MakeWebGames

Securing MCC2


BeastTheKidd


All scripts need to be secured. As for any for sale of mccodes, I don't think there is one, unless Redux is secured; maybe someone who has used the Redux upgrade can answer that?...

The parts that need to be secured are forms, anywhere a user is typing stuff into your database, and ALL queries in your scripts should be secured.

Do not ever go for securing the header.php only; some people think a small piece of code will secure all pages, when it does not secure EVERYTHING. ALL pages need to be secured!

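An added example (written for this page, not code from MCCodes, Redux or any poster) of the point made above: a "secure it once in header.php" escaping loop placed beside a page query it does not protect, and the per-query fix. It runs stand-alone against an in-memory SQLite database through PDO; the `users` table, its rows and the `ID` request parameter are constructed here and only loosely resemble the engine's real schema.

```php
<?php
// Added example, not MCCodes/Redux code: a "secure it in header.php" escaping
// loop beside a page it fails to protect. Runs stand-alone against an
// in-memory SQLite database through PDO; the users table is constructed here
// and only loosely resembles MCCodes' schema.
declare(strict_types=1);

// The header.php approach: run every request value through an escaper once.
function header_style_escape(array $input): array {
    $out = [];
    foreach ($input as $k => $v) {
        $out[$k] = is_string($v) ? addslashes($v) : $v;
    }
    return $out;
}

function make_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec("CREATE TABLE users (userid INTEGER PRIMARY KEY, username TEXT, money INTEGER)");
    $db->exec("INSERT INTO users VALUES (1, 'admin', 99999), (2, 'bob', 10), (3, 'alice', 25)");
    return $db;
}

// A typical per-page query: the ID is interpolated without quotes, so escaping
// quote characters in header.php changes nothing. A payload that contains no
// quotes still rewrites the WHERE clause.
function view_user_unsafe(PDO $db, array $get): array {
    $id = $get['ID'];   // already passed through header_style_escape()
    return $db->query("SELECT userid, username FROM users WHERE userid = $id")
              ->fetchAll(PDO::FETCH_ASSOC);
}

// The per-query fix: validate the type at the boundary and bind the value.
function view_user_safe(PDO $db, array $get): array {
    $id = filter_var($get['ID'] ?? '', FILTER_VALIDATE_INT);
    if ($id === false) {
        return [];   // not an integer: refuse rather than guess
    }
    $st = $db->prepare("SELECT userid, username FROM users WHERE userid = :id");
    $st->execute([':id' => $id]);
    return $st->fetchAll(PDO::FETCH_ASSOC);
}

$db = make_db();
$request = header_style_escape(['ID' => '2 OR 1=1']);   // constructed attacker input, no quotes in it
printf("unsafe lookup returned %d rows\n", count(view_user_unsafe($db, $request)));
printf("safe lookup returned %d rows\n", count(view_user_safe($db, $request)));
```

Run it with `php example.php` (the pdo_sqlite extension is required). The escaped payload survives `addslashes()` untouched because it contains no quote, so the unquoted interpolation turns the lookup into `WHERE userid = 2 OR 1=1` and every user row comes back; the bound version rejects the value before it reaches the database. This is why a single filter in header.php cannot stand in for checking each query.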

The newest patches are much better on this front. v1 I am unsure about; however 2.0.3 has most of the problems fixed in terms of the SQL injections that can be found throughout the web for mcc, since it's actually checking the user-supplied data. I have not done my own tests, since there would be very little point in me doing so, but as far as I'm aware it's a massive improvement. I have heard of some issues within the source, but it's more of a "this requires a check to ensure they should be able to do this" rather than a hack, e.g. one admin fedding another admin account, although the way the checks are done is something people seem to dislike.

More information here - http://makewebgames.io/showthread.php/38706-MCC-v2-0-3/

Redux is secured in the same way. You can find many threads on both versions, and their known issues.


V2.3 patches fixed some bugs that have been known for a while; Redux is taking a step backwards and reversed the fixes to some of those problems.

So yeah, if you cannot do it yourself you will need to get someone else to do it for you. In my opinion Lite is probably the one with the least amount of bugs (I think Danny's version is even better, but I haven't looked into it, nor do I know if it's still available).


My opinion is from posts around this forum (since I don't have a copy of 2.03), and I would be interested in having some kind of review of the more recent patch. It may help people decide when looking to buy it. Just an idea, if anyone cares to take the time...

I'm sure Danny's Lite update could always be reposted.


My opinion was formed from the first thing I saw in Redux:

    if ( $_POST['username'] == "" || $_POST['password'] == "" ) {
        die("
    <h3>{$set['game_name']} Error</h3>
    You did not fill in the login form!<br>
    <a href=login.php>> Back</a>
        ");
    }
    // $_POST['username'] is interpolated straight into the SQL string, with no
    // escaping or binding. The password is reduced to a sha256 hex digest first,
    // so the username is the injectable value.
    $uq = $db->query("SELECT `userid`,`email` FROM `users` WHERE `login_name` = '{$_POST['username']}' AND `userpass` = '".hash('sha256',$_POST['password'])."'");
    if ( $db->num_rows($uq) == 0 ) {
        die("
    <h3>{$set['game_name']} Error</h3>
    Invalid username or password!<br>
    <a href=login.php>> Back</a>
        ");
    } else {
        $_SESSION['loggedin'] = 1;
        $mem = $db->fetch_row($uq);
        // multi_login token: md5 of the e-mail plus a number from rand(1,100000)
        $rand_num = rand(1,100000);
        $_SESSION['multi_login'] = md5($mem['email'].$rand_num);
        $_SESSION['userid'] = $mem['userid'];
        $IP = $db->escape($_SERVER['REMOTE_ADDR']);
        // ... (rest of the file not quoted in the post)
    }

In the authenticate.php file. I'll be honest I've not had an in-depth look at Redux either, but from what I have seen it doesn't get much better.

EDIT: Danny's Lite has been added as an attachment (permission received from Danny to post it).

Lite.zip

Edited by Djkanna
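As an added example (not MCCodes, Redux or any poster's code), here is the logic of the quoted authenticate.php block rewritten the way a reviewer would ask for: the username is bound instead of interpolated, the password is checked with password_verify() against a salted password_hash() digest rather than a bare sha256, and the session values come from a CSPRNG. It runs stand-alone against an in-memory SQLite database; the column names (userid, email, login_name, userpass) follow the quoted snippet, while the test account and its password are constructed here.

```php
<?php
// Added example, not MCCodes or Redux code: the quoted authenticate.php logic
// rewritten so the username is bound instead of interpolated, the password is
// checked with password_verify(), and the session values are generated with a
// CSPRNG. Runs stand-alone against an in-memory SQLite database; the column
// names (userid, email, login_name, userpass) follow the quoted snippet, and the
// account is constructed here.
declare(strict_types=1);

function make_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec("CREATE TABLE users (userid INTEGER PRIMARY KEY, login_name TEXT UNIQUE, email TEXT, userpass TEXT)");
    // userpass holds a salted password_hash() digest, not an unsalted sha256 hex string
    $st = $db->prepare("INSERT INTO users (login_name, email, userpass) VALUES (?, ?, ?)");
    $st->execute(['admin', 'admin@example.test', password_hash('correct horse', PASSWORD_DEFAULT)]);
    return $db;
}

// Returns the userid on success, null on failure. Because the name is a bound
// parameter, "admin' OR '1'='1" is looked up literally and matches nothing.
function authenticate(PDO $db, string $username, string $password): ?int {
    if ($username === '' || $password === '') {
        return null;
    }
    $st = $db->prepare("SELECT userid, userpass FROM users WHERE login_name = :name");
    $st->execute([':name' => $username]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['userpass'])) {
        return null;   // same answer for unknown user and wrong password
    }
    return (int) $row['userid'];
}

// Values to store in $_SESSION after a successful login. The session id is
// regenerated so an id fixed before login is not kept, and the multi-login
// token comes from random_bytes() rather than md5(email . rand(1, 100000)),
// which has only 100000 possible values per account.
function session_values_for(int $userid): array {
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);
    }
    return [
        'loggedin'    => 1,
        'userid'      => $userid,
        'multi_login' => bin2hex(random_bytes(32)),
    ];
}

$db = make_db();
var_dump(authenticate($db, "admin' OR '1'='1", 'anything'));
var_dump(authenticate($db, 'admin', 'wrong password'));
$uid = authenticate($db, 'admin', 'correct horse');
var_dump($uid);
if ($uid !== null) {
    var_dump(session_values_for($uid));
}
```

In a real login page the caller runs session_start() first and then merges the returned array into $_SESSION. Existing accounts whose userpass column still holds an unsalted sha256 digest can be migrated without a reset: verify the old digest once on the next successful login and overwrite it with password_hash() output.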

> My opinion was formed from the first thing I saw in Redux
> [authenticate.php snippet, quoted from the post above]

This is enough to bring me to tears. You definitely need to hire someone to check over your site in any case because I wouldn't personally trust an unsecured version of McCodes on my servers.


2 weeks later...

Raw post data in a query is very sad indeed. I helped someone using another engine, not sure which; its users table was named grpgusers, and it has those all over the place :(

Checked out mccodez.com; thought I'd save myself some time by not programming a game from scratch.

Checked out their demo site, registered and logged in to this screen:

[screenshot: redux.png]

Good thing I used a username and password combo that I don't use on other sites.


> This is enough to bring me to tears. You definitely need to hire someone to check over your site in any case because I wouldn't personally trust an unsecured version of McCodes on my servers.

I don't recall coding that.

No script is 100% secure. Look at 2.0.0 compared to 2.0.3 and please tell me there are no security issues fixed, and please, if you say 2.0.3 is insecure, mail me the issues rather than sitting here flapping your mouths; give me the issues. Everyone knows I'll fix 100% of my code if an issue is found, but I can't read minds. We are all developers, are we not? It's a piss take when people sit there saying it's insecure and don't even report the issues. It's nice when people return the favour, isn't it...

I would help any of you with free checks etc., and you sit here saying it's insecure without even messaging me.


> Good thing I used a username and password combo that I don't use on other sites.

You are just ignorant.

@Paul: If this was because of your work, then you are to blame.

And then stop being full of yourself and just admit defeat this once. Other websites with your code are also at risk then, and it could come down to you if they get hacked.

Find the problem, and fix it man.


I give the floor to people with suggestions on how it may be better secured, or to report such insecurities in the script. It is true I spent about 2 weeks going through the script, and even in that time I'm sure I never found every single little imperfection in it, although I can say I found more security holes in those 2 weeks than I even considered possible when I originally got the script. I patched output and input on many things; as I recall, I actually considered a restructure a few times, which is where I came up with the idea of Redux: to sort out the structure and basically make it easier for a developer to find things. Sadly some people took this as a more difficult approach to the script and dismissed it.

I really appreciate your time to write out your views, and thank you for taking the time, unlike other people who basically just said "it's ****" and flamed it.

NOTE: while restructuring Redux I did a lot more work on the SQL and sanitized a lot of stuff.

Edited by Paul Evans

> I give the floor to people with suggestions on how it may be better secured, or to report such insecurities in the script. [...] I patched output and input on many things [...]
> I really appreciate your time to write out your views, and thank you for taking the time, unlike other people who basically just said "it's ****" and flamed it.

You say you patched input and output on many things; I'm guessing you missed at least one major one, probably a lot more. Now you say it's down to the community. Well, you're wrong. It is us who pay $100+ for McCodes, and $300 previously; why would we pay $400+ for something that isn't far enough advanced to make a usable game, never mind the fact we have to go through each file and secure it again, after we shelled out extra for someone to secure it? If I hired a programmer to make me something and they said it was secure, why would I then need to point out security flaws in said product? You're going about this all wrong, Paul. Admit that you have missed something; take it on the chin. It's not our fault that we paid for something advertised as secure and didn't point out flaws, when you as the programmer shouldn't have left them there in the first place. All the greatest people have made mistakes; what makes them different is that they admit it, try and find a way to fix it, and get back on with their job. You need to do the same.


Spud, I would never admit defeat; it's not over.

Danny, I missed something?

I love this, I really do. As I said, I spent 2 weeks on the project, and in that time I found multiple issues people on MWG hadn't even known about (I know this from helping multiple people in the past with security checks on their projects). I really don't mind if you guys say it's insecure.

I don't see one case of people hacking a website using 2.0.3, and no one has even given an example of the insecurity in the script, yet they are complaining. I mean, Danny, you personally provide me with one insecurity in the script and the way you'd hack it.

^ Only one, mate; it should be easy considering the script is SO INSECURE.

This is a community. No, it's not your place to secure the script, but as a community you should better the script for other people. It's quite selfish of someone to say it's insecure but never give an example or even give suggestions to the developers of the script.

Microsoft have a report-a-bug program, and so do Firefox, Google and Facebook; should I go on? They depend on people reporting bugs, as does MC, but it seems the community has twisted in bitterness over the time between MC releases. They outsourced MC 2.0.3 to me, which is a large improvement on 2.0.2b, but I have been away lately, yes, and I'm sure a lot of you were a little pissed I got the job and you didn't. I did my best at the time with a limited time period, and it actually works a lot better than previous versions. MC v3 is going to be released soon, I hear, and then you guys can go forth and complain about something else.

Danny, I'm sure your engine will be quite impressive; I'll be sure to pay special attention to it, just as you have with .3. I always repay favours, but like I said earlier, 100% security is impossible. I will find issues in your script just as you will with my project, but the difference is you produced yours from scratch; I worked with an already commercial script which already had many haters who, even if they got the most secure script in the world, would never be happy. I will, though, help with any insecurities in your script, because I'm not the type of person to just say it's insecure; I help.


> Microsoft have a report-a-bug program, and so do Firefox, Google and Facebook; should I go on?

Let's put this in perspective, though. For the cost of the MCC engine you could buy a legitimate copy of an entire operating system from Microsoft, not just a few scripts, and that's a hell of a comparison to make. And Google and Mozilla offer their apps (Chrome and Firefox) for free, and as such we cannot sit and make complaints about something we get for free. When you charge $100 where they charge $0, you cannot sit there and make comparisons to them. For $100 a license, you have to be open to criticism where it is due.


@Paul, it is over - you lost.

But whether you can continue with securing MCC is another part of it.

I know you are a very talented programmer; I've seen your work before. I don't agree with people criticising the way they do, but as Octarine said, there is no other way to communicate with the MCC developers. I myself have tried to contact ColdBlooded on a few occasions, and the only time he ever replied was when it was about something entirely different from the code. They aren't very responsive, and an approach towards fixing that aspect of MCCodes will benefit them.

Octa made a good suggestion for a solution, a bug tracker.


> A thought however crosses my mind here. Were we, the community, to better the script, then it is the developers that ultimately gain, not the users who have paid and will probably keep paying for the privilege of an insecure script. Redux being a case in point here.

Worrying statement, that; by helping a developer of a script you help all buyers of the script, including yourself. Updates are free; actually, 2.0.3 was free to all people who bought v2.0 or above, so I don't see a single profit to developers from reporting bugs rather than from new sales of the script. But if a community was so nice as to report bugs in a script they complain about, then maybe there would be less complaining and more improvements made to the overall script in question.

EDIT: Spud, yes, a bug tracker is a very, very good solution; I will put the suggestion forward to CB myself. I have said a few times I would personally take bug reports via mail on here and sort them ready for a new release of the MCC v2 patch.

Edited by Paul Evans
