Computer Science Canada

PHP Multiplayer Online Browser Fantasy RPG

Author:  DanShadow [ Wed Sep 15, 2010 6:54 pm ]
Post subject:  PHP Multiplayer Online Browser Fantasy RPG

Hey all,

I'm in the process of developing an online multiplayer fantasy RPG called Realm of Darkness!

Development is going pretty good so far, but I'd love some feedback, suggestions, and testers Smile

The game is currently hosted at: http://www.danshadow.pcriot.com/

Thanks!!

Author:  Drahcir [ Thu Sep 16, 2010 2:20 am ]
Post subject:  Re: PHP Multiplayer Online Browser Fantasy RPG

Perhaps you should make a check so that it won't let me buy a certain item with id 47 for 1 gold in the shop by merely changing the html code.
Escaping quotes was a good idea. Good job on that one.
The layout uses too many tables. Although using tables to arrange data isn't incorrect, nesting tables within tables just seems wrong, and wastes the user's bandwidth. I'm guessing you're either generating the tables, or hard-coding them in the php files. Try making template files and outputting variables to your template. Google Model-view-controller architecture for more information about that.

And frames are really ugly. Honestly. If you need to use frames, then there's something wrong with the way you're programming it.

Author:  DanShadow [ Thu Sep 16, 2010 3:08 am ]
Post subject:  RE:PHP Multiplayer Online Browser Fantasy RPG

Hmm, the game's first exploit Smile.
Thanks, when I was exploit-proofing the pages, I forgot that I set the price of a couple items to 1 gold because they weren't attainable in game.

I agree I do use too many tables.. but that's something I probably won't work on.. yet.

Frames are ugly.. but I used them for a (temporary) reason. The top "title" frame acts as an access log that logs when somebody accesses the web-site, and logs their IP address.
The bottom "chat" frame is a poorly coded PHP file-based chat with a HTTP refresher built in. I'm working on a Java Applet to replace it atm, and I'll likely get rid of the frames once I'm finished with it.

Thanks for the input, and pointing me in the direction of that exploit - much appreciated.

Author:  DanShadow [ Thu Sep 16, 2010 5:29 am ]
Post subject:  RE:PHP Multiplayer Online Browser Fantasy RPG

Btw, anybody interested in playing/testing this game should check out the Facebook page (http://www.facebook.com/pages/Realm-of-Darkness-MOG/158181007526032) for in-game promotional items!

Author:  Drahcir [ Thu Sep 16, 2010 8:26 am ]
Post subject:  Re: PHP Multiplayer Online Browser Fantasy RPG

I understand that the reason you made frames was because it was the only solution that you can think of, but I don't think it works very well. Why can't you have the access log on every content page, and thereby removing the top frame?
I wouldn't suggest making the chat with java. You should probably make it using AJAX, because it'll seem more like it's "part of the page" and not a third party widget. From all the other sites that used java chats, none of them made it work well. The only web chats that I've seen work well are the ones made from javascript.

Boohoo, I don't get to keep my hard-earned +99 damage exploit sword? Sad

Author:  Zren [ Thu Sep 16, 2010 10:52 am ]
Post subject:  RE:PHP Multiplayer Online Browser Fantasy RPG

Bug: Can't equip weapon when you're carrying a shield. You haft'a un-equip and re-equip after you equip ze weapon of le choice.

Author:  Insectoid [ Thu Sep 16, 2010 12:07 pm ]
Post subject:  RE:PHP Multiplayer Online Browser Fantasy RPG

Are you supposed to be able to 1-shot imps on your first fight ever? I logged in, hit attack, and it died.

Author:  DanShadow [ Thu Sep 16, 2010 8:21 pm ]
Post subject:  RE:PHP Multiplayer Online Browser Fantasy RPG

Thanks for the suggestion Drahcir. I decided (at least for now) I'd just increase the refresh time of the chat to 30 seconds, and give an optional refresh link on the page.
You can keep your hard earned stats, but your weapon and most of the gold you gained with it were removed, hehe.

Thanks Zren for letting me know about that bug. It's supposed to be a feature so that you can't equip a bow and a shield at the same time, but the logic behind the if check seems to be flawed somewhere.. I'll look into it.

Yup Insectoid, the lowest monster in the game will (generally) always be able to be crushed with a single blow. If you removed your equipment, might be a different story though Wink

Thanks again for the help guys!

Author:  Drahcir [ Sat Sep 18, 2010 5:42 pm ]
Post subject:  Re: PHP Multiplayer Online Browser Fantasy RPG

Hmm, going back to my exploit bug, I don't think you really solved the problem. It's not that the problem is the unobtainable item is too cheap. It's the fact that I can buy ANY item in the game just by changing the ID of the shop in HTML. Here, let me show you what I did

Ragged Archer Chaps has item ID of 39
Now if I go into firebug and change it to 49 I can buy a different item

http://img15.imageshack.us/i/exploit1y.jpg/
http://img201.imageshack.us/i/exploit2.jpg/

And now I have a vagabond choker, whatever that is.

Don't rely on the user to validate your input. Just because it's not an input box doesn't mean it can't be changed.

DanShadow @ Thu Sep 16, 2010 8:21 pm wrote:
Thanks for the suggestion Drahcir. I decided (at least for now) I'd just increase the refresh time of the chat to 30 seconds, and give an optional refresh link on the page.
You can keep your hard earned stats, but your weapon and most of the gold you gained with it were removed, hehe.

I wouldn't say they were hard earned stats. Before with unlimited energy, I wrote a greasemonkey script in about 5 minutes to automate the fighting process. That's how I got so high level so quickly. Now with limited energy, I run the script and my day is over in 30 seconds.

Author:  DanShadow [ Sat Sep 18, 2010 9:55 pm ]
Post subject:  RE:PHP Multiplayer Online Browser Fantasy RPG

Ahh yes, makes sense.
Pretty easy fix, just gotta do an if check on the "buy item" page state and cross-reference it with the shops item list to ensure the shop actually sells the item. I'll fix that up soon, thanks again Smile.

UPDATE: Just fixed the shops, so now you can't modify HTML forms to buy any item, only items that the shop is programmed to sell Smile.

As for the implementation of energy, in the next upgrade I make to the game there will be a few more uses for energy, like focused stat training, and travelling through a 2D (likely text-based) map, which will be the focus of the game after the first 10 levels.
Rather than going into an arena to fight enemies, you'll have to travel and find new enemies, new shops, etc. Also you'll be able to fight players in the world as well, which will have some kind of reward (like an honor system).

UPDATE: Just added 'The World' expansion.
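
The server-side shop check discussed in the posts above, as an added example (not the game's code or anything posted in the thread). Item IDs 39 and 49 and their names are taken from the thread; the shop names, prices and array layout are assumptions.

```php
<?php
declare(strict_types=1);

// Constructed sample data. Only the two item IDs and names come from the
// thread; shops, prices and structure are assumed for illustration.
const ITEMS = [
    39 => ['name' => 'Ragged Archer Chaps', 'price' => 120],
    49 => ['name' => 'Vagabond Choker',     'price' => 5000],
];
const SHOP_STOCK = [
    'archery'  => [39],
    'jeweller' => [49],
];

/**
 * Process a purchase. Only the item ID is read from the request, and it is
 * treated as untrusted: it must be an integer and must be in the stock list
 * of the shop the player is in. The price is always looked up on the server
 * and never read from the form.
 */
function buyItem(array $player, string $shopId, array $post): array
{
    $itemId = filter_var($post['item_id'] ?? null, FILTER_VALIDATE_INT);
    if ($itemId === false) {
        throw new InvalidArgumentException('Item ID is not an integer');
    }
    $stock = SHOP_STOCK[$shopId] ?? [];
    if (!in_array($itemId, $stock, true)) {
        throw new DomainException("Shop '$shopId' does not sell item $itemId");
    }
    $price = ITEMS[$itemId]['price'];
    if ($player['gold'] < $price) {
        throw new DomainException('Not enough gold');
    }
    $player['gold'] -= $price;
    $player['inventory'][] = $itemId;
    return $player;
}

$player = ['name' => 'Tester', 'gold' => 200, 'inventory' => []];

// Unmodified form submission from the archery shop.
$player = buyItem($player, 'archery', ['item_id' => '39']);

// Edited form: the ID was changed to 49 and a price field was added.
try {
    buyItem($player, 'archery', ['item_id' => '49', 'price' => '1']);
} catch (DomainException $e) {
    echo 'Rejected: ', $e->getMessage(), PHP_EOL;
}
echo 'Gold left: ', $player['gold'], PHP_EOL;
```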

Author:  DanShadow [ Mon Sep 20, 2010 1:19 am ]
Post subject:  RE:PHP Multiplayer Online Browser Fantasy RPG

Just did an account security upgrade.
If anyone has any issues, let me know!

Author:  Zren [ Mon Sep 20, 2010 7:00 am ]
Post subject:  RE:PHP Multiplayer Online Browser Fantasy RPG

Bug: You can URL hack yourself to the arena.php even if you're not in town.

Bug: If you have an item for sale, You can change the value of marketItem to x of another item on the market, then click retrieve item and you'll get that item for free. I pulled the top 2 items off the list. Be happy I didn't touch your eternal sword of ultimate wrath that causes the doomsday of far far away land.

Tip: Try separating the chat box and the chat submit, otherwise any text entered when the 30sec are up is gone and the person has to retype. All in all, I support AJAXy goodness.

Author:  DanShadow [ Mon Sep 20, 2010 7:20 am ]
Post subject:  RE:PHP Multiplayer Online Browser Fantasy RPG

Thanks Zren, I'll look into those later on tonight.

Author:  DanShadow [ Mon Sep 20, 2010 10:33 pm ]
Post subject:  RE:PHP Multiplayer Online Browser Fantasy RPG

Thanks a lot Zren, those suggestions have helped me fix a few big issues Smile.

URL Hacking should redirect you back to the main page.
Modifying form data on the market to retrieve items that aren't yours should now give an error message.
The chatbox is now separate from the chat message submit form, so now nobody gets cut off when typing messages.

Author:  Zren [ Tue Sep 21, 2010 4:30 am ]
Post subject:  Re: PHP Multiplayer Online Browser Fantasy RPG

Alright! Now for today's exploit. xD

Bug: Once you've logged in as any registered user, the only thing registering which user is logged in is a client side cookie. And in this cookie, you ONLY store the username. So, say if I changed that username after logging in to say, DanShadow? My, my, my. I totally just stole your Vagabond necklace for 1g. Today's exploit was brought to you by: Tamper Data, a firefox addon!

Step by step what I did:
Logged in.
Went to town.
Opened Tamper Data. Started "Tampering".
Clicked Character Sheet. Popup asking if I want to tamper, click Tamper.
Looked at Cookie input: User=Shade, changed to User=DanShadow.
Submitted that. Behold, I'm looking at your character sheet.

Basically from there, I repeated the process to Unequip the necklace, go to marketplace, new item for auction, put up necklace for 1g.
Then I stopped tampering and returned to being me, and bought the necklace. Alternately, I guess you could go into the browser cache and change the cookie permanently for this session. Now try and get it back without rolling back the server or editing the database. Razz

By the way, you had me checking most of your forms to make sure tampering the HTML wouldn't work. Congrats, you won that round.
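
An added example (not the game's code) of the server-side alternative to a username cookie, covering both this post and the earlier marketItem report: identity is read from PHP's session store, and a market listing is only released to the player who owns it. The cookie name `User` and field name `marketItem` come from the thread; the function names and market data are assumptions, and the array form of `session_set_cookie_params()` needs PHP 7.3 or later.

```php
<?php
declare(strict_types=1);

// The browser only ever holds a random session ID; the username stays on
// the server in $_SESSION.
session_set_cookie_params(['httponly' => true, 'samesite' => 'Lax']);
session_start();

function logIn(string $username): void
{
    // Call only after the password check has succeeded.
    session_regenerate_id(true);   // new ID, old session file deleted
    $_SESSION['user'] = $username;
}

function currentUser(): ?string
{
    // Deliberately ignores $_COOKIE['User'] and any form field.
    return $_SESSION['user'] ?? null;
}

/** Hand a listing back to its seller; anyone else is refused. */
function retrieveListing(array &$market, array $post): array
{
    $user = currentUser();
    if ($user === null) {
        throw new RuntimeException('Not logged in');
    }
    $id = filter_var($post['marketItem'] ?? null, FILTER_VALIDATE_INT);
    if ($id === false || !isset($market[$id])) {
        throw new DomainException('No such listing');
    }
    if ($market[$id]['seller'] !== $user) {
        throw new DomainException('Listing belongs to another player');
    }
    $listing = $market[$id];
    unset($market[$id]);
    return $listing;
}

// Constructed sample data.
$market = [
    1 => ['seller' => 'DanShadow', 'item' => 'Vagabond necklace'],
    2 => ['seller' => 'Shade',     'item' => 'Ragged Archer Chaps'],
];

logIn('Shade');
$_COOKIE['User'] = 'DanShadow';            // edited cookie, as in the post
echo 'Acting as: ', currentUser(), PHP_EOL; // still Shade

try {
    retrieveListing($market, ['marketItem' => '1']);
} catch (DomainException $e) {
    echo 'Refused: ', $e->getMessage(), PHP_EOL;
}
echo 'Returned: ', retrieveListing($market, ['marketItem' => '2'])['item'], PHP_EOL;
```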

Author:  DanShadow [ Tue Sep 21, 2010 4:54 am ]
Post subject:  RE:PHP Multiplayer Online Browser Fantasy RPG

Nice exploit Wink.

I'll get working on that one asap, lol.

Author:  DanShadow [ Tue Sep 21, 2010 5:50 am ]
Post subject:  RE:PHP Multiplayer Online Browser Fantasy RPG

There we go, after about an hour or so of re-coding, that exploit should be fixed, haha.

Now anytime somebody changes their "user" cookie and tries to access the game, it will simply log them out and delete the cookie (unless the game authenticates them).

Thanks a ton for bringing this exploit to my attention Very Happy

As for the item, you can keep it Razz. I gave myself another one with a PHP file I made, which allows me to load player files, and give them gold or items.
I'd be super impressed/scared if somebody was able to hack&access that file though Shocked

Author:  DanShadow [ Tue Sep 21, 2010 8:31 am ]
Post subject:  RE:PHP Multiplayer Online Browser Fantasy RPG

Oh btw, Zren & Drahcir..
I gave you guys a "fun" gift, it's in your inventory.

Enjoy, haha

Author:  Drahcir [ Tue Sep 21, 2010 10:16 am ]
Post subject:  Re: RE:PHP Multiplayer Online Browser Fantasy RPG

DanShadow @ Tue Sep 21, 2010 5:50 am wrote:
There we go, after about an hour or so of re-coding, that exploit should be fixed, haha.

Now anytime somebody changes their "user" cookie and tries to access the game, it will simply log them out and delete the cookie (unless the game authenticates them).

Thanks a ton for bringing this exploit to my attention Very Happy

As for the item, you can keep it Razz. I gave myself another one with a PHP file I made, which allows me to load player files, and give them gold or items.
I'd be super impressed/scared if somebody was able to hack&access that file though Shocked

You mean the one at http://www.danshadow.pcriot.com/admin.php ?

Author:  Dan [ Tue Sep 21, 2010 11:53 am ]
Post subject:  RE:PHP Multiplayer Online Browser Fantasy RPG

After looking at this for a few minutes, I have found a few massive security holes. I don't have time to go through it in depth but as a simple proof of concept I was able to dump my character's file on your server to my browser:

code:

fcs89jsz0m1j1d2p28d3
100
1
0
0
40
14
1
4
0
26
27
0
0
21
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
new user
town
0
0
0
0


and move that file into the root web directory on the server rather than in ./Chars


If i get time i can look through it a bit more thoroughly.


Update:

I found an XSS hole in the chat box that lets me inject any javascript I like, right now I set it to just was "Dan was here" but I could easily modify it to do evil things. It also loads the javascript payload from another site so it can be changed whenever the attacker wants.

Sorry that I messed your site up a bit, but hopefully it will help you make it more secure.

Author:  saltpro15 [ Tue Sep 21, 2010 12:02 pm ]
Post subject:  RE:PHP Multiplayer Online Browser Fantasy RPG

can't access this on the school computers, possibly because it contains folklore? This FortiGuard program the school board has is hilarious

Author:  DanShadow [ Tue Sep 21, 2010 2:50 pm ]
Post subject:  RE:PHP Multiplayer Online Browser Fantasy RPG

Wow..
I know the security hole when it comes to server permissions for newly created accounts, which can allow a user to view their own account if they know the public_html/ structure.. but what you've done has gone beyond what I know how to prevent.

If you have some time to explain to me how you (a) discovered the root structure, (b) were able to move files that only "user" permissions were granted to do so, (c) modify data of files whose permissions were read/write for "user" only..

I would be in your debt.. because I am clueless to how you did that O_O

As for the script injections into the chat, I should be able to prevent that by parsing user input first and checking for strings like "<script>" or "<?php", and when finding it preventing the chat submission (hopefully).

I only got to take 1 course in PHP in college, (because the 3rd year program focus for web-design was primarily ASP.NET based, which I wasn't too pleased with) so I know very little when it comes to web-site security. Kind of learning as I go along.

So yeah, if you ever have time to explain a bit of what you were able to do, I'd really appreciate it!!

Don't worry about messing up the site, working on major security flaws is more important to me than resetting a couple files and modifying a data file Razz

Update: I did a quick-fix on the chat, so it won't accept the characters "<" or ">" in any chat posting.. which should stop code injections (I hope), heh.
I also changed the permissions on the "public_html/" directory, which will hopefully stop people from "read"ing its contents.

Author:  DanShadow [ Tue Sep 21, 2010 3:08 pm ]
Post subject:  RE:PHP Multiplayer Online Browser Fantasy RPG

Yup Drahcir, that's the one. (*conveniently changes filename*)

Sorry to hear that saltpro15 Sad. School web-page permissions can suck... but there's always home or a public library Wink

Author:  Dan [ Tue Sep 21, 2010 5:07 pm ]
Post subject:  RE:PHP Multiplayer Online Browser Fantasy RPG

First of all don't try to implement your own HTML escaping, leave that to a library or API that has been developed for the task. I am sure PHP must have one somewhere.

Secondly, it's not just the chat you should worry about, but any possible place where user entered text is displayed on the site (including user names).


As for character file storage, if you must use files (really you should be using a DBMS like mysql) put them in a place that is not web accessible if possible.

Also there is a problem with how you create the user file, since you basically just create/save the file to "/Chars/username.chr" I can make my user name something like "../dan" and the path becomes "/Chars/../dan.chr" which is equivalent to "/dan.chr" moving it a directory downward. You will need to escape user names for both HTML and characters that could affect the path (such as "../", "./", "/", etc).

Another issue with the username is you only limit it to 15 characters in the html form, I can easily modify the html using firebug to let me make a massive username that could break things.
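
An added example (not the game's code) of the three points in this post: usernames are checked on the server against an allowlist before they are used in a file path, the 15-character limit is enforced in PHP rather than only in the form, and text is encoded with PHP's built-in `htmlspecialchars()` when it is written into a page. The storage directory and function names are assumptions.

```php
<?php
declare(strict_types=1);

// Assumed location outside the web root, so .chr files have no URL.
const CHAR_DIR = '/var/game-data/Chars';

/**
 * Accept only 1-15 ASCII letters and digits. The anchors \A and \z match
 * the whole string, so "../dan" and an oversized name both fail, and
 * nothing that can change the path ('.', '/', '\', NUL) gets through.
 */
function validateUsername(string $name): string
{
    if (preg_match('/\A[A-Za-z0-9]{1,15}\z/', $name) !== 1) {
        throw new InvalidArgumentException('Invalid username');
    }
    return $name;
}

/** Build the character file path from a validated name only. */
function characterPath(string $name): string
{
    return CHAR_DIR . '/' . validateUsername($name) . '.chr';
}

/** Encode on output, for every place user text is shown. */
function h(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderChatLine(string $user, string $message): string
{
    return '<p><b>' . h($user) . '</b>: ' . h($message) . '</p>';
}

// Constructed inputs: a normal name, the "../dan" case from the post,
// and a name far longer than the form allows.
foreach (['Shade', '../dan', str_repeat('A', 500)] as $candidate) {
    try {
        echo characterPath($candidate), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'Rejected username of ', strlen($candidate), ' bytes', PHP_EOL;
    }
}

// Markup and entities in a chat message come out as inert text:
// "<" becomes "&lt;" and "&" becomes "&amp;".
echo renderChatLine('Shade', '<script>alert(1)</script> &lt;b&gt;'), PHP_EOL;
```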

Author:  DanShadow [ Tue Sep 21, 2010 5:22 pm ]
Post subject:  RE:PHP Multiplayer Online Browser Fantasy RPG

Ahh, thank you!

Yeah, the file-based storage was mainly for ease of access (before I made a page that could control player data) and laziness. I'll have to switch to a DB soon.

The rest should be relatively easy for me to fix, just have to parse any text input submitted by a user before doing anything with it.

Thanks a lot Dan, this should help me protect against the potential for quite a few attacks in the future!

Author:  Dan [ Tue Sep 21, 2010 6:00 pm ]
Post subject:  RE:PHP Multiplayer Online Browser Fantasy RPG

I should also point out that being able to view some users' .chr files may be a bigger issue than you may think. If I can access their hash I can use it to login as them the way you have things set up by embedding that hash in the html form and editing the cookie to their username.

Additionally it is possible to put items on the auction house for more than 9999 gold.

Author:  Drahcir [ Tue Sep 21, 2010 6:03 pm ]
Post subject:  Re: PHP Multiplayer Online Browser Fantasy RPG

Security by obscurity is not a good way to do things. It's sort of like leaving your house key under the front mat. If a thief looks around hard enough, he'll find the keys eventually. Although it certainly is a learning opportunity for you to make this game, I would advise you against making the game public unless you rewrote the whole thing from the bottom-up.

A long while back, I had the same idea as you; to make a mmorpg browser game written by myself. But the more I worked on it, the more I realized how inefficient I was. Patching small bugs and exploits is the same as patching a broken window with scotch tape. It may look like you've fixed it, but it's really ugly, and you should not be doing it that way until you've learned proper programming design patterns.

I beseech you, try using a PHP framework with MySQL tables. I don't know if there are any good PHP frameworks solely for making games, but there are certainly many good frameworks for making sites that you can modify into a game system. CodeIgniter is very good for making sites with. I'm sure you can somehow incorporate an element of game design into it.

Once you've used a framework, you'll look back at your old code and you'll realize how bad it really is. Because if you look at all the exploits that have been found, it means something is seriously wrong with how you're designing the game. If an engineer built a bridge and parts of it started breaking and he replaced the broken parts with quick-dry cement, would you continue using the bridge?

I'm not telling you to be perfect and make a game that's totally free of bugs, because that's impossible. If you look at the thread, this is basically what's happening:

Hey guys, I built a house, come look at it!
Oh that's a cool house. But why is the roof leaking? // shop bug
Oh, missed that. I guess I'll fix it by stuffing the roof full of styrofoam until water stops leaking through.
Why is the house tilting? // cookie bug, which should really be fixed by using sessions instead of cookies
Oh, I guess I missed that too. I'll fix it by getting some two-by-fours and sticking them on the side of the wall.
I notice you have a piece of glass for a door. Won't that break pretty easily? // Dan's bug
That's all I got to make a door with.

Your "house" ends up looking pretty bad, no matter how new it is.

Your game is a good start, but look into using a framework + mysql. Although using a framework seems daunting at first, you'll realize how quickly you can roll out new content to your game once you've learned how to use one. You'll spend less time writing code and more time designing and adding new content to your game. Your old code is probably going to end up in vain, but it's a fairly good experience for you, so it's not all a waste. Most frameworks advertise how they can allow you to make a blog in 10 minutes or something ridiculous like that.

I guess I sound a little harsh, and I apologize. This will probably be my last reply to your game unless you're going to rewrite it fresh using better design.

Author:  DanShadow [ Tue Sep 21, 2010 6:14 pm ]
Post subject:  RE:PHP Multiplayer Online Browser Fantasy RPG

K, I've added a check on the create user page so that it will check to ensure user and password lengths are proper, and both only contain numbers/letters.
Hopefully that should get rid of a couple issues.

Are you able to view other character files other than those recently created?
Right now, I check it daily and change permissions for all Character files to Read/Write - User only. (Which won't be necessary once I switch over to a DB data storage).
So all Character files should only have read/write permissions for "user" only, which shouldn't allow anyone to simply type out the URL ./Chars/username.chr to view old character files through their browser.

Thanks for the tip on the auction house, I'll have to make another if check there to verify max sell price.

Author:  DanShadow [ Tue Sep 21, 2010 6:35 pm ]
Post subject:  RE:PHP Multiplayer Online Browser Fantasy RPG

Added another "patch" for the market, heh.

Thank you Drahcir - you are right. This is (for the most part) a learning experience for me. If it wasn't, I wouldn't have asked for people to test out the game, and help me discover flaws.
Building this game was a "learning-curve" prequel to another few projects I have in mind, one of which is a commission which I'm being offered a fair bit of money to make.

Several of these exploits/bugs/glitches I knew about prior to people pointing them out. Some I left on purpose (like the cookie session data) - simply to see what kinds of things might happen.

The file-based data system I made on purpose, because when I started re-learning PHP I didn't want to go back into SQL programming and DB design, so I took the easy way out and made everything file-based.
Yes, not the smartest idea, but it was quick, allowed for quick data alteration with little re-coding. Obviously hasn't worked so well for me, but there's another lesson: DB offers more than structured data storage, it offers a level of security that is uncompromising.

This particular game I don't intend to completely re-code (yet), because I feel there is still more to learn.

I am also observing player trends, and trying to learn how to design a more appealing game based on how much players actually play.

Again, thank you Drahcir for the help you've offered, and if this be your last reply to this game, you have my appreciation, and hopefully in later days you'll see something better.

Author:  Zren [ Tue Sep 21, 2010 7:28 pm ]
Post subject:  RE:PHP Multiplayer Online Browser Fantasy RPG

So my actions were all planned out eh?

Use sprintf("Item: %+d Strength", statModifer), otherwise it looks like it randomly is + or - 999 HP.

Author:  DanShadow [ Tue Sep 21, 2010 7:37 pm ]
Post subject:  RE:PHP Multiplayer Online Browser Fantasy RPG

Btw, here is an example of an exploit I knew about/planted:
I added an unbelievably strong item to the market with the seller name "Dan", but no user named "Dan" existed, so creating that user would entitle them to that item Wink.

Now that I've said that, I had to create that character though, heh.

Author:  Zren [ Tue Sep 21, 2010 7:43 pm ]
Post subject:  RE:PHP Multiplayer Online Browser Fantasy RPG

Uhg, dammit. I knew there wasn't a character named Dan too when I did the cookie exploit. I should'a thought of that. >.<

Author:  DanShadow [ Tue Sep 21, 2010 7:56 pm ]
Post subject:  RE:PHP Multiplayer Online Browser Fantasy RPG

Hehe Wink.

At least you have your "highly useful" Hackers Seal of Pain

Author:  Dan [ Tue Sep 21, 2010 8:50 pm ]
Post subject:  RE:PHP Multiplayer Online Browser Fantasy RPG

This makes a rather fun hacking game:

[Image]

Author:  DanShadow [ Tue Sep 21, 2010 8:57 pm ]
Post subject:  RE:PHP Multiplayer Online Browser Fantasy RPG

Sneaky.. lol.

Author:  DanShadow [ Tue Sep 21, 2010 9:05 pm ]
Post subject:  RE:PHP Multiplayer Online Browser Fantasy RPG

There, that should patch that up, lol.
I'm actually enjoying your "hacking", XD. Makes for quite the amusement

Author:  DanShadow [ Tue Sep 21, 2010 9:27 pm ]
Post subject:  RE:PHP Multiplayer Online Browser Fantasy RPG

Nice use of " & lt ". Blocked a few more characters now Wink

I'm curious to what you did with test2 & test3...

Both characters were recently created, but neither characters have a "map" starting position, nor equipment, nor the gold obtained from selling equipment, nor any equipment in marketplace.
Hopefully the "fluffy kitty" jokes didn't make you want to do something destructive Sad

Author:  Dan [ Tue Sep 21, 2010 10:15 pm ]
Post subject:  Re: RE:PHP Multiplayer Online Browser Fantasy RPG

DanShadow @ 21st September 2010, 9:27 pm wrote:

Both characters were recently created, but neither characters have a "map" starting position, nor equipment, nor the gold obtained from selling equipment, nor any equipment in marketplace.
Hopefully the "fluffy kitty" jokes didn't make you want to do something destructive Sad


Nothing destructive, I just wanted to see what happens if I created a character without a class. Turns out they get no items and are put in nowhere land :p

It is possible to modify the account creation form to put in some other class, but it does not help you at all, just messes up your account.

Author:  Dan [ Tue Sep 21, 2010 10:21 pm ]
Post subject:  RE:PHP Multiplayer Online Browser Fantasy RPG

DanShadow, take a look at the market place, I made you sell your pants. LOLS

[Image]


Will PM how I did it, as it is a rather large hole (allows access to any user's account).

Update:

[Image]

Who is the fluffy kitty now? :p


Update 2:

I obtained your password hash and cracked your hashing algorithm, I have your plain text password. You really should be using MD5 or SHA1 at a minimum rather than trying to make your own hashing algorithm.

See:
http://php.net/manual/en/function.md5.php
http://php.net/manual/en/function.sha1.php

PMing you your password as proof.
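
For password storage specifically, PHP 5.5 and later also provide `password_hash()` and `password_verify()`, which add a per-password salt and an adjustable work factor that a single `md5()` or `sha1()` call does not have. An added example (not the game's code or anything posted in the thread) that still accepts an unsalted SHA-1 value and replaces it at the next successful login; the function names and the sample password are assumptions.

```php
<?php
declare(strict_types=1);

/** True when the stored value looks like a bare 40-hex-digit SHA-1. */
function isLegacySha1(string $stored): bool
{
    return preg_match('/\A[0-9a-f]{40}\z/', $stored) === 1;
}

/**
 * Check a login attempt against the stored value.
 * Returns [bool $ok, ?string $replacement]. When $replacement is not null
 * the caller should save it over the old stored value.
 */
function verifyAndUpgrade(string $password, string $stored): array
{
    if (isLegacySha1($stored)) {
        // Constant-time comparison against the old unsalted format.
        $ok = hash_equals($stored, sha1($password));
        return [$ok, $ok ? password_hash($password, PASSWORD_DEFAULT) : null];
    }
    $ok = password_verify($password, $stored);
    $replacement = ($ok && password_needs_rehash($stored, PASSWORD_DEFAULT))
        ? password_hash($password, PASSWORD_DEFAULT)
        : null;
    return [$ok, $replacement];
}

// Constructed sample: an account whose hash was stored as plain sha1().
$password = 'correct horse battery staple';
$stored   = sha1($password);

// First login after the change: accepted, and a new hash is issued.
[$ok, $upgraded] = verifyAndUpgrade($password, $stored);
echo 'Legacy login ok: ', var_export($ok, true), PHP_EOL;
echo 'New algorithm:   ', password_get_info($upgraded)['algoName'], PHP_EOL;

// Two hashes of the same password differ, because each gets its own salt.
$other = password_hash($password, PASSWORD_DEFAULT);
echo 'Hashes differ:   ', var_export($upgraded !== $other, true), PHP_EOL;

// Later logins use password_verify(); a wrong password is refused.
echo 'Later login ok:  ', var_export(verifyAndUpgrade($password, $upgraded)[0], true), PHP_EOL;
echo 'Wrong password:  ', var_export(verifyAndUpgrade('wrong guess', $upgraded)[0], true), PHP_EOL;
```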

Author:  DanShadow [ Wed Sep 22, 2010 12:29 pm ]
Post subject:  RE:PHP Multiplayer Online Browser Fantasy RPG

Haha, thank you. I have retrieved my pants btw.

Upon reconsidering my hashing algorithm, I definitely see how it could be easily cracked if somebody had access to 2+ accounts.

Thanks for the suggestion, I'll definitely have to implement that!

Author:  DanShadow [ Wed Sep 22, 2010 1:11 pm ]
Post subject:  RE:PHP Multiplayer Online Browser Fantasy RPG

There we go, implemented your suggestion.
Thanks, that's a realllly useful technique to know for the future!

