Auto-Admin Hack.

[Joshua]

For those that are aware of this hack, Could you please post what needs to be done to secure for it?

This is not forum injection or cmarket injection.

I don't know how much more specific i can/should get.

[Jeff.S]

That could be done by SQL injecting which doesn't have to be a specific mod section - i can be any un-secure query! Make sure you check all user data (including the $IP variable for Mccodes). So make sure that mysql_real_escape_string() is atleast used (if nothing else) and is used correctly.

 

There is no single answer to security.

[chaoswar4u]

I would say this is the $IP variable hack. Simple search of the forum here will show a multitude of fix methods for this.

[Joshua]

It's not the IP variable hack, i've installed everything on these Forums I could think of to protect. I did manage to fix it but ...gah

It's basically a hack going through the preferances page. They enter certain codes into the Display Pic and when an Admin Views their Profile it makes them auto Admin.

I understand how it works, just wasnt sure how to stop it :|

[mdshare]

ahh session hijacking

validate the image so it is a real image/sig/avatar

If they upload the image

Check if the uploaded file is an image. This is done using the getimagesize() function:

 

array getimagesize ( string $filename [, array &$imageinfo] )

 

This function returns an array with specific information regarding the file. To return specific information such as width, height, mime type, channels, the file that is verified should be a valid image. If the return $ is empty, then the uploaded file is not an image.

validate a image URL, I found this old stashed away snippet on a removable drive (yea I collect snippets as websites tend to vanish from time to time)

 

$url=getimagesize(”[url]http://www.flickr.com/photos/27505599@N07/2564389539/”[/url]);

if(!is_array($url))

{

$default_image =”…/directoryFolder/junal.jpg”;

}

[Jeff.S]

Some useful tips there mdshare

[Joshua]

Very useful indeed, Thank you for your help, that is a dangerous hack :\

[CrazyT]

Simple fix (Secure the files :) )

Ideas

#1 - Move ALL staff files into a folder.

#2 - Give staff keys

#3 - Profile sig/forum avatar/display pic - Make sure its a picture :)

[Strats]

Thanks for hacking my game you piece of shit

[Joshua]

I beg your pardon?

[chicka]

He tried the same thing on my game as well but didn't work...... Thanks to the advice of LazyT/CrazyT....Thanks CT

[Joshua]

Hrm..

[virtualshogun]

move your staff pannel all togather i know its alot of work but couldnt hurt heck have a bit of fun with them,

make staff.php

then add

#first line tells you who

event_add(1,"{$ir['username']} Has just attempted to enter your staff pannel think you might want to do something about it ?",$c);

#Fedjail them for 1 million days

$db->query("UPDATE fedjail SET fed_days=fed_days+1000000 WHERE userid=$userid",$c);

#kick them to fbi.gov for the annoyance value

print"<meta http-equiv='Refresh' content='1;url=www.fbi.gov'>";

no warning to them its happening they enter the page they are gone let them try and tell you they didnt later,

[Strats]

Immortalthug -

You joined my game the other day and used the session hack on it.

You only sent out donator packs to the members but it's enough to piss me off.

If you ever plan on being a coder or a real game owner I suggest you don't abuse bugs in games.

If you know of one you should tell the game owner.

Earn some respect.

If your not careful the same will happen to you it's called Karma.

8)

[Strats]

Simple fix (Secure the files :) )

Ideas

#1 - Move ALL staff files into a folder.

#2 - Give staff keys

#3 - Profile sig/forum avatar/display pic - Make sure its a picture :)

Can you Pm about this staff keys idea please hun

[virtualshogun]

dont know how effective it would be but you could move the first inital page instead of going straight to the staff pannel have them goto a verify page that requires a password and username to get into the real staff pannel, with a few things in mind, when they are not in the staff pannel or on one of the pages lock it back up forceing them to login each time, i know its more work for the staff but better protected i would think,

goto your mainmenu.php change the link to the verify page heck if you could hide the actual staff pannel address under a encoded link name that would be cool so it cannot be just typed in yourgame/staff.php or whatever but also set it to where you do manage to go to the staff pannel passing the verifiy page dont let them in without the information being passed to the staff pannel password whatever,

<a href='verifyme.php>Staff Pannel</a>

you could put in passwords for each level, or not and dont just trust that staff would logout when done, locking it back up.. so every say 15 minuets (name your own time) they would have to re-verify they are indeed staff and supposed to be allowed into the staff pannel, or get booted, sorta like the image verification for people, staff verify then explain to your staff it would be really stupid to give that password out to people, im working on a verify page ill have it up shortly as a free thing mod it secure it more whatever, anything that helps others out.

[mdshare]

Isn't a solution imo you still leave the game open for session hijacking and is it not the point to secure the game ? Not only the staff part.

[AlabamaHit]

strats staff 'keys' would be pretty easy.

 

on the staff page.

just add

 

$_POST['key'] = abs(@intval($_POST['key']));
if(!isset($_POST['key']))
{
 echo 'You have to enter your pass key. Please do so below.

';
 echo '<form action="staff.php" method="post">';
 echo '<input type="text" name="key" />

';
 echo '<input type="submit" value="Verify" />';
 echo '</form>';
}
else
{
 if($ir['userid'] == STAFFS ID && $_POST['key'] != $ir['staff_key'])
 {
   echo 'Nope you did not get in.';
   exit;
 }
 else if(ALL OTHERS and so on and on.
 {
 }
}

 

somethign along that line.

But I also agree with MD. The best way is not to make stuff work. But to fix it. You should verify that 'ALL' data in the game when being passed, is what it is supposed to be.

[girardz]

Immortalthug -

You joined my game the other day and used the session hack on it.

You only sent out donator packs to the members but it's enough to piss me off.

If you ever plan on being a coder or a real game owner I suggest you don't abuse bugs in games.

If you know of one you should tell the game owner.

Earn some respect.

If your not careful the same will happen to you it's called Karma.

8)

in Immortalthug's defence he did get into my game but didnt do anything malicious, instead he notified one of my head admins who was online at the time who reported it to me, took me a few minutes to figure out how but its now fixed temporarily so thanks!

[Joshua]

I did that to a lot of games but I never did anything malicious. The bug was found on a game I'm currently working on and the user informed me. So i felt it necessary to inform others.

Shrugz, Tried to be helpful by checking for the bug and I can't tell you how many people got upset that I "did it" in the first place.

Like Chicka, I didnt even do it, I tried. Added the code, then Told chicka to check my profile and she blows up calling me an idiot and it's already been fixed!.

Good? If i was trying to hack someones game with malicious intent I wouldnt be emailing the admin telling them

I beleive your game has a security leak, check my profile.

seriously. :|

[Guest Null]

Cant this also be done via Meta Hack in the Player Reports?

[Joshua]

Yep, several places, forums to ;)

[iR00T]

Yes, I got a simple fix. Change the name of your staff_special and anything linking to it, That is a simple secure. Now, you can also secure it but still, I just rename it. You can secure it. Which eventually I do once I have enough time.

[Zero-Affect]

ImmortalThug i thought you was a security expert?

GanjaFreak420...

Yes, I got a simple fix. Change the name of your staff_special and anything linking to it, That is a simple secure. Now, you can also secure it but still, I just rename it. You can secure it. Which eventually I do once I have enough time.

or a better solution would be to recode the ENTIRE staff panel so then it's more difficult for someone to access. Another solution is to add maybe referred link protection so that for example:

http://www.website.com/user.php?u=234

couldn't be the referred link to =>

http://www.website.com/staff_function.php?action=change_status&staff=admin&id=234

Only allow the specific files to be the referring links therefore great protection.

Coding your own engine and dropping MCC altogether would be the best solution to these issues, go with horizon or ZAP god even GPRG would be better than MC.

[Joshua]

zero did you see when I made this post? lol

It's been some time :P