MakeWebGames

Important Security Issue For All McCode Owners !


MaKaVeLLi


I am writing this message to inform all game owners of a huge issue with any website using v1 or v2 code. Note this is not any type of SQL injection or any other similar issue. This breach can easily compromise a game without anyone knowing that it is being used. I am fairly good with coding and I assure you that it has nothing to do with the usual PHP security. I have been to many sites already to notify many of you, or have already helped fix it. I cannot stress enough how serious this issue is for any owner taking their game seriously.

For security purposes, I will not post the exact issue here because there are still thousands of players that have no idea about it. Posting here would only allow them to exploit your games and/or just make the problem worse. Please be advised, I will NOT disclose what is being done but I will gladly test your website by simply signing up for your game. I don't need staff or website access, or any of that crap. You can message me here but I can be reached much easier if you contact me on the website listed on my profile. I am player id [4] on the site. When contacting me, please refer me to this message I am posting. I hope to save many games from destruction because I know how much pride I take in owning and coding my sites.

MdShare - If you read this, please make this issue a hot topic. I am very serious and hope to help the gaming community with this problem.


Re: Important Security Issue For All McCode Owners !

Damn, this is a real big statement. Now if what you're saying is true, then you are doing the right thing by telling everyone. My only doubt is, at least someone would have picked up on it now, CE has a few very experienced coders and I'm sure they would have picked up on it. I am not too sure about this, what does everyone else think?


Re: Important Security Issue For All McCode Owners !

 

> Damn, this is a real big statement. Now if what you're saying is true, then you are doing the right thing by telling everyone. My only doubt is, at least someone would have picked up on it now, CE has a few very experienced coders and I'm sure they would have picked up on it. I am not too sure about this, what does everyone else think?

Maybe they have but let me just say that I have even visited many of the same games you see in the top ten on voting sites and even those were not able to stop it. Take it like a grain of salt if you must, I am not trying to b.s. anyone, just trying to help.


Re: Important Security Issue For All McCode Owners !

The top 10 games in voting sites would be real good games with a lot of players, the owner would probably be a very decent coder. Why is it that only you know about this? And many people have not heard of this?


Re: Important Security Issue For All McCode Owners !

Well, I've sent a mail to MaKaVeLLi and once he mails back, I will be able to help with the problem once I've sorted it myself.

But it sounds pretty serious so I suggest you message MaKaVeLLi if you take pride in your game and actually want to continue running it. Or if you've installed Mccodes for a quick bit of cash, don't bother :wink:


Guest Anonymous

Re: Important Security Issue For All McCode Owners !

Well, at least tell people what the actual file that's vulnerable is, if it's only mccodes.


Re: Important Security Issue For All McCode Owners !

 

> Well, I've sent a mail to MaKaVeLLi and once he mails back, I will be able to help with the problem once I've sorted it myself.
>
> But it sounds pretty serious so I suggest you message MaKaVeLLi if you take pride in your game and actually want to continue running it. Or if you've installed Mccodes for a quick bit of cash, don't bother :wink:

Listen here, please don't insult me with your quick bit of cash quote. I have been running sites for over 3 years now. Anyways, if you are still using this $_SERVER['HTTP_X_FORWARDED_FOR']) ? $_SERVER['HTTP_X_FORWARDED_FOR']: $_SERVER['REMOTE_ADDR']; in the suggested files and other files, you are exploitable. I will keep it simple with this below:

Your files to check:

header.php

login.php

register.php

You can safely replace the code above with only $_SERVER['REMOTE_ADDR']; It will secure the files. You can also escape the variable you are using to define the ip as well.


Re: Important Security Issue For All McCode Owners !

See, wasn't too hard.

Seems someone is getting a bit touchy, my post wasn't directed at you.

At least I don't think, I didn't say "(like MaKaVeLLi, hehe)"

I was in fact saying it for the people that install mccodes, add a will potion item and sell it.

Geez


Guest Anonymous

Re: Important Security Issue For All McCode Owners !

Well, I've recoded all those files, so I very much doubt I'd have any problems with it, nor use that snippet of code to fetch the IP.


Re: Important Security Issue For All McCode Owners !

Instead of people giving you trouble and you having about 100 pop-ups with people adding you to MSN, why don't you just post the damn fix here. You could have just done that in the initial post.


Re: Important Security Issue For All McCode Owners !

 

> No, it is not fake. I am just searching around to get a fix. =D

Searching for a fix when Makaveli already told what to do?

@Makaveli: you only found those out these days? without wanting to be mean... but those are old news!


Re: Important Security Issue For All McCode Owners !

 

> No, it is not fake. I am just searching around to get a fix. =D
>
> Searching for a fix when Makaveli already told what to do?
>
> @Makaveli: you only found those out these days? without wanting to be mean... but those are old news!

Yes, my point exactly, they are very old news. However, I was surprised to see how many don't know about it. Again, so old news that nobody ever posted a fix for it. I mean c'mon, some of the noobs trying to get into the gaming community are being raped because of this kinda stuff. I am not trying to be a super hero, just trying to help.


Re: Important Security Issue For All McCode Owners !

Fair enough..

 

Why not use this:

// Returns true only for a well-formed IPv4 address that falls outside
// the ranges listed in $ReservedIps.
function validip($IP)
{
  // ip2long() returns false (not -1) for a malformed address on PHP 5 and later
  if (!empty($IP) && ip2long($IP) !== false)
  {
     $ReservedIps = array (
        array('0.0.0.0','2.255.255.255'),
        array('10.0.0.0','10.255.255.255'),
        array('127.0.0.0','127.255.255.255'),
        array('169.254.0.0','169.254.255.255'),
        array('172.16.0.0','172.31.255.255'),
        array('192.0.2.0','192.0.2.255'),
        array('192.168.0.0','192.168.255.255'),
        array('255.255.255.0','255.255.255.255')
       );

     foreach ($ReservedIps as $R)
     {
        $Min = ip2long($R[0]);
        $Max = ip2long($R[1]);
        if ((ip2long($IP) >= $Min) && (ip2long($IP) <= $Max)) return false;
     }
     return true;
  }
  else
  {
       return false;
   }
}

// Returns the first candidate address that passes validip().
// Every header read here comes from the HTTP request; REMOTE_ADDR is the fallback.
function getip()
{
  // isset() only guards the lookup; the header value itself is what gets validated
  if (isset($_SERVER['HTTP_CLIENT_IP']) && validip($_SERVER['HTTP_CLIENT_IP']))
  {
     return $_SERVER['HTTP_CLIENT_IP'];
   }
  if (isset($_SERVER['HTTP_X_FORWARDED_FOR']))
  {
     // X-Forwarded-For can carry a comma-separated list of addresses
     foreach (explode(",", $_SERVER['HTTP_X_FORWARDED_FOR']) as $IP)
     {
        $IP = trim($IP);
        if (validip($IP))
        {
              return $IP;
          }
      }
   }
  if (isset($_SERVER['HTTP_X_FORWARDED']) && validip($_SERVER['HTTP_X_FORWARDED']))
  {
     return $_SERVER['HTTP_X_FORWARDED'];
   }
  else if (isset($_SERVER['HTTP_FORWARDED_FOR']) && validip($_SERVER['HTTP_FORWARDED_FOR']))
  {
     return $_SERVER['HTTP_FORWARDED_FOR'];
   }
  else if (isset($_SERVER['HTTP_FORWARDED']) && validip($_SERVER['HTTP_FORWARDED']))
  {
     return $_SERVER['HTTP_FORWARDED'];
   }
  else
  {
     return $_SERVER['REMOTE_ADDR'];
  }
}
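The fix discussed in the posts above (use REMOTE_ADDR, and validate anything taken from X-Forwarded-For) combined into one function, as an added example that is not code from the thread or from MCCodes. The function name client_ip, the TRUSTED_PROXIES list and every address below are assumptions constructed for illustration; the header is honoured only when the connection itself comes from a proxy you operate.

```php
<?php
// Assumed setting: addresses of reverse proxies you run yourself (constructed value).
const TRUSTED_PROXIES = ['203.0.113.10'];

// Hypothetical helper: picks the address to log or compare against bans.
function client_ip(array $server, array $trustedProxies = TRUSTED_PROXIES): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (filter_var($remote, FILTER_VALIDATE_IP) === false) {
        return '0.0.0.0'; // no usable socket address (e.g. CLI run)
    }
    // Direct connection: forwarding headers are request data, so ignore them.
    if (!in_array($remote, $trustedProxies, true)
        || empty($server['HTTP_X_FORWARDED_FOR'])) {
        return $remote;
    }
    // Behind our proxy: read the list right to left. The rightmost entry was
    // appended by our proxy; anything further left was sent by the client.
    $hops = array_reverse(array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'])));
    foreach ($hops as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            return $remote; // malformed entry: fall back to the socket address
        }
        if (!in_array($hop, $trustedProxies, true)) {
            return $hop;    // first hop that is not one of our own proxies
        }
    }
    return $remote;
}

// Constructed sample requests (documentation-range addresses).
$samples = [
    'direct, header claims 127.0.0.1' => [
        'REMOTE_ADDR' => '198.51.100.7',
        'HTTP_X_FORWARDED_FOR' => '127.0.0.1',
    ],
    'direct, header is not an address' => [
        'REMOTE_ADDR' => '198.51.100.7',
        'HTTP_X_FORWARDED_FOR' => 'garbage text',
    ],
    'via trusted proxy, forged first hop' => [
        'REMOTE_ADDR' => '203.0.113.10',
        'HTTP_X_FORWARDED_FOR' => '127.0.0.1, 198.51.100.7',
    ],
];
foreach ($samples as $label => $server) {
    printf("%-38s => %s\n", $label, client_ip($server));
}
```

The returned string is always either REMOTE_ADDR or a value that passed FILTER_VALIDATE_IP, so header text never reaches a log line or query unvalidated.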
