MaKaVeLLi (Author), posted March 31, 2009:
Re: Important Security Issue For All McCode Owners !

Using anything with the "forwarded for" thus far has allowed the game to be compromised when I have tested. I am not saying that code will not work, and sorry if I started a stir but I have just tried 3 out of 3 games from owners that messaged me, and all 3 were compromised easily.

Lithium, posted March 31, 2009:

> Fair enough.. Why not use this:
>
>     function validip($IP)
>     {
>         // Accept only a parseable address that is outside every reserved range below.
>         if (!empty($IP) && ip2long($IP) != -1) {
>             $ReservedIps = array(
>                 array('0.0.0.0', '2.255.255.255'),
>                 array('10.0.0.0', '10.255.255.255'),
>                 array('127.0.0.0', '127.255.255.255'),
>                 array('169.254.0.0', '169.254.255.255'),
>                 array('172.16.0.0', '172.31.255.255'),
>                 array('192.0.2.0', '192.0.2.255'),
>                 array('192.168.0.0', '192.168.255.255'),
>                 array('255.255.255.0', '255.255.255.255')
>             );
>             foreach ($ReservedIps as $R) {
>                 $Min = ip2long($R[0]);
>                 $Max = ip2long($R[1]);
>                 if ((ip2long($IP) >= $Min) && (ip2long($IP) <= $Max)) return false;
>             }
>             return true;
>         } else {
>             return false;
>         }
>     }
>
>     function getip()
>     {
>         // isset() returns a boolean, so each validip() call below receives
>         // true/false rather than the header's value.
>         if (validip(isset($_SERVER['HTTP_CLIENT_IP']))) {
>             return $_SERVER['HTTP_CLIENT_IP'];
>         }
>         foreach (explode(",", isset($_SERVER['HTTP_X_FORWARDED_FOR'])) as $IP) {
>             if (validip(trim($IP))) {
>                 return $IP;
>             }
>         }
>         if (validip(isset($_SERVER['HTTP_X_FORWARDED']))) {
>             return $_SERVER['HTTP_X_FORWARDED'];
>         } else if (validip(isset($_SERVER['HTTP_FORWARDED_FOR']))) {
>             return $_SERVER['HTTP_FORWARDED_FOR'];
>         } else if (validip(isset($_SERVER['HTTP_FORWARDED']))) {
>             return $_SERVER['HTTP_FORWARDED'];
>         } else if (validip(isset($_SERVER['HTTP_X_FORWARDED']))) {
>             return $_SERVER['HTTP_X_FORWARDED'];
>         } else {
>             // Fallback: the address of the TCP connection itself.
>             return $_SERVER['REMOTE_ADDR'];
>         }
>     }

Hmmm someone who actually reads posts :)

@Makaveli: as for the surprise you have... I wouldn't be that surprised when 95% of the game owners/coders are kids that just learned a new language and they think they know it all just because they were able to install a game and make a few changes to it!

Opium, posted March 31, 2009:

> Hmmm someone who actually reads posts :)

What do you mean? I never said I created it, nor did MD but I do indeed use it and it seems like a better option than what MC Codes have.

Lithium, posted March 31, 2009:

> What do you mean? I never said I created it, nor did MD but I do indeed use it and it seems like a better option than what MC Codes have.

And did I say you created? Or mdshare? I'll place it again to see if you can read better this time:

someone who actually READS posts

MaKaVeLLi (Author), posted March 31, 2009:

True, many could be kids. Either way, I just figured it should be addressed. Let them do their thing be it experienced, novice, beginner, whatever in PHP. I hate to see so many #$%%$holes running around doing this crap. It just ain't cool.

Opium, posted March 31, 2009:

Ahh sorry my bad, long day, got wrong end of stick :lol: Sorry.

Lithium, posted March 31, 2009:

Makaveli: I'm no expert and quite far from that, but it does amuse me and I mean a LOT, seeing those situations. I have fallen and I believe any programmer has too, a few times on exploitable code by ourselves, it happens. The way you deal with it... it is what matters, I don't care if someone found an exploit on my game, I care yes, is to learn how it was done and what I need to do to avoid it. People should learn with their own mistakes!

MaKaVeLLi (Author), posted March 31, 2009:

Yeah true, I have fallen victim too. I guess that is still why I feel bad. With this type of thing though, I feel that something like this is much different than your abs(int), cleaning your HTML input etc. This remains in many owners' game files who have been around awhile and they had no clue that such a thing was open to ruin a game. You would be very surprised at some of the new games out with thousands, I mean thousands of players that this worked on. If one of the owners is reading this, they know who they are; I helped them quickly and quietly.

Dazza, posted March 31, 2009:

Mak: Given you a +1 because I was unaware of this, thanks for sharing. I originally thought your motive was more sinister so good on you for this info :-)

seanybob, posted March 31, 2009:

/slap dabomstew

MaKaVeLLi (Author), posted March 31, 2009:

Thank you so much for the plus 1, I am glad it helped ya out. :-)

Sp1d3r, posted March 31, 2009:

> Thank you so much for the plus 1, I am glad it helped ya out.

Yes it did, thanks for the slap in the face.... I didn't mean anything bad just didn't understand why this has now just been brought up with all the smarties we have on this site.. Thanks again.

Sp1d3r
www.chaosrelic.com

MaKaVeLLi (Author), posted March 31, 2009:

> > Thank you so much for the plus 1, I am glad it helped ya out.
>
> Yes it did, thanks for the slap in the face.... I didn't mean anything bad just didn't understand why this has now just been brought up with all the smarties we have on this site.. Thanks again.
>
> Sp1d3r
> www.chaosrelic.com

You wanna know why it hasn't been brought up? Not directing this towards ALL, but if the shoe fits wear it.... It hasn't been brought up because from little kids to grown adults trying to make a legit and fun game, some on these sites don't want or like to see anyone getting a piece of the TEXT GAME PIE! It's money out of their pockets. They feel threatened and don't be surprised if half of them know what it is that I am doing to prove this exploit and have been using themselves. Many have good hearts, but even more are greedy as hell. I will be hated by those that knew about this for bringing this to light. Oh well, let them hate me, I don't need anymore friends, I have enough. :wink:

wolfe, posted March 31, 2009:

Interesting.

Lithium, posted March 31, 2009:

> Oh well, let them hate me, I don't need anymore friends, I have enough. :wink:

and changing a bit of a quote from a classic movie... "Who needs friends when you got enemies?"

(Original quote: "who needs reasons when you got heroin?" - Trainspotting)

Cronus, posted March 31, 2009:

I believe this is the bug we talked about over the phone, correct?

MaKaVeLLi (Author), posted April 1, 2009:

Yes bro.

k91982, posted April 1, 2009:

MaKaVeLLi, can you add me to msn [email protected]

MaKaVeLLi (Author), posted April 1, 2009:

> Fair enough.. Why not use this:
>
> [validip() and getip() code, quoted in full in Lithium's March 31 post above]

I tested the exploit with what you have added above. It didn't work so I would assume it would be safe for many to use. Just figured I would add my comment. :-)

Opium, posted April 1, 2009:

Ahh, thank you for saying.

SteveDave, posted April 2, 2009:

> > Fair enough.. Why not use this:
> >
> > [validip() and getip() code, quoted in full in Lithium's March 31 post above]
>
> I tested the exploit with what you have added above. It didn't work so I would assume it would be safe for many to use. Just figured I would add my comment. :-)

So that is the fix for this problem? And if so, where should it be added, globals maybe?

AlabamaHit, posted April 2, 2009:

Those are functions... It will take more than just having them on a file to work. You have to call them up.

MaKaVeLLi (Author), posted April 2, 2009:

Yes you can add the functions into a global file and call them up as was stated above.

AlabamaHit, posted April 2, 2009:

Simplest fix to this people is: open and look at all files... ones I can think of off hand are.. authenticate.php, header.php, global_func.php, login.php, register.php

Just find this code:

    $IP = ($_SERVER['HTTP_X_FORWARDED_FOR']) ? $_SERVER['HTTP_X_FORWARDED_FOR'] : $_SERVER['REMOTE_ADDR'];

Change it to:

    $IP = $_SERVER['REMOTE_ADDR'];

MaKaVeLLi (Author), posted April 2, 2009:

Um, I believe that is what I posted 4 pages back, lol. Just kidding wanted to give ya a little crap. Maybe ya missed it. :-D

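An added example (not from the thread's posters or from McCodes) of the rule the thread arrives at: take the address from REMOTE_ADDR, and read X-Forwarded-For only when the connection itself comes from a reverse proxy you run. The names client_ip and TRUSTED_PROXIES and every address below are constructed for illustration.

```php
<?php
// Added example, not McCodes code. TRUSTED_PROXIES is a hypothetical setting:
// list only reverse proxies you operate, or leave it empty if you have none.
const TRUSTED_PROXIES = ['203.0.113.10']; // constructed documentation address

function client_ip(array $server, array $trustedProxies): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';

    // Direct connection: forwarding headers are text chosen by the sender,
    // so they are ignored and the socket address is used.
    if (!in_array($remote, $trustedProxies, true)) {
        return $remote;
    }

    // Connection from our own proxy: each proxy appends the address it saw,
    // so read the list right to left and stop at the first hop that is not
    // one of ours. Anything further left was supplied by that hop.
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? ''));
    foreach (array_reverse($hops) as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            break; // malformed entry: fall back to the socket address
        }
        if (!in_array($hop, $trustedProxies, true)) {
            return $hop;
        }
    }
    return $remote;
}

// Constructed requests using documentation-range addresses.
$requests = [
    'direct, header set by sender' => [
        'REMOTE_ADDR' => '198.51.100.7',
        'HTTP_X_FORWARDED_FOR' => '192.0.2.55',
    ],
    'via trusted proxy, extra entry prepended by sender' => [
        'REMOTE_ADDR' => '203.0.113.10',
        'HTTP_X_FORWARDED_FOR' => '192.0.2.55, 198.51.100.7',
    ],
];
foreach ($requests as $label => $server) {
    printf("%-52s => %s\n", $label, client_ip($server, TRUSTED_PROXIES));
}
```
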