Eruondo (posted November 8, 2009):
I need them for - well, all known mccodes exploits. There you go. I've searched the forums, but I can't find anything, and I'm hoping that someone is willing to share them with us, =) Thanks! Regards, Eruondo.
Curt (posted November 8, 2009):
As far as I know there is no "patch" to secure mccodes. You will need to get a basic understanding of security and go through all pages and secure them, or do it the lazy way by paying someone to do it for you :P... BTW there are plenty of topics about security; this is what you need to be looking up. Cheers
Eruondo (Author, posted November 8, 2009):
Well, perhaps patch is the wrong word. I'm looking for a little information like: "There's a hack at cmarket.php and here is how you fix it:" I went through all my files, securing them manually, but it turns out I did it wrong, so I'll have to do it again. That's kind of why I would like to see if anyone had any information about that. Regards, Eruondo.
Joshua (posted November 8, 2009):
As right now this and creating mods is what I'm doing to make money, I'll offer some free advice :) There is no patch that will secure your game. You can search the forum and stop the original Cmarket and Forums hack. You can search the forum and stop the IP hack. I even got some people posting on how to stop the Display Picture hack. However... secure all 3 of those, and I still bet you money within 2 minutes I could become an admin on your site, re-direct your site, and give you about 100k NPC bot users. Sadly, there is no quick fix. Anyone who tells you they have a script for your *header* that will secure it doesn't know a lick about PHP. Good luck with your site, and learning PHP.
The Chaotic Banana (posted November 8, 2009):
> Security
> As right now this and creating mods is what I'm doing to make money, I'll offer some free advice :) There is no patch that will secure your game. You can search the forum and stop the original Cmarket and Forums hack. You can search the forum and stop the IP hack. I even got some people posting on how to stop the Display Picture hack. However... secure all 3 of those, and I still bet you money within 2 minutes I could become an admin on your site, re-direct your site, and give you about 100k NPC bot users. Sadly, there is no quick fix. Anyone who tells you they have a script for your *header* that will secure it doesn't know a lick about PHP. Good luck with your site, and learning PHP.
I beg to differ. 100k NPC bots easy to stop, auto admin easily fixed. I'd say yes, that you can't fully secure everything as there's always a %1 chance someone will bypass it, and no, there is no quick fix, as Immortal said. Good luck with PHP. Regards, TCB
Eruondo (Author, posted November 8, 2009):
Aww.. Crap. Still, thanks though.
Joshua (posted November 8, 2009):
You beg to differ, what's your site ;) Auto Admin isn't entirely easy to stop.. For one, unless you go through and secure every spot for player form input data, I can do it UNLESS you rename your staff_special.php file and all the queries calling to it, which is what I normally do. Then you have to worry about shell uploads into your file manager. Just securing preferences doesn't stop auto admin ;) I can get auto admin through about 19 different mods.
The Chaotic Banana (posted November 8, 2009):
> You beg to differ, what's your site ;) Auto Admin isn't entirely easy to stop.. For one, unless you go through and secure every spot for player form input data, I can do it UNLESS you rename your staff_special.php file and all the queries calling to it, which is what I normally do. Then you have to worry about shell uploads into your file manager. Just securing preferences doesn't stop auto admin ;) I can get auto admin through about 19 different mods.
Auto admin, lolz. For one, my game doesn't run on user_level anymore, so that would stop you in most of your hacks. And uploads into my file manager, LMFAO xD. And staff special I don't need to rename or do anything to, as it doesn't run on user_level XDXD
Agon (posted November 8, 2009):
Extortion must come to an end when it comes to security. This sort of knowledge should be free and available.
seanybob (posted November 8, 2009):
> You beg to differ, what's your site ;) Auto Admin isn't entirely easy to stop.. For one, unless you go through and secure every spot for player form input data, I can do it UNLESS you rename your staff_special.php file and all the queries calling to it, which is what I normally do. Then you have to worry about shell uploads into your file manager. Just securing preferences doesn't stop auto admin ;) I can get auto admin through about 19 different mods.
Sigh. My 'E-Peen' is bigger! No, honestly though, these kinds of posts get me going. A kid talking about what a 'bad boy' hacker he can be, and not writing an informative post about the vulnerabilities he has seen. Even beyond that, proclaiming a sort of final, expert knowledge on a subject I doubt he's known for more than a year or two and probably learned through mccodes. Auto admin is easy to stop.
> For one, unless you go through and secure every spot for player form input data, I can do it
A simple for loop in your header.php will take care of this on all pages except for login and register.
> UNLESS you rename your staff_special.php file and all the queries calling to it, which is what I normally do.
All staff pages (by their very nature) should be closed to anyone not of the owner's IP. Barring that, at least closing them to anyone who doesn't have the owner's userid would work just fine.
> Then you have to worry about shell uploads into your file manager.
Not if you don't re-invent the wheel. Don't use the mccode forum system, get smf or phpbb. Don't allow users to upload images, require them to do it off-site (on photobucket or imageshack or something). Don't allow complicated user inputs for profile signatures, profile pictures, etc - require an approval process where an admin checks the input string for profile image changes if you're not good with regular expressions and can't do the image size trick mdshare posted in these forums.
> I can get auto admin through about 19 different mods.
Congratulations. To Eruondo: You can do a decent job securing your site yourself. Be careful about what mods you choose to install, as most of them have gaping security holes. As for the mccodes game engine itself, there are a lot of holes... do your best searching these forums for specific hacks/issues others have had, and implementing their solutions. If you don't have the php experience necessary to write your own security, then that's pretty much the best you can do if you don't have a thick wallet. I'd like to help you mate, but I don't have the time to dedicate to it. If you're still looking for help when summer time rolls around, I'd be happy to help then.
Joshua (posted November 8, 2009):
Again, refer to your original post. You said it's an "easy" fix. How many users that don't know what they are doing very well can change their user level option to something else? Hmm? Especially going through all the files that call for user_level :p It's not so "easy" of a fix. I didn't say it's not stoppable. I said easy fixes won't stop it, which is what this post was originally about and what people are asking for. Easy? ;)
Joshua (posted November 8, 2009):
And to "supermod": if you look on these forums there are MULTIPLE posts I've helped informing users what needs to be done to secure their site. But I've also learned that none of them are going to read them and will keep asking the same post day in and day out: what's the one liner to secure my site? The answer is, there is no such thing. That's why a lot of people charge a lot of money to re-write engines, re-name tables etc. The problem with Mccrap is, everyone knows your table names and this is used for exploitation.
The Chaotic Banana (posted November 8, 2009):
> Again, refer to your original post. You said it's an "easy" fix. How many users that don't know what they are doing very well can change their user level option to something else? Hmm? Especially going through all the files that call for user_level :p It's not so "easy" of a fix. I didn't say it's not stoppable. I said easy fixes won't stop it, which is what this post was originally about and what people are asking for. Easy? :)
I would say easy, yeah, as it's not that big really xD Changing user_level to somthing_somthing ISN'T THAT hard to do in every file. Yeah, maybe they are newbies at coding, but someone would post it with a txt file of how to do it. Now is it that hard really? I'd do it myself xD.. Auto admin may be hard to stop. As I said it was easy, I apologise for that. It's not, but it can be secured to an extent. TCB
The Chaotic Banana (posted November 8, 2009):
> The problem with Mccrap is, everyone knows your table names and this is used for exploitation.
It may be mc crap but you've still used it like every other person has xD It still used to be your source code and maybe still is xD TCB
Also, the answer to your question would be this: I used to own http://www.criminal-madness.co.uk until Crazy T decided to do a take down notice to my host for not having a mc codes v2 License, so I'm not bothered really xD Tcb
Joshua (posted November 8, 2009):
Yeh, it is easy for you or me, but aside from taking the time out to do a full write-up for all users on how to do it, which I just don't have time for right now :\ It's not so easy hehe ;) Anywho, not trying to argue here, it's just I'm getting to where I see these posts daily and there are dozens if not hundreds of posts on where to start on fixing them. Search feature, people, really :p It's there, just have to spend time looking into it. Hell, in the past few weeks I've posted some basic fixes and where to look. As for a simple statement in header, supermod, that's not going to work. You can't stop meta tags in forms with header junk. You can try, but some idiot is always going to know more than you and figure a way around it. Meta tags and java boxes are used for tons of stuff ;) Food for thought :O
Agon (posted November 8, 2009):
RTFM right? Might as well just close the entire board and replace it with a link to Google search.
Joshua (posted November 8, 2009):
Well, people do write-ups every day just about. You really think that someone is going to write it up EVERY SINGLE time someone asks how to do it? Get real. Search the boards.
Joshua (posted November 8, 2009):
Seriously folks, after literally 3 minutes of the search feature I found all these, 3 minutes of looking. If I took time out of my day to actually search the boards, I could probably get a list of over 200 links. Just because you are too lazy and would rather make a new post each time you want security done doesn't mean we are going to reply. I help where I can and when I can as paying back to mwg for teaching me things I didn't know. But I'll be D**ned if every single time someone posts how to I'm going to find links and tell them. If you don't know how to secure your site, and you are too lazy to learn how to do it: go to File Manager, click on public_html, click Delete. Grab another hobby. There is no.. here.... I'll repeat again. THERE IS NO THERE IS NO THERE IS NO THERE IS NO THERE IS NO THERE IS NO THERE IS NO THERE IS NO quick fix for security. Someone will always be better than you. If you want your site secure for real, go through every damn file and secure it. $_GET, $_POST, being 2 major keys. SprintF to clean data, the list goes on. Even if you paid ME to do it, or anyone, it's not going to be 100% secure. You want a really secure game? Have a new engine custom designed for you, OR go through and redo every single McCodes file and database table, then hope and pray to god you won't get hacked. Even the most secure site on the planet is only 99%.
Watch out for this hacker question about XSS hacks.. Secured Preferances, 1 small error. Secure all pages using globals or header Help !!URGENT!! secure sprintf() Query.. Secure mccodes How Can I Secure A Game? [mccode] 8 Lines to secure your site from known sql injections. How to secure a few things!
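Added example, not part of the thread and not mccodes code: the per-parameter handling of request input and queries that the post above points to with $_GET, $_POST and sprintf, written in PHP. The table, rows and request values are constructed for illustration, and it assumes the pdo_sqlite extension is available; it also shows that sprintf() only formats text, so string values should go through a bound parameter instead.

```php
<?php
// Added example: constructed schema and rows, not the mccodes schema or code.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (userid INTEGER PRIMARY KEY, username TEXT)');
$pdo->exec("INSERT INTO users VALUES (1, 'owner'), (2, 'O''Neil')");

// Accept a request parameter only if it is a plain positive integer.
function int_param(array $src, string $key): ?int
{
    $v = $src[$key] ?? null;
    if (!is_string($v) || !ctype_digit($v) || strlen($v) > 9) {
        return null;                  // rejects arrays, signs, spaces, trailing text
    }
    return (int) $v > 0 ? (int) $v : null;
}

// sprintf() only formats: %d coerces to an integer, %s copies text as-is.
function sql_by_sprintf(string $name): string
{
    return sprintf("SELECT userid FROM users WHERE username = '%s'", $name);
}

// Prepared statement: the value is bound and never parsed as SQL.
function userid_by_name(PDO $pdo, string $name): ?int
{
    $st = $pdo->prepare('SELECT userid FROM users WHERE username = ?');
    $st->execute([$name]);
    $id = $st->fetchColumn();
    return $id === false ? null : (int) $id;
}

// Constructed request data standing in for $_GET.
$get = ['ID' => '2', 'bad' => '2abc', 'name' => "O'Neil"];

var_dump(int_param($get, 'ID'));          // accepted as an integer
var_dump(int_param($get, 'bad'));         // rejected, not silently truncated
echo sql_by_sprintf($get['name']), "\n";  // the quote in the input ends the literal early
var_dump(userid_by_name($pdo, $get['name']));  // same input, handled as data
```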
seanybob (posted November 8, 2009):
> Watch out for this hacker question about XSS hacks.. Secured Preferances, 1 small error. Secure all pages using globals or header Help !!URGENT!! secure sprintf() Query.. Secure mccodes How Can I Secure A Game? [mccode] 8 Lines to secure your site from known sql injections. How to secure a few things!
Thank you Immortalthug for posting these links for the OP. I'm sure they will help him.
rulerofzu (posted November 8, 2009):
> Then you have to worry about shell uploads into your file manager.
php disable functions
Not much point in securing your files at all if you're going to leave your server open to attack. Make sure you choose a host that knows what it's doing :D McCodes should include in the install instructions: Insecure, please secure all files before uploading; if you don't know what you're doing, pay someone that does. That's what professionals are for.
Zero-Affect (posted November 9, 2009):
In your shoes I would change game engine rather than using MC codes; use maybe horizons engine or something with more security than MC codes.
Joshua (posted November 9, 2009):
I disagree slightly, Zero :P Although mccodes is unsecure as crap, it is fixable, other than the .1% chance someone can get into anything ;) Just takes a lot more work than most are willing to put into it, i.e. renaming all database tables, securing and renaming all files, special folders for certain files like crons and staff stuff, and a secure host. Do-able. Whether or not people want to, or why not just build a new game engine instead tho... well... there are so many mods made "for" mccodes, that's probably part of the reason ;) Tons of free mods that you don't have to write yourself :P
Zero-Affect (posted November 9, 2009):
I personally have recoded every single PHP file for MCcodes and still have minor issues with it. I have only heard of one bug with horizons game Engine, yet I know of about 20 MCcodes ones off by heart, a lot more if they add some code from MWG's free plugin section. Therefore renaming the users table would not be difficult to find out: one error and wow, the new name is shown... It is not so simple. Just secure your code and then you will have no issue with changing your tables. When PHP is updated all scripts can become less secure, best to look up on that. I do although have about 6-7 months' experience with messing with MC codes script only, therefore not so difficult to understand how exploits are done. Behind that I have another 5 years of working with PHP.
Eruondo (Author, posted November 9, 2009):
> Watch out for this hacker question about XSS hacks.. Secured Preferances, 1 small error. Secure all pages using globals or header Help !!URGENT!! secure sprintf() Query.. Secure mccodes How Can I Secure A Game? [mccode] 8 Lines to secure your site from known sql injections. How to secure a few things!
Thanks! I tried searching the forum, but all I found was topics where people asked how to do it, none that actually described how to do it. Search-incompetence FTW. To everyone else: Thank you for all the good tips! I've begun reading up on the links and topics you've suggested. Regards, Eruondo.