Joshua Posted October 1, 2009:
For those that are aware of this hack, could you please post what needs to be done to secure against it? This is not forum injection or cmarket injection. I don't know how much more specific I can/should get.
Jeff.S Posted October 1, 2009:
That could be done by SQL injection, which doesn't have to be in a specific mod section - it can be any insecure query! Make sure you check all user data (including the $IP variable for Mccodes). So make sure that mysql_real_escape_string() is at least used (if nothing else) and is used correctly. There is no single answer to security.
chaoswar4u Posted October 1, 2009:
I would say this is the $IP variable hack. A simple search of the forum here will show a multitude of fix methods for this.
Joshua (Author) Posted October 1, 2009:
It's not the IP variable hack; I've installed everything from these forums I could think of to protect against it. I did manage to fix it but ...gah. It's basically a hack going through the preferences page. They enter certain codes into the Display Pic and when an Admin views their profile it makes them auto Admin. I understand how it works, just wasn't sure how to stop it :|
mdshare Posted October 1, 2009:
Ahh, session hijacking. Validate the image so it is a real image/sig/avatar. If they upload the image, check if the uploaded file is an image. This is done using the getimagesize() function:

    array getimagesize ( string $filename [, array &$imageinfo] )

This function returns an array with specific information regarding the file. To return specific information such as width, height, mime type, channels, the file that is verified should be a valid image. If the returned value is empty, then the uploaded file is not an image.

To validate an image URL, I found this old stashed-away snippet on a removable drive (yea, I collect snippets as websites tend to vanish from time to time):

    // getimagesize() returns false when the URL does not serve a decodable image,
    // so anything that is not an array means "fall back to the default picture"
    $url = getimagesize("http://www.flickr.com/photos/27505599@N07/2564389539/");
    if (!is_array($url)) {
        $default_image = "…/directoryFolder/junal.jpg";
    }
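A fuller version of the check mdshare describes, as an added example (not code from this thread or from the MCCodes engine): it accepts a display pic only when it is demonstrably an image, whether uploaded or supplied as a URL. The directory, function and constant names are illustrative.

```php
<?php
// Added example (not from this thread or MCCodes): accept a display pic / avatar only when it
// is demonstrably an image, whether uploaded or given as a URL. Names are illustrative.

const ALLOWED_MIME = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];
const ALLOWED_EXT  = ['jpg', 'jpeg', 'png', 'gif'];

// Validate one $_FILES entry; return the server-chosen filename it was stored under, or null.
function store_uploaded_image(array $file, string $dest_dir): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    // getimagesize() returns false unless the bytes actually decode as an image.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || !isset(ALLOWED_MIME[$info['mime']])) {
        return null;
    }
    // Never keep the client-supplied name: pick our own, with the extension chosen from the
    // detected MIME type, so nothing ending in .php can land in a web-served directory.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_MIME[$info['mime']];
    $dest = rtrim($dest_dir, '/') . '/' . $name;
    return move_uploaded_file($file['tmp_name'], $dest) ? $name : null;
}

// Validate a remote image URL typed into the preferences page.
function is_acceptable_image_url(string $url): bool
{
    $p = parse_url($url);
    if ($p === false || empty($p['host']) || !in_array($p['scheme'] ?? '', ['http', 'https'], true)) {
        return false;
    }
    // A picture is a plain file, not a script call: refuse anything with a query string.
    if (isset($p['query']) || isset($p['fragment'])) {
        return false;
    }
    $ext = strtolower(pathinfo($p['path'] ?? '', PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        return false;
    }
    // Last, fetch it and confirm the bytes decode as an image (needs allow_url_fopen; the
    // fetch is made by your server, so keep the scheme/host checks above in front of it).
    $info = @getimagesize($url);
    return $info !== false && isset(ALLOWED_MIME[$info['mime']]);
}
```

Validating the picture is a mitigation, not the root fix: the hack in this thread works because a staff script performs its action on a plain GET, which is exactly the request an image tag issues when an admin views the profile.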
Jeff.S Posted October 2, 2009:
Some useful tips there, mdshare.
Joshua (Author) Posted October 2, 2009:
Very useful indeed. Thank you for your help, that is a dangerous hack :\
CrazyT Posted October 3, 2009:
Simple fix (secure the files :) ). Ideas:
#1 - Move ALL staff files into a folder.
#2 - Give staff keys.
#3 - Profile sig/forum avatar/display pic - make sure it's a picture :)
Strats Posted October 5, 2009:
Thanks for hacking my game you piece of shit
Joshua (Author) Posted October 5, 2009:
I beg your pardon?
chicka Posted October 5, 2009:
He tried the same thing on my game as well but it didn't work...... Thanks to the advice of LazyT/CrazyT....Thanks CT
Joshua (Author) Posted October 5, 2009:
Hrm..
virtualshogun Posted October 5, 2009:
Move your staff panel altogether. I know it's a lot of work but it couldn't hurt. Heck, have a bit of fun with them: make staff.php, then add

    # first line tells you who
    event_add(1, "{$ir['username']} has just attempted to enter your staff panel; think you might want to do something about it?", $c);
    # Fedjail them for 1 million days
    $db->query("UPDATE fedjail SET fed_days=fed_days+1000000 WHERE userid=$userid");
    # kick them to fbi.gov for the annoyance value
    print "<meta http-equiv='Refresh' content='1;url=http://www.fbi.gov'>";

No warning to them it's happening; they enter the page, they are gone. Let them try and tell you they didn't later.
Strats Posted October 5, 2009:
Immortalthug - You joined my game the other day and used the session hack on it. You only sent out donator packs to the members but it's enough to piss me off. If you ever plan on being a coder or a real game owner I suggest you don't abuse bugs in games. If you know of one you should tell the game owner. Earn some respect. If you're not careful the same will happen to you; it's called Karma. 8)
Strats Posted October 5, 2009:
Quoting CrazyT: "Simple fix (secure the files :) ). Ideas: #1 - Move ALL staff files into a folder. #2 - Give staff keys. #3 - Profile sig/forum avatar/display pic - make sure it's a picture :)"
Can you PM me about this staff keys idea please, hun?
virtualshogun Posted October 6, 2009:
Don't know how effective it would be, but you could move the first initial page: instead of going straight to the staff panel, have them go to a verify page that requires a password and username to get into the real staff panel. With a few things in mind: when they are not in the staff panel or on one of its pages, lock it back up, forcing them to log in each time. I know it's more work for the staff, but better protected, I would think. Go to your mainmenu.php and change the link to the verify page. Heck, if you could hide the actual staff panel address under an encoded link name that would be cool, so it cannot just be typed in as yourgame/staff.php or whatever. But also set it up so that if you do manage to get to the staff panel bypassing the verify page, it doesn't let you in without the information (password, whatever) being passed to the staff panel.

    <a href='verifyme.php'>Staff Panel</a>

You could put in passwords for each level, or not. And don't just trust that staff would log out when done; lock it back up, so every, say, 15 minutes (name your own time) they would have to re-verify that they are indeed staff and supposed to be allowed into the staff panel, or get booted. Sort of like the image verification for people: staff verify. Then explain to your staff it would be really stupid to give that password out to people. I'm working on a verify page; I'll have it up shortly as a free thing. Mod it, secure it more, whatever; anything that helps others out.
mdshare Posted October 6, 2009:
Isn't a solution imo; you still leave the game open for session hijacking, and is it not the point to secure the game? Not only the staff part.
AlabamaHit Posted October 6, 2009:
Strats, staff 'keys' would be pretty easy. On the staff page, just add

    if (!isset($_POST['key'])) {
        // no key submitted yet: show the form and stop here so the panel below never renders
        echo 'You have to enter your pass key. Please do so below. ';
        echo '<form action="staff.php" method="post">';
        echo '<input type="text" name="key" /> ';
        echo '<input type="submit" value="Verify" />';
        echo '</form>';
        exit;
    } else {
        // numeric key only; compare it against the key stored for this staff member
        // (a staff_key column, one per staff user) and refuse on mismatch
        $key = abs((int) $_POST['key']);
        if ($key != $ir['staff_key']) {
            echo 'Nope you did not get in.';
            exit;
        }
        // key matched: fall through to the normal staff panel
    }

Something along those lines. But I also agree with MD. The best way is not to make stuff work, but to fix it. You should verify that 'ALL' data in the game, when being passed, is what it is supposed to be.
girardz Posted October 7, 2009:
Quoting Strats: "Immortalthug - You joined my game the other day and used the session hack on it. You only sent out donator packs to the members but it's enough to piss me off. If you ever plan on being a coder or a real game owner I suggest you don't abuse bugs in games. If you know of one you should tell the game owner. Earn some respect. If you're not careful the same will happen to you; it's called Karma. 8)"
In Immortalthug's defence, he did get into my game but didn't do anything malicious; instead he notified one of my head admins who was online at the time, who reported it to me. Took me a few minutes to figure out how, but it's now fixed temporarily, so thanks!
Joshua (Author) Posted October 7, 2009:
I did that to a lot of games but I never did anything malicious. The bug was found on a game I'm currently working on and the user informed me. So I felt it necessary to inform others. Shrugz. Tried to be helpful by checking for the bug and I can't tell you how many people got upset that I "did it" in the first place. Like Chicka: I didn't even do it, I tried. Added the code, then told Chicka to check my profile and she blows up calling me an idiot and it's already been fixed! Good? If I was trying to hack someone's game with malicious intent I wouldn't be emailing the admin telling them "I believe your game has a security leak, check my profile." Seriously. :|
Guest Null Posted January 3, 2010:
Can't this also be done via Meta Hack in the Player Reports?
Joshua (Author) Posted January 4, 2010:
Yep, several places, forums too ;)
iR00T Posted January 4, 2010:
Yes, I've got a simple fix. Change the name of your staff_special and anything linking to it; that is a simple secure. Now, you can also secure it, but still, I just rename it. You can secure it, which eventually I do once I have enough time.
Zero-Affect Posted January 4, 2010:
ImmortalThug, I thought you were a security expert? GanjaFreak420...
Quoting iR00T: "Yes, I've got a simple fix. Change the name of your staff_special and anything linking to it; that is a simple secure. Now, you can also secure it, but still, I just rename it. You can secure it, which eventually I do once I have enough time."
Or a better solution would be to recode the ENTIRE staff panel so that it's more difficult for someone to access. Another solution is to add referrer link protection so that, for example, http://www.website.com/user.php?u=234 couldn't be the referring link to => http://www.website.com/staff_function.php?action=change_status&staff=admin&id=234. Only allow the specific files to be the referring links; therefore great protection. Coding your own engine and dropping MCC altogether would be the best solution to these issues; go with Horizon or ZAP, god, even GPRG would be better than MC.
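The referrer check Zero-Affect suggests, generalized to what actually stops the display-pic trick: a staff action should only run on a POST that carries a per-session token, with the Referer check kept as a cheap extra. This is an added example, not code from this thread or from MCCodes; the function names, the csrf session key and the 'www.website.com' host are illustrative.

```php
<?php
// Added example (not from this thread or the MCCodes engine): gate state-changing staff
// actions behind a POST carrying a per-session token, so a URL an admin merely views
// (an <img src> in a display pic, a link in a report) cannot fire them. Names are illustrative.
session_start();   // MCCodes' globals.php already starts the session; omit this there

// Issue (or reuse) the session's anti-forgery token.
function csrf_token(): string
{
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'];
}

// Hidden field to embed in every staff-panel form that posts to staff_function.php.
function csrf_hidden_field(): string
{
    $v = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="csrf" value="' . $v . '">';
}

// True only for a POST whose token matches and whose Referer, if present, is our own host.
function staff_request_is_valid(array $server, array $post, string $site_host): bool
{
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return false;           // an <img src=...> or a plain link only ever sends a GET
    }
    $sent = $post['csrf'] ?? '';
    if (!is_string($sent) || $sent === '' || !hash_equals(csrf_token(), $sent)) {
        return false;           // missing or wrong token: not submitted from our form
    }
    if (!empty($server['HTTP_REFERER'])) {
        $ref_host = parse_url($server['HTTP_REFERER'], PHP_URL_HOST);
        if (!is_string($ref_host) || strcasecmp($ref_host, $site_host) !== 0) {
            return false;       // off-site referer; the token above is the real guard
        }
    }
    return true;
}

// At the top of staff_function.php, after the usual $ir['user_level'] staff check:
if (!staff_request_is_valid($_SERVER, $_POST, 'www.website.com')) {
    http_response_code(403);
    exit('Staff actions must be submitted from the staff panel form.');
}
```

Browsers and proxies strip the Referer often enough that a missing header should not be treated as proof of anything, which is why the token, not the referrer, carries the decision here.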
Joshua (Author) Posted January 4, 2010:
Zero, did you see when I made this post? lol It's been some time :P