
Known Hacks


Taxed


Hi,

I am starting this post to keep a detailed list for public use detailing known hacks in the Gangster Legends Engine and recommendations on how to solve them. This is not a full list of hacks, only the hacks we have found. A brief hack session to test basic security performed by Zero-Affect came back positive with only two hacks found. This does not, however, mean that there are no more bugs in the engine.

Undefined Location Hack - Documented: 02/02/2010

This hack is performed on the register page and allows a hacker to set an undefined location upon registration. The problem is specifically caused by allowing the players to choose their starting location.

Recommended Fix

Use a predefined starting location and remove the option from your HTML form. Set your SQL to use a predefined number upon row creation and remove the PHP for the location from register.php.

Session Hack - Documented: 02/02/2010

This session hack is performed using the standard instant chat system that comes by default with Gangster Legends. The chat system can be used by hackers to steal single player sessions or given enough time the majority of your player base. Provided they have prior knowledge of the GL database structure and naming conventions they could manipulate the database causing you to lose control of your game.

Recommended Fix

I'm sure you could fix this by using "html_entity_decode" and "stripslashes" but I haven't tested it myself. I personally removed the chat and integrated a more personalized instant chat. But there are methods out there you could use to secure the chat if you don't want to integrate a better one.

 

I hope the documentation on these known hacks helps you. I will add more if/when we find any more.
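
The recommended fix for the undefined location hack, sketched as an added example that is not part of the original post and is not Gangster Legends code. The table, column names, starting location value and the register_player() helper are hypothetical; the point is that the location never comes from the request.

```php
<?php
declare(strict_types=1);

// Hypothetical schema: the real Gangster Legends table and columns may differ.
// The column DEFAULT supplies the predefined starting location on row creation.
const SCHEMA = 'CREATE TABLE players (
    id            INTEGER PRIMARY KEY,
    username      TEXT    NOT NULL UNIQUE,
    password_hash TEXT    NOT NULL,
    location      INTEGER NOT NULL DEFAULT 1
)';

/**
 * Create a player from submitted form data (hypothetical helper).
 * Only username and password are read; any other field, including a
 * "location" value added to the request by hand, is never looked at.
 */
function register_player(PDO $db, array $post): int
{
    $username = trim((string)($post['username'] ?? ''));
    $password = (string)($post['password'] ?? '');
    if (!preg_match('/^[A-Za-z0-9_]{3,20}$/', $username) || strlen($password) < 8) {
        throw new InvalidArgumentException('invalid username or password');
    }
    // No location column in the INSERT, so the database default applies.
    $stmt = $db->prepare(
        'INSERT INTO players (username, password_hash) VALUES (:u, :p)'
    );
    $stmt->execute([
        ':u' => $username,
        ':p' => password_hash($password, PASSWORD_DEFAULT),
    ]);
    return (int)$db->lastInsertId();
}

// In-memory SQLite database so the example runs without a game install.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec(SCHEMA);

// Constructed request: the form no longer has a location field,
// but a tampered submission still sends one.
$tampered = ['username' => 'test_player', 'password' => 'correct horse', 'location' => '9999'];
$id = register_player($db, $tampered);

$stmt = $db->prepare('SELECT location FROM players WHERE id = ?');
$stmt->execute([$id]);
echo 'stored location: ', $stmt->fetchColumn(), PHP_EOL;
```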
