add a query through the unsecured IP variable changing any field in the users table to whatever they so choose.


there is a gaping hole in the items files but i was "promised" into not saying "which" item file.  the hack is a csrf hack tho, if it helps at all.


userlist hack.

There are a few differant hacks that can be used on your userlist to DROP your users table, XSS inject and do all sorts of other nasty things.  Secure all variables in your userlist, including st, ord, by etc.


viewuser
some aftermarket viewusers have turned out to be vulnerable to xss injections as well.


If you have aftermarket mods, make sure they were made by someone who knows what they are doing or you have had them tested, or you have secured them yourself.  Several times i've seen and tested aftermarket mods and within literally 30 seconds been able to make myself staff.


Might also suggest investing into a staf login script there are a few freebies floating around.


For newer users who havent "started" their games yet, convert to a sha512 password system with salt for a bit of extra security on your passwords.


register.php  REF is unsecure  there are 2 seperate instances of ref, one is lowercase and one is upper case, while the lowercase one is secure the UPPERcase one is not.
$_GET['ref']=abs(@intval($_GET['REF']));



I've just spent several hours writing out fixes for all these, so perhaps later i'll write them here as well.  Just a heads up.

[strats]

I have started playing about with codes again.
Maybe when I finish my project you can secure it for me ;P

[CrimGame.com]

I really do like how you know nothing of what your talking about, Immortal lets see here =>

Player Report System----Using meta or iframe

really now i'd of said it was a XSS issue yet you only say iframe and meta? FAIL

IP Sploof
Users use a common old fire fox add on to add a query through the unsecured IP variable changing any field in the users table to whatever they so choose.

Actually it's just basically editing your headers X-Forward-For is the little bugger and basically they trick the CRAP coding of mc like so IP', user_level='2
So you FAIL with misinformation again...

Session Hi-Jack

Using a few differant Session Stealers, via xss or a program, users are able to steal your sessions and enter them into the proggy logging in to your account w/o needing a password.

Actually there is no need for a program i can supply the exact code for stealing and changing your phpsessid if you need help Immortal. Your protection method works (like the one on phpsec) and is flawed (again reference to modifying headers). FAIL with not covered all angles.

forums hack--if the ID variable is not secured will show user login name and md5 password, easily decrypted through a rainbow table.

Yeah ok so do you mislead people for a reason or just wanting more customers?
Forums all the GET and POST need the be looked over and secured lets see off by heart i'd say (subject, signature, avatar, viewtopic, viewpost and all the basic GET variables with the added POST just to check). if you had ever secured this you'd know.
FAIL again misinformation.

there is a gaping hole in the items files but i was "promised" into not saying "which" item file.  the hack is a csrf hack tho, if it helps at all.

Yeah you promised me but i released the Patch on MWG so basically guys it's the itembuy file, See MWG post for fix (MWG itembuy patch (note code needs updating due to age))

viewuser
some aftermarket viewusers have turned out to be vulnerable to xss injections as well.

Mind listing them or basically just going to say anyone who made a viewuser after MC's generic version is exploitable?

If you have aftermarket mods, make sure they were made by someone who knows what they are doing or you have had them tested, or you have secured them yourself.  Several times i've seen and tested aftermarket mods and within literally 30 seconds been able to make myself staff.

If you set it up correctly a member can be staff and not even have a single advantage over anyone else, in what way would you make yourself staff if SQL then maybe you could try dropping users?

Might also suggest investing into a staf login script there are a few freebies floating around.

Free... Don't you sell one with a little header code...?

register.php  REF is unsecure  there are 2 seperate instances of ref, one is lowercase and one is upper case, while the lowercase one is secure the UPPERcase one is not.
$_GET['ref']=abs(@intval($_GET['REF']));

wow he got something almost right, i do it abit different myself.

[Cronus]

Crim, if you are going to be spiteful and childish, DON'T POST. We don't need you to pick apart everything everyone says and post "fail". If something is wrong, help fix it, otherwise you are just spamming and wasting everyones time.

[CrimGame.com]

Preston, Delete me if you think leading people into a false sense of security is the way to go. I am basically just notifying the public that the original poster of this thread is incorrect and misleading the viewers.

I have supplied a link to one fix which is more than he did so i would like you to rather get off my back or do something about it.

[JoshuaDams]

You "fail" at reading.

See the topic? 

It says a "list" of all "exploits" I know.

Nothing about individual fixes.

Every exploit I posted/talked about is a vulnerable spot on someones game.

Using one of the many options above I can enter someones website and mess with it.

This is a warning to folks.

You wish to come through and act childish do it elsewhere, no one pays attention to you

[CrimGame.com]

I've just spent several hours writing out fixes for all these, so perhaps later i'll write them here as well.  Just a heads up.

ok i know this isn't you saying they are fixes or anything but i mean you did mislead people right?

Not denying you was wrong on many subjects?
All you know is MC codes give him a clap, Your new friend Preston will surely point out im correct and weird he didn't reply personally (reminds me of spudinski all mouth no action).

You called me a brown nose on MWG, how did you get unbanned?


But this is off topic so would the OWNER of the forum and his girlfriend please get back on topic, I supplied information on the topic yet i get preased at by a has-been and a wannabe php coder (who only knows mcc).

Seriously im a member of CronWerks and since i've finally started posting content i've had nothing but abuse your website is a crock shove it up your ass (ban me see if i give a f**k).

[mdshare]

Doesn't happen often I post on a forum not owned.

1. Immortalthug , has never been banned from CE/MWG
2. Zero-Affect , has never been banned from CE/MWG

However I have to say that Immortalthug tends to bend the rules regarding reselling, copyright, crediting etc ....

Next to that the OP is far from a prof and is still learning, I appoligize immortalthug but claiming you are a prof while you are not ... personally I wouldn't even dare to ask money like you do for securing sites

anyway ... lets step back some months ago as it's security related

http://www.makewebgames.com/free-plugins/30508-auto-admin-hack/#post150963

and

http://www.makewebgames.com/free-plugins/30563-simple-line-of-code-to-stop-session-hijacking-and-auto-admin/

No offence but I still believe that you don't understand what I said there ... nor did you accept the advice given.

[Cronus]

Crimgame, he led no one into "a false sense of security". He listed the bugs without fixes. Even said that there could be more, these are just the ones he could think of off of the top of his head. This post was helpful for those looking to secure their own games and get a reference list of what to check for.

Your post however, let immortalthug know he "failed" 3 times. If you thought the list was wrong, you could have simply stated what you thought was wrong, and not bashed him.

Mdshare, I don't know that being banned on ce/mwg has anything to do with this thread? Only IT has been banned here, once, and he knows it was just at the time. As for zero-affect, I never threatened banishment in any way, shape, or form. I simply said if you're going to be spiteful not to post. This forum is for development, not bickering about who is a better coder, we are all supposed to be helping each other become better.

Also, IT did not claim he was a professional anywhere in this post, at all. He didn't offer his services to anyone for money either, so I'm not really sure why you brought it up?

Zero: I've always been strict when it comes to users bashing other users, no matter who it is. I've even done it to my own moderators(Spud). This forum is for developing MCCode/MCCodes games and learning how to develop them better. If you can't stop bashing, please just don't post, thanks.

[CrimGame.com]

Spud bashed me in a topic.. i replied he never that to me says he knows he was wrong and is good.

off the top of my head the obvious ones are cmarket, forum and preferences the fixes are obvious ctype_digit and getimagesize (for display pic) If you have more stuff in preferences that the generic then ill be glad to help just mail me.

If i remember correctly immortal just referred to ID being the only bad super globals in both cmarket and forum so if i secure all ID super globals in forums.php will it be safe?

If he didn't want to have a little criticism why called it "A LIST of All the Exploits I am aware of" he also says it's a list of all the exploits he's aware of which really to me would be just a list of the files no description false or not.

[JoshuaDams]

Did I ever say that's "all the vulenrabilities"

I said the "exploits i'm aware of"

All these "hacks" listed are the ones that I can do "er exploits"

That's all this was, informing users into an intro of the problems with McCodes.

I never said how to fix them and did not offer my services in this topic, i dont think?

Brush the chip off your shoulder, move on.

How is this providing a "false sense of security"

I look at as making people aware.

[CrimGame.com]

I never said how to fix them and did not offer my services in this topic, i dont think?

really...

I've just spent several hours writing out fixes for all these, so perhaps later i'll write them here as well.  Just a heads up.

So... when you describe something you don't mean it's actually what you describe.. ok just checking

I posted a more accurate description im sorry if that offends anyone but you can't dispute my descriptions where anywhere near as bad as the originals. No offence was intended towards anyone i was simply just showing anyone who posted next that they would be lured into a false sense of security if they followed the original descriptions.

Really these do not help im sure if the `user` of mc codes was so bothered they would rather consult a larger base with more description than this but that's just my opinion.

[JoshuaDams]

Right, I posted "fixes" for these on my Forums.

I did not post an entire secure McCodes engine nor did i say, oh by the way, if you fix these your game will be secure!

I made people aware of some of the flaws that comes with the engine.

You had a chip on your shoulder and rather than just acknowledge that these are some of the vulnerabilities with McCodes you try and ridicule them.

Thing is, Everything above ^  is an exploit.

That's all I said, that's all I meant to say.

How you interpret that as soooo much more, were you high?  i hear PCP and Acid make you hallucinate....

[JoshuaDams]

You also said xss injections are on Player Report.

May be true, but my fix would stop that just as it would stop the meta/iframe.

I know how to "do" the iframe / meta hack, that's why I posted it.

However the fix i posted will stop all 3.


While there is a better way to do it than

$_POST['text']=stripslashes(htmlentities($_POST['text']));


you could "not" be lazy and go  $_POST['text']=mysql_real_escape_string($_POST['text']);

then on your player report bit where you "view" the actual report

stripslashes(htmlentities(text stuff));

Either way will work.  One is a bit more "proper" than the other.

If you are saying you can enter xss passes strip and htmlentities i'd love to see it.

[CrimGame.com]

or use preg_match disallow anything but alpha numeric and some select symbols, i use the same method on my handle change function on CG.

IE:

Code: [Select]

preg_match("/^[a-z0-9_]+([\\s]{1}[a-z0-9_]|[a-z0-9_])+$/i", $_POST['variable'])which allows space (1 per time ie: hello lol ), a-z (upper or lower case), 0-9 and underscore.
Hope this helps...