The Coder, posted September 9, 2012:

Hey, I wanted to know if someone could redirect me to a forum thread explaining how to remove all use of your crons in favour of timestamps? On a side note, is there any actual difference other than the obvious one? Thanks.
sniko, posted September 9, 2012:

> On a side note, is there any actual difference other than the obvious one?

Yes. They will only do what they're told when it's requested, for example when a user is online. If, however, a user is not online making requests (clicking links), it will not run, although you can work around that with a little math.

Here are a few links:
- time() - Return current time
- glob() - Used to include all cron files, in my method
- Some basic PHP knowledge and, of course, you need to know some math
HauntedDawg, posted September 10, 2012:

> Yes. They will only do what they're told when it's requested, for example when a user is online. If, however, a user is not online making requests (clicking links), it will not run, although you can work around that with a little math.
>
> Here are a few links:
> - time() - Return current time
> - glob() - Used to include all cron files, in my method
> - Some basic PHP knowledge and, of course, you need to know some math

Never do such a thing, please.
a_bertrand, posted September 10, 2012:

Why shouldn't you do that, HD?
HauntedDawg, posted September 10, 2012:

What if I found a loophole (which is quite common on mccode, even the patched ones) that allowed me to upload a file? Now his cron system would automatically run my file, correct? Now, imagine the possibilities allowed to run through that file? Obviously, if thought through, this can work, with whitelisting that is. But don't simply tell another person to use glob() to include all the files, that's just... bad.

What I've found that works is something along these lines:

CREATE TABLE `crons` (
  `cron_name` varchar(50) COLLATE utf8_unicode_ci NOT NULL DEFAULT '',
  `cron_last_run` int(11) NOT NULL,
  `cron_code` varchar(30) COLLATE utf8_unicode_ci NOT NULL DEFAULT '',
  `cron_minus` int(10) unsigned NOT NULL,
  `cron_enabled` tinyint(1) unsigned NOT NULL DEFAULT '1',
  KEY `cron_name` (`cron_name`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci;

Example row:

{
  "data": [
    {
      "cron_name": "1 Minute",
      "cron_last_run": 1347245661,
      "cron_code": "one_minute",
      "cron_minus": 60,
      "cron_enabled": 1
    }
  ]
}

PHP file to run timestamp:

<?php
# Do your database includes & setup here
include_once('class/cron.php');
$cron = new Cron;
$crons = mysql_query('SELECT * FROM `crons` WHERE `cron_enabled` = 1');
$executed = array();
while($soc = mysql_fetch_assoc($crons)) {
    # Due when at least one full interval (cron_minus seconds) has passed since the last run
    if((time() - $soc['cron_minus']) > $soc['cron_last_run']) {
        # How many intervals were missed; the job is told so it can catch up in one go
        $multiply = ((time() - $soc['cron_minus']) - $soc['cron_last_run']) / $soc['cron_minus'];
        $multiply = floor($multiply);
        $multiply = ($multiply) ? $multiply : 1;
        # Call the Cron method named in the row directly (no eval()); skip rows whose
        # cron_code does not name an existing method
        $method = $soc['cron_code'];
        $return = method_exists($cron, $method) ? $cron->$method($multiply) : false;
        if($return) $executed[] = $soc['cron_code'];
    }
}
if(!empty($executed)) {
    mysql_query('UPDATE `crons` SET `cron_last_run` = '.time().' WHERE `cron_code` IN("'.implode('","', $executed).'")');
}
?>

Then your class as such:

class Cron {
    public function one_minute($multiply = 1) {
        # Example query:
        # mysql_query('UPDATE `users` SET `energy` = (`energy` + '.(5 * $multiply).') WHERE `energy` > 0');
        return true;
    }
}

* UNTESTED AND WILL NEED WORK TO MAKE IT WORK.
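An added example, not code from the thread or from MCCodes, of the request-triggered "timestamp cron" idea sniko and HauntedDawg describe, built over HauntedDawg's `crons` table. It dispatches only a fixed whitelist of job methods (no eval(), no glob() include), computes the catch-up multiplier as whole intervals elapsed, and claims each due job with a conditional UPDATE so two page requests arriving at the same moment cannot both run it. The PDO connection and the Cron class body are assumed.

```php
<?php
// Added example, not code from the thread: a request-triggered "timestamp cron"
// dispatcher over HauntedDawg's `crons` table. It replaces eval()/glob() with a
// fixed whitelist of job methods and claims each due job with an atomic UPDATE
// so two concurrent page requests cannot both run it. PDO connection assumed.
final class Cron
{
    // Only these cron_code values are ever dispatched; others are logged and skipped.
    public const ALLOWED = ['one_minute'];
    public function one_minute(int $multiply): bool
    {
        // e.g. UPDATE users SET energy = energy + (5 * $multiply) WHERE energy > 0
        return true;
    }
}

// Whole intervals elapsed since the job last ran (0 = not due yet).
function cronMissedRuns(int $now, int $lastRun, int $interval): int
{
    return $interval > 0 ? intdiv(max(0, $now - $lastRun), $interval) : 0;
}

function runDueCrons(PDO $db, Cron $cron, ?int $now = null): array
{
    $now = $now ?? time();
    $executed = [];
    $rows = $db->query('SELECT cron_code, cron_last_run, cron_minus FROM crons WHERE cron_enabled = 1');
    // The claim succeeds only for the request that still sees the old timestamp.
    $claim = $db->prepare(
        'UPDATE crons SET cron_last_run = :new WHERE cron_code = :code AND cron_last_run = :old'
    );
    foreach ($rows as $row) {
        $code = $row['cron_code'];
        if (!in_array($code, Cron::ALLOWED, true)) {
            error_log("cron: refusing unknown job '$code'");
            continue;
        }
        $last = (int) $row['cron_last_run'];
        $step = (int) $row['cron_minus'];
        $runs = cronMissedRuns($now, $last, $step);
        if ($runs < 1) {
            continue;
        }
        // Advance by whole intervals so a late request does not lose the remainder.
        $claim->execute([':new' => $last + $runs * $step, ':code' => $code, ':old' => $last]);
        if ($claim->rowCount() === 1 && $cron->$code($runs)) {
            $executed[] = $code;
        }
    }
    return $executed;
}
```

Because the timestamp is advanced before the job body runs, a request that dies mid-job loses that run rather than repeating it; for jobs that hand out resources (energy, money) that is the safer side to err on.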
a_bertrand, posted September 10, 2012:

Well, if a player is able to upload a PHP file, you are anyhow f*@!, as you could still use a remote cron system which would call this file periodically. So for me the security is not different. Sorry. The first thing to do is to patch any vulnerability which would allow a player to send custom code.
Dave, posted September 10, 2012:

HD, you're making no sense: if a user is able to upload a PHP script to the website, they could easily just run it manually and not even need the cron to run it. Using glob wouldn't be a security issue; somehow allowing users access to file uploads is.
HauntedDawg, posted September 10, 2012:

> HD, you're making no sense: if a user is able to upload a PHP script to the website, they could easily just run it manually and not even need the cron to run it. Using glob wouldn't be a security issue; somehow allowing users access to file uploads is.

Think outside the box. I could manually run that script, which on each run will, let's say for example, give me $1,000,000, or I could let the cron run every minute and do it for me. I could allow that script to upload a backdoor every minute to a different file each time. I could create that script to add one line of PHP to each of your pages each time it runs to auto-download malware onto your PC. Or better yet, why don't I just create a simple script that adds a simple line of PHP to every PHP page on your system, and every load of that page will send me the user's cookie data. The options are endless, not just the fact that the website owner has left an open vulnerability on the site.

But let's move on. OK, I find a hole through which I can upload my malicious script. I have to then run it manually. What happens? It gets logged in the access logs; if it's included, on the other hand, there is no log of my IP hitting that script.

Now, you say "file uploads" are insecure. While I agree with you on that, pulling an image from a source is also insecure. Let's take for example the very well known exploit on WordPress (TimThumb). TimThumb gets hit with a URL such as:

http://url.com/wp-content/../../timthumb.php?url=.......&x=360&y=400

What if the URL landed on a PHP script that looks to be an image:

GIF89a<...binary GIF header bytes...><?php ...malicious script to follow here...

Follow Murphy's Law: "Anything that can go wrong, will go wrong."
a_bertrand, posted September 10, 2012:

You don't need to run them manually; you can use remote cron systems, proxies and much more. As soon as you find a way to upload some custom-made PHP file, you can basically do all that you want. No need to be executed by cron or not.

Well, the image upload can be handled in different ways:
- If you don't allow code execution (PHP or any other) in the uploaded image directory, I hardly see how you could be vulnerable.
- If you load the image from another script and serve it only as content, as the image upload is not directly visible, then again I hardly see the vulnerability.

Overall, your cron statement is for me nonsense. If you can upload a script you are vulnerable, no need to be run by cron or not. And actually running by cron changes nothing.
sniko, posted September 10, 2012:

A way to protect against malicious code in images, so I've read, is to output them using GD. Anyway, that's off topic.

@HD - Some good points raised; however, have you found a backdoor to upload a file to the server? I understand to take Murphy's Law into consideration. (May be a dumb moment) - Also, this isn't a war-starter question. :)
HauntedDawg, posted September 10, 2012:

> @HD - Some good points raised; however, have you found a backdoor to upload a file to the server? I understand to take Murphy's Law into consideration. (May be a dumb moment) - Also, this isn't a war-starter question. :)

To answer your question directly: no, not on the current release of MCCodes. However, many, many people just upload already-made scripts from here, which do entail the vulnerability to do such an exploit, or any other exploit for that matter.

"What can go wrong, will go wrong."

"Assume" => Making an "ass" out of "u" & "me". So, never assume you are secure, for the day comes that you are attacked, you'll feel like an ass.
sniko, posted September 10, 2012:

> To answer your question directly: no, not on the current release of MCCodes. However, many, many people just upload already-made scripts from here, which do entail the vulnerability to do such an exploit, or any other exploit for that matter.
>
> "What can go wrong, will go wrong."
>
> "Assume" => Making an "ass" out of "u" & "me". So, never assume you are secure, for the day comes that you are attacked, you'll feel like an ass.

Yeah! I remember watching a film, forgot the title, and its main line was "Assuming is the mother of all f*ck ups". (Perhaps DJK will know the film :p They were on a train)
Djkanna, posted September 10, 2012:

> (Perhaps DJK will know the film :p They were on a train)

I do actually; however, I do not wish to say, for fear of being called names. :p

Okay, you win: Under Siege 2 (not as good as number 1, but a pretty solid Seagal film, if there is one) - You could just Google the quote, you know?
sniko, posted September 10, 2012:

> I do actually; however, I do not wish to say, for fear of being called names. :p
>
> Okay, you win: Under Siege 2 (not as good as number 1, but a pretty solid Seagal film, if there is one) - You could just Google the quote, you know?

You never fail to amaze! Haha, I know, but DJK's brain is better than the internet for searching movie quotes ;)
Djkanna, posted September 10, 2012:

> You never fail to amaze! Haha, I know, but DJK's brain is better than the internet for searching movie quotes ;)

Only certain movies, i.e. ones I've watched. >_< Anyway, off topic now, so I'll be leaving. :P
Spudinski, posted September 10, 2012:

> A way to protect against malicious code in images, so I've read, is to output them using GD. Anyway, that's off topic.

I will kill you; that's not even remotely close to the correct method. It's been discussed on this forum already: the best way to validate any file is through its MIME type.

And to those debating about crons: if your application needs crontabs to be able to function, you're doing it wrong. Timers should be treated as a luxury in any piece of software.
sniko, posted September 10, 2012:

> I will kill you; that's not even remotely close to the correct method. It's been discussed on this forum already: the best way to validate any file is through its MIME type.

My last words, before you kill me: I read it somewhere :p
Spudinski, posted September 10, 2012:

> My last words, before you kill me: I read it somewhere :p

Silence...