TheMasterGeneral Posted April 16, 2015

The problem I noticed with McCodes is it offers no default way to recover passwords. Sure, you could have a staff panel and do it manually, but that really doesn't help when an actual user cannot log into their account. So, enter Password Recovery! This should be pretty fool-proof. It makes the user input a few fields only a true owner would know (login name, user ID, registered email) and allows them to specify a password, then confirm a captcha. I believed this to be the best way, since most users will change their name in game at least once, which already makes one of the inputs hard to figure out. The email (in most games) would be hidden from public view, so only the owner (of the game, and account) will know that as well. Involves creating a single file and editing a file. Righto, let's get started.

pwform.php

(code hidden: forum registration required)

Save, upload. Open login.php

Find:

(code hidden: forum registration required)

Paste after:

(code hidden: forum registration required)

Screenie: (attachment not available)

Unintentional game advertising is unintentional. >_>

Update: Security flaw fixed.
Jacko11208 Posted April 16, 2015 (edited)

Looks pretty solid, I'll poke at it later :p. Completely up to you, but why not add an event for the staff log that includes the IP of said user?

Edited April 16, 2015 by Jacko11208
KyleMassacre Posted April 16, 2015

> Looks pretty solid, I'll poke at it later :p. Completely up to you, but why not add an event for the staff log that includes the IP of said user?

What would be the point? IPs change. Some ISPs offer dynamic IPs that change constantly, or they can be mobile.
Jacko11208 Posted April 16, 2015

> What would be the point? IPs change. Some ISPs offer dynamic IPs that change constantly, or they can be mobile.

I know, I just thought it may be better to log something rather than nothing. What would you suggest?
KyleMassacre Posted April 16, 2015

> I know, I just thought it may be better to log something rather than nothing. What would you suggest?

I wouldn't log anything into the staff log, it is not a staff feature. If anything, I would create a new log for user actions.
Jacko11208 Posted April 16, 2015

Point taken, having a user log you would be able to log any possible abuse. Thanks for your input.
KyleMassacre Posted April 16, 2015

No problem. It can be used as something like a staff log that just logs notes, actions, etc. about the user.
TheMasterGeneral (Author) Posted April 16, 2015

@Jacko11208 told me of a security flaw that could be used to gain access to the owner account. This flaw consisted of a domain whois lookup, which would show the registered email (assuming the admin used the same email in the login process), which would make it pretty much easy to gain access to the owner's account. To fix this, I set up an if command that tests for the inputted user ID and, if it equals any of the numbers in the array, it'll tell them "Invalid user." Since it's an "in_array", all you have to do is edit the field to add whatever user IDs you want denied. You could easily set that to user_level, and have it list all the user_levels who aren't a member (NPCs, Admins, Secretaries, Assistants, etc.). Jack's doing some extra testing, will let you know in a bit if he discovers more flaws.
krballard94 Posted April 16, 2015

I wouldn't do it this way at all personally. I'm not going into the code as I don't have McCodes. Also I think it's just badly built.

I'd create a new table, e.g. password_resets (email, token, timestamp), first of all. Next I'd let the user create a new row in that table by making them fill out a forgot password form, generally just an email field, maybe a captcha if you want. Do some validation on the email, and then I'd insert the email, a generated token and the timestamp for this. The user will receive an email with a link to the file with the query string for the token appended there and then allow them to change password. The timestamp is just an extra field, but I'd use it to make the token valid for around an hour.

Just my two cents!
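The flow krballard94 sketches above, written out as an added example; this is not krballard94's code or part of McCodes or the original mod. The password_resets table gets a hashed token rather than the raw one, a created_at timestamp for the one-hour limit, and a used flag so a link works once. The table layout, the pwreset.php file name, the sample user and the in-memory SQLite database (PHP 8.0+ with pdo_sqlite) are assumptions made so the script runs stand-alone.

```php
<?php
declare(strict_types=1);

const TOKEN_TTL_SECONDS = 3600; // tokens are valid for one hour

function setupDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (userid INTEGER PRIMARY KEY, email TEXT UNIQUE, userpass TEXT)');
    $db->exec('CREATE TABLE password_resets (email TEXT, token_hash TEXT, created_at INTEGER, used INTEGER DEFAULT 0)');
    // constructed sample account
    $db->prepare('INSERT INTO users (email, userpass) VALUES (?, ?)')
       ->execute(['player@example.com', password_hash('old-password', PASSWORD_DEFAULT)]);
    return $db;
}

// Step 1: the "forgot password" form submits only an email address.
// Returns the raw token to embed in the emailed link, or null if the email is
// unknown. The caller must show the same "check your inbox" page either way,
// otherwise the form tells an attacker which emails are registered.
function createResetToken(PDO $db, string $email, int $now): ?string
{
    $stmt = $db->prepare('SELECT 1 FROM users WHERE email = ?');
    $stmt->execute([$email]);
    if ($stmt->fetchColumn() === false) {
        return null;
    }
    $token = bin2hex(random_bytes(32));   // 256 bits from the CSPRNG, not guessable
    $hash  = hash('sha256', $token);      // store only the hash: a leaked table must not yield live links
    // any earlier outstanding token for this email stops working
    $db->prepare('UPDATE password_resets SET used = 1 WHERE email = ?')->execute([$email]);
    $db->prepare('INSERT INTO password_resets (email, token_hash, created_at) VALUES (?, ?, ?)')
       ->execute([$email, $hash, $now]);
    return $token;
}

function buildResetLink(string $baseUrl, string $token): string
{
    return $baseUrl . '/pwreset.php?token=' . rawurlencode($token); // hypothetical reset page
}

// Step 2: the user follows the link and posts a new password.
function consumeResetToken(PDO $db, string $token, string $newPassword, int $now): bool
{
    $hash = hash('sha256', $token);
    $stmt = $db->prepare('SELECT rowid, email, created_at FROM password_resets WHERE token_hash = ? AND used = 0');
    $stmt->execute([$hash]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || $now - (int) $row['created_at'] > TOKEN_TTL_SECONDS) {
        return false; // unknown, already used, or older than one hour
    }
    $db->prepare('UPDATE password_resets SET used = 1 WHERE rowid = ?')->execute([$row['rowid']]);
    $db->prepare('UPDATE users SET userpass = ? WHERE email = ?')
       ->execute([password_hash($newPassword, PASSWORD_DEFAULT), $row['email']]);
    return true;
}

function checkLogin(PDO $db, string $email, string $password): bool
{
    $stmt = $db->prepare('SELECT userpass FROM users WHERE email = ?');
    $stmt->execute([$email]);
    $stored = $stmt->fetchColumn();
    return $stored !== false && password_verify($password, $stored);
}

// Walkthrough
$db    = setupDb();
$now   = time();
$token = createResetToken($db, 'player@example.com', $now);
echo buildResetLink('https://example.invalid', $token), "\n";
var_dump(consumeResetToken($db, $token, 'new-password', $now + 600));            // accepted within the hour
var_dump(consumeResetToken($db, $token, 'attacker-pw', $now + 700));             // same link again: rejected, single use
var_dump(checkLogin($db, 'player@example.com', 'new-password'));
$late = createResetToken($db, 'player@example.com', $now);
var_dump(consumeResetToken($db, $late, 'x', $now + TOKEN_TTL_SECONDS + 1));      // rejected: expired
var_dump(createResetToken($db, 'nobody@example.com', $now));                    // unknown email: nothing issued
```

Two things the thread's later posts make relevant: the token is only as strong as the mailbox it lands in, so the form itself should still be rate limited per email so it cannot be used to flood someone's inbox, and the lookup is done by hashed token so the database never holds anything that opens an account on its own.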
Truefalse Posted April 16, 2015 (edited)

This method to reset passwords has a potential serious security flaw. I could create a bash script to first send a GET request to instantiate the SESSIONS, then enumerate with POST requests 100s a second (multi-threaded process) until it finally goes through, as the captcha doesn't have enough complexity to it.

I'd grab the user ID from the user's profile link. I'd social engineer the user's email (or grab the email from a mass mail (I know 1 game that includes all emails in a mass email; I've notified the owners about 3 weeks ago, still no change)). I'd assume the user hasn't changed their login name, as it is still equal to their username. I'd input a password of my control.

Some code to show you how many times a duplicate captcha will appear in a loop of 10000 iterations:

(code hidden: forum registration required)

https://eval.in/314640

I'd consider doing what @krballard94 suggested.

Edited April 16, 2015 by Truefalse
Jacko11208 Posted April 16, 2015

> This method to reset passwords has a potential serious security flaw. I could create a bash script to first send a GET request to instantiate the SESSIONS, then enumerate with POST requests 100s a second (multi-threaded process) until it finally goes through, as the captcha doesn't have enough complexity to it.
>
> I'd grab the user ID from the user's profile link. I'd social engineer the user's email (or grab the email from a mass mail (I know 1 game that includes all emails in a mass email; I've notified the owners about 3 weeks ago, still no change)). I'd assume the user hasn't changed their login name, as it is still equal to their username. I'd input a password of my control.
>
> Some code to show you how many times a duplicate captcha will appear in a loop of 10000 iterations:
>
> (code hidden: forum registration required)
>
> https://eval.in/314640
>
> So I'd have about 25% success rate for every 10k hits, which is in my favour, though a little aggressive. Considering worst case scenario, account takeover would take 1 minute 40 seconds on a multi-threaded process, hitting your site 100 times a second (if your site doesn't fall over because of a DOS attack :cool:).
>
> I'd consider doing what @krballard94 suggested.

Would have to agree with Truefalse and krballard94. It could work, but would pose a serious security risk, and seeing that it doesn't validate the email either, as above, brute forcing would be really easy.
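The scripted guessing Truefalse describes, modelled as an added example (this is not Truefalse's script, nor code from the original mod). The attacker already supplies the correct login name, user ID and email, so the only thing left to beat is the captcha; the script then loops at 100 requests a second. The same loop is run a second time against a per-account failure limiter, which is the server-side control that makes the attack stop mattering regardless of how weak the captcha is. The captcha space, the request rate, the 5-failures-per-hour limit and the constructed account/IP key are assumptions; PHP 8.0+ is assumed.

```php
<?php
declare(strict_types=1);

// Chance that k independent uniform guesses hit a captcha with n possible answers.
function successProbability(int $n, int $k): float
{
    return 1.0 - (1.0 - 1.0 / $n) ** $k;
}

// Sliding-window failure counter. The key includes the *target account* as
// well as the source IP: IPs rotate (KyleMassacre's point earlier in the
// thread), but the attacker cannot change which account they are after.
final class ResetAttemptLimiter
{
    /** @var array<string, int[]> key => failure timestamps in milliseconds */
    private array $failures = [];

    public function __construct(private int $maxFailures, private int $windowMs)
    {
    }

    public function allowed(string $key, int $nowMs): bool
    {
        $this->prune($key, $nowMs);
        return count($this->failures[$key] ?? []) < $this->maxFailures;
    }

    public function recordFailure(string $key, int $nowMs): void
    {
        $this->failures[$key][] = $nowMs;
    }

    private function prune(string $key, int $nowMs): void
    {
        if (!isset($this->failures[$key])) {
            return;
        }
        $this->failures[$key] = array_values(array_filter(
            $this->failures[$key],
            fn (int $t): bool => $nowMs - $t < $this->windowMs
        ));
    }
}

// Server side of one reset attempt: a fresh captcha with $captchaSpace
// possible answers is generated per request and compared with the guess.
function attemptReset(int $captchaSpace, int $guess): bool
{
    $answer = random_int(0, $captchaSpace - 1);
    return $guess === $answer;
}

// The attacker's loop at $requestsPerSecond. Returns how the attack ended.
function simulateAttack(int $captchaSpace, int $maxRequests, int $requestsPerSecond, ?ResetAttemptLimiter $limiter): array
{
    $key    = 'uid:42|ip:203.0.113.5'; // constructed victim account and attacker address
    $served = 0;
    $nowMs  = 0;
    for ($i = 0; $i < $maxRequests; $i++) {
        $nowMs = intdiv($i * 1000, $requestsPerSecond);
        if ($limiter !== null && !$limiter->allowed($key, $nowMs)) {
            return ['outcome' => 'blocked', 'requests_served' => $served, 'elapsed_s' => $nowMs / 1000];
        }
        $served++;
        if (attemptReset($captchaSpace, random_int(0, $captchaSpace - 1))) {
            return ['outcome' => 'takeover', 'requests_served' => $served, 'elapsed_s' => $nowMs / 1000];
        }
        if ($limiter !== null) {
            $limiter->recordFailure($key, $nowMs);
        }
    }
    return ['outcome' => 'gave_up', 'requests_served' => $served, 'elapsed_s' => $nowMs / 1000];
}

// A captcha with about 3,000 distinguishable answers, 10,000 requests at 100/s.
$space = 3000;
printf("P(success) for 10,000 guesses against %d answers: %.2f\n", $space, successProbability($space, 10000));
print_r(simulateAttack($space, 10000, 100, null));                                   // no limiter
print_r(simulateAttack($space, 10000, 100, new ResetAttemptLimiter(5, 3600 * 1000))); // 5 failures per hour per account
```

The first run shows why "the captcha doesn't have enough complexity" is fatal on its own: once the other fields are known, the expected time to takeover is just the captcha space divided by the request rate. The second run is cut off at the sixth request, so the captcha's size stops being the thing that decides the outcome. In a real deployment the counter lives in the database (keyed on the user ID) rather than in process memory, and the same limiter should sit in front of whichever reset design is chosen, token email or security question alike.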
KyleMassacre Posted April 16, 2015

I wouldn't ask them to input a new password anyway. I would generate a password for them and, yes, send it as plain text to the email associated with their account. If someone happens to be able to access your email account, you have bigger problems than someone getting into your game account. Or I would do it as previously stated, by using a token and emailing it to them and asking them to change their password upon clicking the link. Or another way is to set up security questions, and not security questions you would use from a bank site, since those can be personal.
TheMasterGeneral (Author) Posted April 17, 2015

I'll have to end up figuring out the PHP mail() function. Seems it won't send at all from my POV. Could be an issue with the VPS I've got, I'll check with the host.

> Or another way is to set up security questions, and not security questions you would use from a bank site, since those can be personal.

That seems like the most promising, though. Security question, then email a random password to the account.
peterisgb Posted April 30, 2021 (edited)

I've had to edit my version of this for 2 reasons: I don't use the username login system and a different version of McCodes. I also changed mine over to a security question setup. Players use their email address and answer to reset their passwords. I also removed the captcha as I didn't like it lol.

(code hidden: forum registration required)

Also with this you will need to create 2 new fields in users: squestion and sanswer.

Open preferences.php and add these:

(code hidden: forum registration required)

(code hidden: forum registration required)

Edited April 30, 2021 by peterisgb (removed stuff needed to work as my code differs)
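An added example of how the squestion/sanswer fields peterisgb adds can be stored and checked without keeping the answer in plaintext; this is not peterisgb's code and not the original mod. A security answer is a low-entropy secret, so it gets the same treatment as a password: canonicalised (case and whitespace) so the player can type it slightly differently, then stored as a password_hash() and compared with password_verify(). The in-memory $users array stands in for the users table; its column names, the sample player and the four-character minimum are assumptions. PHP 8.0+ with mbstring is assumed.

```php
<?php
declare(strict_types=1);

// Canonical form so "Rex the Dog" and " rex   THE dog" compare equal.
function normalizeAnswer(string $answer): string
{
    $lower = mb_strtolower(trim($answer), 'UTF-8');
    return preg_replace('/\s+/u', ' ', $lower);
}

// Reject answers that would be trivial to guess outright.
function answerAcceptable(string $answer): bool
{
    return mb_strlen(normalizeAnswer($answer), 'UTF-8') >= 4;
}

// Value to write into users.sanswer: a hash, never the plaintext, so a
// database dump does not hand out every player's reset secret.
function hashAnswer(string $answer): string
{
    return password_hash(normalizeAnswer($answer), PASSWORD_DEFAULT);
}

function verifyAnswer(string $answer, string $storedHash): bool
{
    return password_verify(normalizeAnswer($answer), $storedHash);
}

function normalizeEmail(string $email): string
{
    return mb_strtolower(trim($email), 'UTF-8');
}

// Reset handler for peterisgb's email + answer form. Returns true and replaces
// userpass only when both match; callers should count failures per account.
function resetWithQuestion(array &$users, string $email, string $answer, string $newPassword): bool
{
    $email = normalizeEmail($email);
    foreach ($users as $id => $u) {
        if (hash_equals($u['email'], $email) && verifyAnswer($answer, $u['sanswer'])) {
            $users[$id]['userpass'] = password_hash($newPassword, PASSWORD_DEFAULT);
            return true;
        }
    }
    return false; // unknown email or wrong answer: same result for both, on purpose
}

// Constructed stand-in for the users table with the two new columns.
$users = [
    42 => [
        'email'     => 'player@example.com',
        'userpass'  => password_hash('old-password', PASSWORD_DEFAULT),
        'squestion' => 'What was the name of your first pet?',
        'sanswer'   => hashAnswer('Rex the Dog'),
    ],
];

var_dump(answerAcceptable('Rex'));                                                   // too short to be worth asking
var_dump(resetWithQuestion($users, 'Player@Example.com ', ' rex   THE dog', 'new-password')); // matches after canonicalisation
var_dump(resetWithQuestion($users, 'player@example.com', 'Fido', 'attacker-pw'));    // wrong answer
var_dump(password_verify('new-password', $users[42]['userpass']));
```

Dropping the captcha, as this version does, leaves the answer as the only thing between an attacker who knows the email and a password change, so this form needs per-account attempt limiting even more than the original did.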