MakeWebGames

Posted

There is not one possible patch or fix that would make MCcodes secure, therefore such things need to be asked.

The most common yet old:

cmarket (includes peoples lovely copy and paste turnsmarket donatorday markets and so on)

forum

user comments (depending on the version you added)

signature (depending on the version you added)

blogs (why would you even want with this anyways)

header.php (

find:

$IP = ($_SERVER['HTTP_X_FORWARDED_FOR'])
?  $_SERVER['HTTP_X_FORWARDED_FOR']
:  $_SERVER['REMOTE_ADDR'];

replace with:

$IP = $_SERVER['REMOTE_ADDR'];

 

also in login.php, authenticate.php and register.php)

 

There are a few more; any issues researching the fixes, I would be glad to help.
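The header.php change above works because HTTP_X_FORWARDED_FOR is a request header any visitor can set, while REMOTE_ADDR comes from the TCP connection. As an added example (not MCcodes code and not from this thread), here is a resolver that only honours the header when the request really came through a proxy you operate; the $trusted_proxies list and the client_ip() name are assumptions for the example:

```php
<?php
// Added example, not code from MCcodes or the thread: resolve the client IP
// without trusting X-Forwarded-For sent by arbitrary clients. That header is
// just a request header anyone can set, so using it directly lets a visitor
// choose their own "IP" (dodging IP bans and, if the value reaches SQL
// unescaped, injecting into the query). $trusted_proxies is an assumption for
// the example: list your own reverse proxy addresses there, or leave it empty.

function client_ip(array $server, array $trusted_proxies = array())
{
    $remote = isset($server['REMOTE_ADDR']) ? $server['REMOTE_ADDR'] : '';

    // REMOTE_ADDR comes from the TCP connection and cannot be forged by the
    // client. With no trusted proxy in front of PHP it is the only safe value.
    if (!$trusted_proxies || !in_array($remote, $trusted_proxies, true)) {
        return $remote;
    }
    if (empty($server['HTTP_X_FORWARDED_FOR'])) {
        return $remote;
    }

    // Header format is "client, proxy1, proxy2". Walk from the right, skip the
    // hops we added ourselves, and take the first address that is not ours.
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        if (in_array($hops[$i], $trusted_proxies, true)) {
            continue;
        }
        // Strict validation: anything that is not an IP literal is discarded,
        // so the result is safe to log and compare (still bind it in SQL).
        return filter_var($hops[$i], FILTER_VALIDATE_IP) ? $hops[$i] : $remote;
    }
    return $remote;
}

// Constructed sample requests (not real traffic):
$direct = array('REMOTE_ADDR' => '203.0.113.5',
                'HTTP_X_FORWARDED_FOR' => '127.0.0.1');
// no trusted proxy configured: the forged header is ignored
echo client_ip($direct), "\n";

$proxied = array('REMOTE_ADDR' => '10.0.0.2',
                 'HTTP_X_FORWARDED_FOR' => '198.51.100.7, 10.0.0.2');
// 10.0.0.2 is our own proxy, so the address it reports for the client is used
echo client_ip($proxied, array('10.0.0.2')), "\n";
```

Whatever this returns still has to be escaped or bound as a parameter before it goes into a query; validating the value narrows what it can contain, it does not replace escaping.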

Posted

Tons of loopholes; those topics I posted are just a few.

run searches like

$IP secure

cmarket hack

sprintf

mysql_real_escape

MRES

abs(@intval topics

htmlentities

All those will give you a step in the right direction.

Posted

Thanks people! Now, I've replaced this with what I should replace it with, but I really can't figure out what it does, even with the help of the PHP manual. =/.

$IP = ($_SERVER['HTTP_X_FORWARDED_FOR'])
?  $_SERVER['HTTP_X_FORWARDED_FOR']
:  $_SERVER['REMOTE_ADDR'];

 

As for the other links, Immortalthug and Zero-affect, I'm looking into them now. That thread you posted was really helpful, curt200518, :)

rpmb: If I turn off my error reporting, how will I be able to tell what's wrong without going through every single file on my server? :P

Thanks everyone, you have been really helpful. This is a great place to ask for help.

Eruondo.

Posted

I've been patching up securityholes, and doing great! (I think.)

But, one question though: Does anyone know if this will work?

 

   
function do_pic_change()
{
	global $db,$ir,$c,$userid,$h;
	// getimagesize() fetches the URL and reads only the image header;
	// it returns an array for a recognised image format and false otherwise
	$url = getimagesize($_POST['newpic']);

	if($_POST['newpic'] == "")
	{
		print "<font color='#FFFFFF'>You did not enter a new picture.</font>\n";
	}
	elseif(!is_array($url))
	{
		// not a valid image: fall back to the default picture
		$default_image = "…/directoryFolder/junal.jpg";
	}
	else
	{
		// Do stuff: save the new picture here
	}
}

 

Edit: I might add that it is a snippet I found from mdshare, and it is to prevent session hijacking from inserting code into images.

Posted

It isn't bad, unless someone attaches a shell to the picture :\

I could be wrong on this, but it would just check the image size, and if there is a %00 shell attached to it, it wouldn't catch it.

then a user could upload a shell

Posted

Simple. You do all your coding in a test environment and then add to your production server if your game is live and has players.

 

Or code the entire thing. Check it all. Beta test it and if you feel it absolutely required. Pay someone to run through your code and secure it. Then release it to production status changing error reporting to off before you do.

 

If you cannot have a separate testing environment (i.e. the computer you have next to you right now) then look at Subversion.

Posted

A great coder once said to me: with a picture you can do lots of things.

Put logout.php in the generic display picture preferences, then go to your profile and refresh :)

If that logged you out then you have a problem which, trust me, with the right code is very bad. Considering you even block all non-image files, so say you only allow .png, .jpg and .gif, then input logout and do .php with htmlspecialchars lol

Or say I set up a freewebs somewhere like ej.am; I could simply edit the htaccess file to switch .gif to .php, then the link http://www.site.com/images/image.gif automatically changes to http://www.site.com/images/image.php

Content of the file being something like $db->query("UPDATE `users` SET `user_level` = 2");

Now everyone is an admin. Who did it? How was it done... TRUNCATE would also be a bad one...

I do not take responsibility for anyone using these methods in a malicious manner, these are for soul use in educational ways.

Posted

Zero-Affect: Is that not exactly what this code will prevent? Or perhaps I misunderstood you. Anyhows, I tried uploading a .php file, and some other things which were not images, and I got the die("")'s I wanted to, ^^.

Posted

That looks more like code for an upload image script rather than an externally linked image script; I may be wrong.

Immortalthug: To tell you the truth, I was actually wondering if anyone understood what I said. Considering there are a lot of unique coders on here, I was open to suggestions on how exactly they would block that.

Posted

getimagesize does what it says: gets the image size and width, and will return an error if it's not a valid image.

 

you can also use functions like

 

ImageCreateFromJPEG

ImageCreateFromjpeg

ImageCreateFromPNG

 

case sensitive for files ending .JPEG .jpeg

 

and will return an error for an unsupported file type.

 

Now with what Zero stated about linking an image then changing that using htaccess to .php, you're talking about RFI attacks, remote file inclusion?

 

This comes under server config security and your scripts. Easiest way: don't allow anything to upload to your server so they can't upload the nice image which is really a link to a shell.

 

Server side you can disable allow_url_fopen in your PHP; others I would suggest disabling would be proc_open, shell_exec, popen. You can find others which are functions that will open/read/write for the PHP filesystem.

 

The way these are configured in PHP will depend on your version. A lot of hosts are still using the 4.x tree or early 5 versions.
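The getimagesize()/ImageCreateFrom* checks described in this post, and the earlier point that a linked .gif can be turned into a script on the remote host, as an added example that is not from the thread or from MCcodes. It assumes PHP 5.4+ with the GD extension, allow_url_fopen left on for this one fetch, and a hypothetical fetch_and_sanitize_picture() name and destination directory:

```php
<?php
// Added example, not code from the thread or from MCcodes: accept an externally
// linked picture by its content, then re-encode it with GD. Assumes PHP 5.4+
// with GD; function and path names are placeholders for the example.
// Why: getimagesize() and imagecreatefromjpeg() only parse the image header,
// so a real GIF/JPEG/PNG with a script appended (or a .gif the remote .htaccess
// rewrites to .php) still passes. The fetched bytes are therefore never
// included or executed, only decoded to pixels and written back out under a
// filename and extension the application, not the user, chooses.

function fetch_and_sanitize_picture($url, $dest_dir, $userid, $max_bytes = 512000)
{
    // 1. Only plain http/https sources; rejects php://, file://, data: etc.
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if ($scheme !== 'http' && $scheme !== 'https') {
        return false;
    }
    // 2. Fetch at most $max_bytes + 1 bytes with a short timeout.
    $ctx  = stream_context_create(array('http' => array('timeout' => 5)));
    $data = @file_get_contents($url, false, $ctx, 0, $max_bytes + 1);
    if ($data === false || $data === '' || strlen($data) > $max_bytes) {
        return false;
    }
    // 3. Check the declared format and dimensions from the header before
    //    decoding, so a tiny file cannot expand into a huge bitmap.
    $info = @getimagesizefromstring($data);
    if ($info === false || $info[0] > 1024 || $info[1] > 1024) {
        return false;
    }
    // 4. Decode by content; false for anything GD cannot parse, whatever
    //    the URL ends in.
    $img = @imagecreatefromstring($data);
    if ($img === false) {
        return false;
    }
    // 5. Re-encode. Only pixel data survives: trailing payloads, comment
    //    chunks and EXIF blobs are dropped. The name is built from the numeric
    //    user id, never from the URL, so %00 or ../ tricks never reach the
    //    filesystem, and the fixed .png extension is never run as PHP.
    $dest = rtrim($dest_dir, '/') . '/' . (int) $userid . '.png';
    $ok   = imagepng($img, $dest);
    imagedestroy($img);
    return $ok ? $dest : false;
}

// In the thread's do_pic_change(), store the path this returns (or keep the
// default image when it returns false) instead of the raw user-supplied URL.
```

Keep the destination directory outside the web root or served with script execution disabled; re-encoding removes embedded payloads, but a directory that executes .php is still a misconfiguration regardless of what is stored there.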

Posted

I was referring to externally hosted images not uploaded.
