Joshua Posted October 26, 2009

Ok, so granted I don't know EVERYTHING... but after 8 months now of working on my own site and dealing with attempted hacks, I've learned a few things. I figured I'd make this post, as just saying "Secure ALL pages" doesn't appear to get through to people, and for SOME reason everyone thinks that a few header inserts will stop a hack. Let me help you better understand why THIS is not going to stop anything.

1. abs@intval in header for securing user's ID, ViewTopic and ViewForum stop just that. They make sure the user is the right user. That's it, nothing more. So while that may stop a quick URL injection hack, it doesn't stop SQL injections in your forums or any other form of hack, XSS, shell etc.

2. $IP hack is about one of the only fixes I've seen on this board that helps stop a full fledged hacker that has more than 2 hacks to copy and paste. People were using an older version of Firefox and an X sploofer to IP hack games and make themselves admins. The $IP secure stops this.

Here are the following pages that I know of that are exploitable and should be secured. Use mysql_real_escape to secure $_POSTs and $_GETs in all these folders, that's a starter.

Forum TOPIC / Forum SUBJECT -- Even with the secured forums, <meta tag> hacks will work on those 2. Secure them or, even better, automatically ban if someone tries it.
Signature -- Again, <meta hacks>. Can use signature to A. auto admin when an admin views your profile, or B. redirect users to another site when they view your profile, or C. the possibilities are endless.
Display Pic -- By inserting hacks, users can become admin upon being viewed, just as Sig.
Username -- Make sure they can't enter hacks, secure your names.
Forum Avatar/Sig -- AGAIN secure this.
Player Report -- It's a form, it can be exploited.
Bug Report -- Another exploitable form.
Player Ads -- Exploitable forms.
Staff Apps -- Forms.

Basically any page where you can insert form data is the most susceptible to malicious attacks. Secure all your $_GET and $_POST variables when possible and to prevent SHELL type hacks. Also learn to use sprintf() to clean all data.

Never share your cPanel access with ANYONE you can't trust. Change your password every so often -- keep it difficult, don't make it "cool" or "silver". Try adding characters and remember them, such as... iam!!elite2

View your error logs! -- This will tell you where people are trying to access your site! It also tells you their I.P. for banning reasons :-) and helps you out with any little bugs you may encounter.

If you are able to do so, change your staff_special folder over to a different name no one will find out or guess. Then stick it in a specially named folder... go into everything that calls for staff_special and rename it to your new name/location. That will stop the Auto Admin problem 100%. Unless they manage to upload a shell ><

That's all for now, I'll edit if I remember any more stuff. If you have questions about just how to do any of the stuff I asked, they make this BEAUTIFUL little feature, it's up top of the boards in the right hand corner, right next to a pretty green arrow... called > SEARCH. Thanks :)

---- IF YOU HAVE any question as to whether your site is vulnerable to hacks, message me here or on msn [email protected] and I'll attempt the few that I have discovered. -- Nothing malicious like a shell upload as I'm not sure how that one works -- Then you will know where to start.
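Joshua's list above boils down to two kinds of input: numeric IDs from the URL, and free text (signature, display pic, username, subject) that other users' browsers will render. The following is an added example of how a defender handles both, not code from the thread or from MCCodes; the function names and the sample values are the example's own.

```php
<?php
// Added example (not from the thread or MCCodes): the two input classes that
// Joshua's list keeps coming back to. Function names are this example's own.

// Numeric IDs (viewtopic, viewforum, user ID): the thread's abs(intval()) idiom
// plus a range check, so a non-numeric string (which casts to 0) is rejected
// instead of silently becoming "ID 0".
function clean_id($raw)
{
    $id = abs((int) $raw);
    return $id > 0 ? $id : null;
}

// Free text that is stored and later echoed into other users' pages (signature,
// display pic field, username, forum subject). Stripping every tag on the way in
// removes <meta>, <script> and the like entirely; SQL escaping or a prepared
// statement is still needed separately when the value goes into a query.
function clean_text($raw, $maxlen = 500)
{
    $text = trim(str_replace(array("\r", "\n"), ' ', $raw));
    $text = strip_tags($text);          // no HTML at all; offer BBCode if markup is wanted
    return substr($text, 0, $maxlen);   // bound what gets stored
}

// Output encoding at display time is the second layer: even if something bad
// reached the database, the browser receives it as text, not as markup.
function render_text($stored)
{
    return htmlspecialchars($stored, ENT_QUOTES, 'UTF-8');
}

// Constructed samples: a mangled ID and the kind of signature the thread warns about.
$bad_id  = '12abc';
$bad_sig = 'Hello <meta http-equiv="refresh" content="0;url=http://example.invalid/"> all';

var_dump(clean_id($bad_id));        // the leading digits are kept, the junk after them is not
var_dump(clean_id('abc'));          // nothing numeric to look up
var_dump(clean_text($bad_sig));     // the meta tag has been removed
echo render_text('<b>still text</b>'), "\n";   // angle brackets arrive encoded
```

Apply clean_id to every ID taken from $_GET and clean_text to every stored profile field, and call render_text wherever a stored field is printed into a page.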
Djkanna Posted October 26, 2009

Just a little thing, I'm not going to say anything else as at least you're helping :)

"1. abs@intval in header for securing user's ID, ViewTopic and ViewForum stop just that. They make sure the user is the right user. That's it, nothing more."

^^ That makes sure that it's an actual number.. :)
Joshua Posted October 26, 2009

Yeh, I'm thinking userid :p but stops other minor things as well ^_- Nice catch.
Nicholas Posted October 27, 2009

May I just add? Wouldn't the best way to stop people from becoming admins automatically be to change the user_level in the database to something else that no one would ever guess, and then go on every single page of the game and find the if($ir['user_level'] == 1), if($ir['user_level'] == 2), if($ir['user_level'] == 3), if($ir['user_level'] == 4) and so on... then change the user_level part into what you changed it into on the database? Or can they still make themselves admin?
Joshua Posted October 27, 2009

That's a "quick" fix as well, as it's only a matter of time before it's guessed, not to mention you'd have to change A LOT of files and update your SQL database tables. It's much easier just to rename files and change in the script, hide files, pword protect files etc. If they want to find the user level, it wouldn't be too hard :P
Dillion & Amanda 4 Lif Posted June 4, 2010

If you don't want anyone to be staff, put the staff files in a directory, pword protect it with .htaccess, and absolutely let no one know the password but you.
Zero-Affect Posted June 4, 2010

or add something simple like

```php
if ($ir['user_level'] > 1 && !in_array($userid, array(1, 2, 4, 6, 8))) {
    // the array could be set in settings and edited simply when new staff are made/promoted.
    echo 'You\'re not staff... Buzz Off';
    $h->endpage();   // finish the page output, then stop so no staff code below this runs
    die();
}
```
Jordan Palmer Posted June 4, 2010

"If you don't want anyone to be staff, put the staff files in a directory, pword protect it with .htaccess, and absolutely let no one know the password but you."

That is plain N00BISH.
Danny696 Posted June 4, 2010

Why wouldn't you want anyone to be staff? Duh...
Danny696 Posted June 4, 2010

Use a .htpassword program. Very simple to use; here's one I'm using: http://tools.dynamicdrive.com/password/
Dillion & Amanda 4 Lif Posted June 4, 2010

I was just offering the most obvious solution. I use a bit more complex version of the staff system, with user groups; each staff (when I do have any) that are in the important ranks will be given their own htpassword, etc. etc. Much better solution.
Dillion & Amanda 4 Lif Posted June 5, 2010

Well, aren't you supposed to secure every page? Guide is great, just saying. I think you posted this a while back though, so I'm sure you know by now. As for meta tags working on secured forums, it doesn't work on the ones I made.
Zero-Affect Posted June 5, 2010

Best to edit all the files really IMO
Dominion Posted June 5, 2010

Most of the so called "main" files are posted up and secured for free. You can get away with having around 80% of your files secure to stop noobs (can be done with free mods and some paid work), but you want 100% really, as already said.
furydevo Posted June 5, 2010

Sorry if I'm a bit off-topic, but isn't this board for "Non-MCCode Game Support"? A lot of the posts are MCCode-specific.
Guest Posted June 6, 2010

A must read? Think you got the wrong word... "Must be failure"
DougK Posted June 14, 2010

One really big thing that I see missing... NEVER take raw input (PHP $_GET, $_POST or $_REQUEST) and put it directly into a query. This is just asking for trouble, as it opens up a hole for SQL injections. Always sanitize any values that are going into the database queries, even if they are generated by a function. For example, if you have a dropdown box for selecting something, do NOT trust the value that you are getting just because it is not simple to change the values. There are plenty of tools out there that allow someone to intercept and modify data before it goes to the webserver.

So, how do you sanitize your input? Check to make sure it is a value you expect. If you are looking for an integer, there should be no characters in it. is_int, is_double, is_string, and is_object are helpful for this. If you are expecting a URL (say for a picture), you should make sure that it is properly formatted. Regex checking comes in handy here. If it is something that you want to accept HTML (forums, mail, signatures, etc.) I would suggest using strip_tags to remove any unwanted tags. Alternatively, you could block all HTML and only allow bbcodes or your own variation of them. The newest version of PHP has bbcode functionality already built in, I believe it started with PHP 5.2.0, but I am not entirely sure.

While mysql_real_escape_string is a good start, you may want to use trim to remove extraneous whitespace from a string (newline, space, tab, carriage return, null-byte, etc.). A simple function for this would be:

```php
function make_safe($var, $allowablehtml = '<a><img>')
{
    $var = trim($var);                                  // remove leading and trailing whitespace
    $var = str_replace(array("\r", "\n"), '', $var);    // remove any carriage returns or newlines in the string
    $var = strip_tags($var, $allowablehtml);            // remove unwanted HTML
    return mysql_real_escape_string($var);              // escape SQL special characters last (needs an open
                                                        // mysql connection) so the edits above do not touch the backslashes it adds
}
```

You can also add htmlentities to the function to convert any HTML special characters into their encoded equivalents; however, this will render any real HTML input invalid, because the resulting output when viewed in a browser will look like the actual HTML code. html_entity_decode will undo htmlentities if needed.

You could add a simple function that is called with every page load that automatically puts any input from the user through the make_safe function, but I would not advise doing so, as there may be times when you want to be able to put in input that would be damaged by make_safe.

That aside, if you are making your own game from scratch, do not use an easy-to-guess table structure. If you keep the tables hard to guess, it is just that much more unlikely that a malicious user will be able to do anything. Also, it is a good idea to keep data that your users can edit separate from data that only the game itself should change. For example, username, profile, signature, etc. should all be in one table; stats and player data should be in another. This will prevent a player from being able to credit themselves stats with an SQL injection, which shouldn't be a problem if you follow the above, but having an extra layer of security never hurts.

Another thing you can do, if your webhost allows it, is to create different database users for different tasks. Have one user that only allows select, one that only allows update, one that allows delete, and one that allows create. This isn't a major issue, as PHP does not support multiple queries in a single mysql_query statement, so someone trying to do a '; DROP TABLE users; -- would not be able to do any harm. I'm not sure if ADODB has this same function, it looks like it does. Again, if you are checking anything and cleaning it up before putting it into a query, this wouldn't do much.

I hope my rambling makes sense.
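DougK's rule of checking that each value is the one you expect, carried through a whole profile form and stored with a mysqli prepared statement (a swap for the mysql_real_escape_string approach the thread uses, since the value then never becomes part of the SQL text). This is an added example, not DougK's code or MCCodes'; the field names, the allowed values and the table and column names are assumptions.

```php
<?php
// Added example (not DougK's code): every field declares the shape it must have and
// anything else is rejected, not "cleaned". Field, table and column names are assumed.
$rules = array(
    'age'        => array('type' => 'int',  'min' => 13, 'max' => 120),
    'avatar_url' => array('type' => 'url'),
    'gender'     => array('type' => 'enum', 'allowed' => array('male', 'female', 'other')),
);

// Returns the validated values, or the name of the first field that failed.
function validate_form(array $rules, array $input)
{
    $clean = array();
    foreach ($rules as $field => $rule) {
        $value = isset($input[$field]) ? $input[$field] : null;
        switch ($rule['type']) {
            case 'int':   // real integer in range; note is_int() is false for every $_POST string
                $ok = filter_var($value, FILTER_VALIDATE_INT, array('options' =>
                    array('min_range' => $rule['min'], 'max_range' => $rule['max'])));
                break;
            case 'url':   // a picture URL must be http(s), never javascript: or data:
                $ok = filter_var($value, FILTER_VALIDATE_URL);
                if ($ok !== false && !preg_match('#^https?://#i', $ok)) { $ok = false; }
                break;
            case 'enum':  // the dropdown's options live here, so an edited POST cannot add one
                $ok = in_array($value, $rule['allowed'], true) ? $value : false;
                break;
            default:
                $ok = false;
        }
        if ($ok === false) { return $field; }
        $clean[$field] = $ok;
    }
    return $clean;
}

// Storing it: prepared statement into the user-editable profile table only (stats live in
// another table), through a handle opened with an account granted UPDATE on this table.
function save_profile(mysqli $db, $userid, array $clean)
{
    $sql  = 'UPDATE user_profiles SET age = ?, avatar_url = ?, gender = ? WHERE userid = ?';
    $stmt = $db->prepare($sql);
    $stmt->bind_param('issi', $clean['age'], $clean['avatar_url'], $clean['gender'], $userid);
    return $stmt->execute();
}

// Constructed input resembling a tampered POST: the dropdown value is not one we offer.
$posted = array('age' => '25', 'avatar_url' => 'http://example.invalid/me.png', 'gender' => 'admin');
var_dump(validate_form($rules, $posted));
```

With the constructed input, validate_form returns the field name 'gender' because that value is not on the server-side list; change it to 'other' and the returned array is ready for save_profile.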