MaKaVeLLi (Author), posted March 31, 2009
Re: Important Security Issue For All McCode Owners !

Using anything with the "forwarded for" thus far has allowed the game to be compromised when I have tested. I am not saying that code will not work, and sorry if I started a stir but I have just tried 3 out of 3 games from owners that messaged me, and all 3 were compromised easily.

Lithium, posted March 31, 2009

> Fair enough.. Why not use this:
>
> ```php
> function validip($IP)
> {
>     if (!empty($IP) && ip2long($IP) != -1) {
>         // Reserved / private ranges: an address inside any of them is rejected
>         $ReservedIps = array(
>             array('0.0.0.0', '2.255.255.255'),
>             array('10.0.0.0', '10.255.255.255'),
>             array('127.0.0.0', '127.255.255.255'),
>             array('169.254.0.0', '169.254.255.255'),
>             array('172.16.0.0', '172.31.255.255'),
>             array('192.0.2.0', '192.0.2.255'),
>             array('192.168.0.0', '192.168.255.255'),
>             array('255.255.255.0', '255.255.255.255')
>         );
>         foreach ($ReservedIps as $R) {
>             $Min = ip2long($R[0]);
>             $Max = ip2long($R[1]);
>             if ((ip2long($IP) >= $Min) && (ip2long($IP) <= $Max)) return false;
>         }
>         return true;
>     } else {
>         return false;
>     }
> }
>
> function getip()
> {
>     // isset() returns true/false, so validip() receives a boolean here, not
>     // the header value; these branches fall through to REMOTE_ADDR below.
>     if (validip(isset($_SERVER['HTTP_CLIENT_IP']))) {
>         return $_SERVER['HTTP_CLIENT_IP'];
>     }
>     foreach (explode(",", isset($_SERVER['HTTP_X_FORWARDED_FOR'])) as $IP) {
>         if (validip(trim($IP))) {
>             return $IP;
>         }
>     }
>     if (validip(isset($_SERVER['HTTP_X_FORWARDED']))) {
>         return $_SERVER['HTTP_X_FORWARDED'];
>     } else if (validip(isset($_SERVER['HTTP_FORWARDED_FOR']))) {
>         return $_SERVER['HTTP_FORWARDED_FOR'];
>     } else if (validip(isset($_SERVER['HTTP_FORWARDED']))) {
>         return $_SERVER['HTTP_FORWARDED'];
>     } else if (validip(isset($_SERVER['HTTP_X_FORWARDED']))) {
>         return $_SERVER['HTTP_X_FORWARDED'];
>     } else {
>         // The address of the TCP peer, set by the web server
>         return $_SERVER['REMOTE_ADDR'];
>     }
> }
> ```

Hmmm someone who actually reads posts :)

@Makaveli: as for the surprise you have... I wouldn't be that surprised when 95% of the game owners/coders are kids that just learned a new language and they think they know it all just because they were able to install a game and make a few changes to it!

Opium, posted March 31, 2009

> Hmmm someone who actually reads posts :)

What do you mean? I never said I created it, nor did MD but I do indeed use it and it seems like a better option than what MC Codes have.

Lithium, posted March 31, 2009

> What do you mean? I never said I created it, nor did MD but I do indeed use it and it seems like a better option than what MC Codes have.

And did I say you created? Or mdshare? I'll place it again to see if you can read better this time:

someone who actually READS posts

MaKaVeLLi (Author), posted March 31, 2009

True many could be kids. Either way, I just figured it should be addressed. Let them do their thing be it experienced, novice, beginner, whatever in php. I hate to see so many #$%%$holes running around doing this crap. It just ain't cool.

Opium, posted March 31, 2009

Ahh sorry my bad, long day, got wrong end of stick :lol: Sorry.

Lithium, posted March 31, 2009

Makaveli: I'm no expert and quite far from that, but it does amuse me, and I mean a LOT, seeing those situations. I have fallen, and I believe any programmer has too, a few times on exploitable code by ourselves, it happens. The way you deal with it... that is what matters. I don't care if someone found an exploit on my game; what I care about is to learn how it was done and what I need to do to avoid it. People should learn from their own mistakes!

MaKaVeLLi (Author), posted March 31, 2009

Yeah true, I have fallen victim too. I guess that is still why I feel bad. With this type of thing though, I feel that something like this is much different than your abs(int), cleaning your html input etc. This remains in many owners' game files who have been around awhile and they had no clue that such a thing was open to ruin a game. You would be very surprised at some of the new games out with thousands, I mean thousands of players that this worked on. If one of the owners is reading this, they know who they are, I helped them quickly and quietly.

Dazza, posted March 31, 2009

Mak: Given you a +1 because I was unaware of this, thanks for sharing. I originally thought your motive was more sinister so good on you for this info :-)

seanybob, posted March 31, 2009

/slap dabomstew

MaKaVeLLi (Author), posted March 31, 2009

Thank you so much for the plus 1, I am glad it helped ya out. :-)

Sp1d3r, posted March 31, 2009

> Thank you so much for the plus 1, I am glad it helped ya out.

Yes it did, thanks for the slap in the face.... I didn't mean anything bad just didn't understand why this has now just been brought up with all the smarties we have on this site.. Thanks again.

Sp1d3r
www.chaosrelic.com

MaKaVeLLi (Author), posted March 31, 2009

> > Thank you so much for the plus 1, I am glad it helped ya out.
>
> Yes it did, thanks for the slap in the face.... I didn't mean anything bad just didn't understand why this has now just been brought up with all the smarties we have on this site.. Thanks again.
>
> Sp1d3r
> www.chaosrelic.com

You wanna know why it hasn't been brought up? Not directing this towards ALL, but if the shoe fits wear it.... It hasn't been brought up because from little kids to grown adults trying to make a legit and fun game, some on these sites don't want or like to see anyone getting a piece of the TEXT GAME PIE! It's money out of their pockets. They feel threatened and don't be surprised if half of them know what it is that I am doing to prove this exploit and have been using themselves. Many have good hearts, but even more are greedy as hell. I will be hated by those that knew about this for bringing this to light. Oh well, let them hate me, I don't need anymore friends, I have enough. :wink:

wolfe, posted March 31, 2009

Interesting.

Lithium, posted March 31, 2009

> Oh well, let them hate me, I don't need anymore friends, I have enough. :wink:

and changing a bit of a quote from a classic movie... "Who needs friends when you got enemies?" (Original quote: "who needs reasons when you got heroin?" - Trainspotting)

Cronus, posted March 31, 2009

I believe this is the bug we talked about over the phone, correct?

MaKaVeLLi (Author), posted April 1, 2009

Yes bro.

k91982, posted April 1, 2009

MaKaVeLLi, can you add me to msn [email protected]

MaKaVeLLi (Author), posted April 1, 2009

> Fair enough.. Why not use this:
>
> [validip() / getip() code, as quoted earlier in the thread]

I tested the exploit with what you have added above. It didn't work so I would assume it would be safe for many to use. Just figured I would add my comment. :-)

Opium, posted April 1, 2009

Ahh, thank you for saying.

SteveDave, posted April 2, 2009

> > Fair enough.. Why not use this:
> >
> > [validip() / getip() code, as quoted earlier in the thread]
>
> I tested the exploit with what you have added above. It didn't work so I would assume it would be safe for many to use. Just figured I would add my comment. :-)

So that is the fix for this problem? And if so, where should it be added, globals maybe?

AlabamaHit, posted April 2, 2009

Those are functions... It will take more than just having them on a file to work. You have to call them up.

MaKaVeLLi (Author), posted April 2, 2009

Yes you can add the functions into a global file and call them up as was stated above.

AlabamaHit, posted April 2, 2009

Simplest fix to this, people, is: open and look at all files... ones I can think of off hand are.. authenicate.php, header.php, global_func.php, login.php, register.php

Just find this code.

```php
$IP = ($_SERVER['HTTP_X_FORWARDED_FOR']) ? $_SERVER['HTTP_X_FORWARDED_FOR'] : $_SERVER['REMOTE_ADDR'];
```

Change it to

```php
$IP = $_SERVER['REMOTE_ADDR'];
```

MaKaVeLLi (Author), posted April 2, 2009

Um, I believe that is what I posted 4 pages back, lol. Just kidding wanted to give ya a little crap. Maybe ya missed it. :-D

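Added example, not part of the thread and not McCodes code: the one-line fix above (use `$_SERVER['REMOTE_ADDR']` only) is right for a game served directly, while a game behind a reverse proxy its owner runs can read the forwarded header only when the connection comes from that proxy. `client_ip()` and `TRUSTED_PROXIES` are hypothetical names and all addresses are constructed samples.

```php
<?php
// Added example. TRUSTED_PROXIES is a hypothetical list: the addresses of
// reverse proxies you operate yourself (leave it empty if there are none).
const TRUSTED_PROXIES = ['203.0.113.10'];   // constructed sample value

/**
 * Return the address to log or ban on. $server is normally $_SERVER.
 * X-Forwarded-For is read only when the TCP peer (REMOTE_ADDR) is one of our
 * own proxies; any other client can put whatever it likes in that header.
 */
function client_ip(array $server, array $trusted = TRUSTED_PROXIES): string
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (filter_var($peer, FILTER_VALIDATE_IP) === false) {
        return '0.0.0.0';   // no usable peer address (for example a CLI run)
    }
    if (!in_array($peer, $trusted, true) || empty($server['HTTP_X_FORWARDED_FOR'])) {
        return $peer;
    }
    // Walk the chain right to left: the rightmost entries were appended by
    // our proxies, everything to the left of them is client-supplied.
    $hops = array_reverse(array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'])));
    foreach ($hops as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            return $peer;   // malformed entry: fall back to the peer
        }
        if (!in_array($hop, $trusted, true)) {
            return $hop;    // first address that is not one of our proxies
        }
    }
    return $peer;
}

// Constructed sample requests.
// 1) Direct connection that sends its own X-Forwarded-For: header is ignored.
$direct = ['REMOTE_ADDR' => '198.51.100.7', 'HTTP_X_FORWARDED_FOR' => '192.0.2.99'];
// 2) Request via our proxy; the client prepended a forged entry on the left.
$proxied = ['REMOTE_ADDR' => '203.0.113.10', 'HTTP_X_FORWARDED_FOR' => '192.0.2.99, 198.51.100.7'];

var_dump(client_ip($direct) === '198.51.100.7');
var_dump(client_ip($proxied) === '198.51.100.7');
```
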