MaKaVeLLi Posted March 31, 2009

I am writing this message to inform all game owners of a huge issue with any website using v1 or v2 code. Note this is not any type of SQL injection or any other similar issue. This breach can easily compromise a game without anyone knowing that it is being used. I am fairly good with coding and I assure you that it has nothing to do with the usual PHP security. I have been to many sites already to notify many of you, or have already helped fix it. I cannot stress enough how serious this issue is for any owner taking their game seriously.

For security purposes, I will not post the exact issue here because there are still thousands of players that have no idea about it. Posting here would only allow them to exploit your games and/or just make the problem worse. Please be advised, I will NOT disclose what is being done but I will gladly test your website by simply signing up for your game. I don't need staff or website access, or any of that crap.

You can message me here but I can be reached much easier if you contact me on the website listed on my profile. I am player id [4] on the site. When contacting me, please refer me to this message I am posting. I hope to save many games from destruction because I know how much pride I take in owning and coding my sites.

MdShare - If you read this, please make this issue a hot topic. I am very serious and hope to help the gaming community with this problem.

Faz` Posted March 31, 2009
Re: Important Security Issue For All McCode Owners !

Damn, this is a real big statement. Now if what you're saying is true, then you are doing the right thing by telling everyone. My only doubt is, at least someone would have picked up on it now, CE has a few very experienced coders and I'm sure they would have picked up on it. I am not too sure about this, what does everyone else think?

MaKaVeLLi (Author) Posted March 31, 2009

> Damn, this is a real big statement. Now if what you're saying is true, then you are doing the right thing by telling everyone. My only doubt is, at least someone would have picked up on it now, CE has a few very experienced coders and I'm sure they would have picked up on it. I am not too sure about this, what does everyone else think?

Maybe they have but let me just say that I have even visited many of the same games you see in the top ten on voting sites and even those were not able to stop it. Take it like a grain of salt if you must, I am not trying to b.s. anyone, just trying to help.

Dazza Posted March 31, 2009

Try it on amazon-survival

Faz` Posted March 31, 2009

The top 10 games in voting sites would be real good games with a lot of players, the owner would probably be a very decent coder. Why is it that only you know about this? And many people have not heard of this?

ShizzleNizzle Posted March 31, 2009

Hi, is this any type of XSS injection? I've seen/fixed a few files that were vulnerable to this and could be used to send cash/mails, all sorts, without anyone knowing.

Miniman Posted March 31, 2009

Well, I've sent a mail to MaKaVeLLi and once he mails back, I will be able to help with the problem once I've sorted it myself. But it sounds pretty serious so I suggest you message MaKaVeLLi if you take pride in your game and actually want to continue running it. Or if you've installed Mccodes for a quick bit of cash, don't bother :wink:

Guest Anonymous Posted March 31, 2009

Well, at least tell people what the actual file that's vulnerable is, if it's only mccodes.

Faz` Posted March 31, 2009

I mean, there is no use just going on about it, just post the fix here.

MaKaVeLLi (Author) Posted March 31, 2009

> Well, I've sent a mail to MaKaVeLLi and once he mails back, I will be able to help with the problem once I've sorted it myself. But it sounds pretty serious so I suggest you message MaKaVeLLi if you take pride in your game and actually want to continue running it. Or if you've installed Mccodes for a quick bit of cash, don't bother :wink:

Listen here, please don't insult me with your quick bit of cash quote. I have been running sites for over 3 years now. Anyways, if you are still using this

```php
$_SERVER['HTTP_X_FORWARDED_FOR']) ? $_SERVER['HTTP_X_FORWARDED_FOR']: $_SERVER['REMOTE_ADDR'];
```

in the suggested files and other files, you are exploitable. I will keep it simple with this below:

Your files to check:
header.php
login.php
register.php

You can safely replace the code above with only

```php
$_SERVER['REMOTE_ADDR'];
```

It will secure the files. You can also escape the variable you are using to define the ip as well.

Miniman Posted March 31, 2009

See, wasn't too hard. Seems someone is getting a bit touchy, my post wasn't directed at you. At least I don't think, I didn't say "(like MaKaVeLLi, hehe)". I was in fact saying it for the people that install mccodes, add a will potion item and sell it. Geez

Guest Anonymous Posted March 31, 2009

Well, I've recoded all those files, so I very much doubt I'd have any problems with it, nor use that snippet of code to fetch the IP.

k91982 Posted March 31, 2009

MaKaVeLLi pls add me to msn to explain in more detail [email protected]

Faz` Posted March 31, 2009

Instead of people giving you trouble and you having about 100 pop-ups with people adding you to msn, why don't you just post the damn fix here. You could have just done that in the initial post.

Sp1d3r Posted March 31, 2009

Soooo....... this is fake? lol

Sp1d3r
www.chaosrelic.com

Faz` Posted March 31, 2009

No, it is not fake. I am just searching around to get a fix. =D

MaKaVeLLi (Author) Posted March 31, 2009

> Soooo....... this is fake? lol
> Sp1d3r
> www.chaosrelic.com

Just signed up and made myself level 10. Is that fake enough for you?

Faz` Posted March 31, 2009

So you sign up on his game and make yourself level 10? Good for you, why don't you just post the bloody fix to this.

MaKaVeLLi (Author) Posted March 31, 2009

Why don't you quit being a .... and go back and read my post. The fix is there.

Lithium Posted March 31, 2009

> No, it is not fake. I am just searching around to get a fix. =D

Searching for a fix when Makaveli already told what to do?

@Makaveli: you only found those out these days? Without wanting to be mean... but those are old news!

Faz` Posted March 31, 2009

Oh yeah, sorry about that, you posted the fix ages ago, I am a bit of a ..... =D Sorry about that and thanks hehe.

Opium Posted March 31, 2009

So I gather, you can open people's ports by using PHP and execute scripts on your side to execute on your game? And cookie/session hi-jacking.

MaKaVeLLi (Author) Posted March 31, 2009

> > No, it is not fake. I am just searching around to get a fix. =D
>
> Searching for a fix when Makaveli already told what to do?
>
> @Makaveli: you only found those out these days? Without wanting to be mean... but those are old news!

Yes my point exactly, they are very old news. However, I was surprised to see how many don't know about it. Again, so old news that nobody ever posted a fix for it. I mean c'mon, some of the noobs trying to get into the gaming community are being raped because of this kinda stuff. I am not trying to be a super hero, just trying to help.

MaKaVeLLi (Author) Posted March 31, 2009

> So I gather, you can open people's ports by using PHP and execute scripts on your side to execute on your game? And cookie/session hi-jacking.

Absolutely not bro. It's nothing like that.

Opium Posted March 31, 2009

Fair enough.. Why not use this:

```php
<?php
// Returns true only for a well-formed IPv4 address outside the reserved ranges.
function validip($IP)
{
    // ip2long() returns false on malformed input (PHP 5+), so test for
    // false rather than -1.
    if (!empty($IP) && ip2long($IP) !== false) {
        $ReservedIps = array(
            array('0.0.0.0', '2.255.255.255'),
            array('10.0.0.0', '10.255.255.255'),
            array('127.0.0.0', '127.255.255.255'),
            array('169.254.0.0', '169.254.255.255'),
            array('172.16.0.0', '172.31.255.255'),
            array('192.0.2.0', '192.0.2.255'),
            array('192.168.0.0', '192.168.255.255'),
            array('255.255.255.0', '255.255.255.255')
        );
        foreach ($ReservedIps as $R) {
            $Min = ip2long($R[0]);
            $Max = ip2long($R[1]);
            if ((ip2long($IP) >= $Min) && (ip2long($IP) <= $Max)) {
                return false;
            }
        }
        return true;
    } else {
        return false;
    }
}

// Returns the first header value that passes validip(), else REMOTE_ADDR.
// Every header read here is sent by the client; only REMOTE_ADDR comes
// from the connection itself.
function getip()
{
    // isset() only guards against an undefined index; the header value
    // itself (not the boolean from isset()) is what validip() must see.
    if (isset($_SERVER['HTTP_CLIENT_IP']) && validip($_SERVER['HTTP_CLIENT_IP'])) {
        return $_SERVER['HTTP_CLIENT_IP'];
    }
    if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
        foreach (explode(",", $_SERVER['HTTP_X_FORWARDED_FOR']) as $IP) {
            if (validip(trim($IP))) {
                return trim($IP);
            }
        }
    }
    if (isset($_SERVER['HTTP_X_FORWARDED']) && validip($_SERVER['HTTP_X_FORWARDED'])) {
        return $_SERVER['HTTP_X_FORWARDED'];
    } else if (isset($_SERVER['HTTP_FORWARDED_FOR']) && validip($_SERVER['HTTP_FORWARDED_FOR'])) {
        return $_SERVER['HTTP_FORWARDED_FOR'];
    } else if (isset($_SERVER['HTTP_FORWARDED']) && validip($_SERVER['HTTP_FORWARDED'])) {
        return $_SERVER['HTTP_FORWARDED'];
    } else {
        return $_SERVER['REMOTE_ADDR'];
    }
}
```
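
Added example (not code from this thread or from McCodes), relating to both the `REMOTE_ADDR` fix posted earlier and the header-walking `getip()` above: it reads `X-Forwarded-For` only when the connection comes from a reverse proxy you operate, and validates every candidate as an IP address. The names `TRUSTED_PROXIES` and `client_ip()` and all sample addresses are assumptions made for illustration.

```php
<?php
// Hypothetical deployment setting: addresses of reverse proxies you run.
// Leave the list empty when the game is served directly to players.
const TRUSTED_PROXIES = ['10.0.0.5'];

/**
 * Resolve the client IP from a $_SERVER-style array.
 * Forwarding headers are read only when the TCP peer is a trusted proxy,
 * and every candidate must parse as an IP address before it is returned.
 */
function client_ip(array $server, array $trusted = TRUSTED_PROXIES): string
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (filter_var($peer, FILTER_VALIDATE_IP) === false) {
        return '0.0.0.0'; // no usable peer address (for example, CLI)
    }
    $xff = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    if ($xff === '' || !in_array($peer, $trusted, true)) {
        return $peer; // header ignored: any client can set it
    }
    // Walk the list right to left: the right-most entries were appended
    // by our own proxies, anything further left is client-supplied.
    foreach (array_reverse(explode(',', $xff)) as $hop) {
        $hop = trim($hop);
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            return $peer; // malformed entry: fall back to the peer
        }
        if (!in_array($hop, $trusted, true)) {
            return $hop; // first address that is not one of our proxies
        }
    }
    return $peer;
}

// Constructed sample requests (documentation addresses, not real traffic).
$samples = [
    'direct, header set'   => ['REMOTE_ADDR' => '203.0.113.9', 'HTTP_X_FORWARDED_FOR' => 'not-an-ip'],
    'via proxy'            => ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => '198.51.100.7'],
    'via proxy, padded'    => ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => '192.0.2.44, 198.51.100.7'],
    'via proxy, malformed' => ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => 'junk'],
];
foreach ($samples as $label => $server) {
    printf("%-22s => %s\n", $label, client_ip($server));
}
```

With `TRUSTED_PROXIES` empty, `client_ip()` reduces to the `REMOTE_ADDR`-only replacement given earlier in the thread.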