
-----------------------------------
DanShadow
Wed Sep 15, 2010 6:54 pm

PHP Multiplayer Online Browser Fantasy RPG
-----------------------------------
Hey all,

I'm in the process of developing an online multiplayer fantasy RPG called Realm of Darkness!

Development is going pretty good so far, but I'd love some feedback, suggestions, and testers :)

The game is currently hosted at: http://www.danshadow.pcriot.com/

Thanks!!

-----------------------------------
Drahcir
Thu Sep 16, 2010 2:20 am

Re: PHP Multiplayer Online Browser Fantasy RPG
-----------------------------------
Perhaps you should make a check so that it won't let me buy a certain item with id 47 for 1 gold in the shop by merely changing the html code.
Escaping quotes was a good idea. Good job on that one.
The layout uses too many tables. Although using tables to arrange data isn't incorrect, nesting tables within tables just seems wrong, and wastes the user's bandwidth. I'm guessing you're either generating the tables, or hard-coding them in the php files. Try making template files and outputting variables to your template. Google Model-view-controller architecture for more information about that.

And frames are really ugly. Honestly. If you need to use frames, then there's something wrong with the way you're programming it.

-----------------------------------
DanShadow
Thu Sep 16, 2010 3:08 am

RE:PHP Multiplayer Online Browser Fantasy RPG
-----------------------------------
Hmm, the game's first exploit :). 
Thanks, when I was exploit-proofing the pages, I forgot that I set the price of a couple items to 1 gold because they weren't attainable in game.

I agree I do use too many tables.. but that's something I probably won't work on.. yet.

Frames are ugly.. but I used them for a (temporary) reason. The top "title" frame acts as an access log that logs when somebody accesses the web-site, and logs their IP address.
The bottom "chat" frame is a poorly coded PHP file-based chat with a HTTP refresher built in. I'm working on a Java Applet to replace it atm, and I'll likely get rid of the frames once I'm finished with it.

Thanks for the input, and pointing me in the direction of that exploit - much appreciated.

-----------------------------------
DanShadow
Thu Sep 16, 2010 5:29 am

RE:PHP Multiplayer Online Browser Fantasy RPG
-----------------------------------
Btw, anybody interested in playing/testing this game should check out the Facebook page (http://www.facebook.com/pages/Realm-of-Darkness-MOG/158181007526032) for in-game promotional items!

-----------------------------------
Drahcir
Thu Sep 16, 2010 8:26 am

Re: PHP Multiplayer Online Browser Fantasy RPG
-----------------------------------
I understand that the reason you made frames was because it was the only solution that you can think of, but I don't think it works very well. Why can't you have the access log on every content page, and thereby removing the top frame?
I wouldn't suggest making the chat with java. You should probably make it using AJAX, because it'll seem more like it's "part of the page" and not a third party widget. From all the other sites that used java chats, none of them made it work well. The only web chats that I've seen work well are the ones made from javascript. 

Boohoo, I don't get to keep my hard-earned +99 damage exploit sword? :(

-----------------------------------
Zren
Thu Sep 16, 2010 10:52 am

RE:PHP Multiplayer Online Browser Fantasy RPG
-----------------------------------
Bug: Can't equip weapon when you're carrying a shield. You haft'a un-equip and re-equip after you equip ze weapon of le choice.

-----------------------------------
Insectoid
Thu Sep 16, 2010 12:07 pm

RE:PHP Multiplayer Online Browser Fantasy RPG
-----------------------------------
Are you supposed to be able to 1-shot imps on your first fight ever? I logged in, hit attack, and it died.

-----------------------------------
DanShadow
Thu Sep 16, 2010 8:21 pm

RE:PHP Multiplayer Online Browser Fantasy RPG
-----------------------------------
Thanks for the suggestion Drahcir. I decided (at least for now) I'd just increase the refresh time of the chat to 30 seconds, and give an optional refresh link on the page.
You can keep your hard earned stats, but your weapon and most of the gold you gained with it were removed, hehe.

Thanks Zren for letting me know about that bug. It's supposed to be a feature so that you can't equip a bow and a shield at the same time, but the logic behind the if check seems to be flawed somewhere.. I'll look into it.

Yup Insectoid, the lowest monster in the game will (generally) always be able to be crushed with a single blow. If you removed your equipment, might be a different story though ;)

Thanks again for the help guys!

-----------------------------------
Drahcir
Sat Sep 18, 2010 5:42 pm

Re: PHP Multiplayer Online Browser Fantasy RPG
-----------------------------------
Hmm, going back to my exploit bug, I don't think you really solved the problem. It's not that the problem is the unobtainable item is too cheap. It's the fact that I can buy ANY item in the game just by changing the ID of the shop in HTML. Here, let me show you what I did

Ragged Archer Chaps has item ID of 39
Now if I go into firebug and change it to 49 I can buy a different item

http://img15.imageshack.us/i/exploit1y.jpg/
http://img201.imageshack.us/i/exploit2.jpg/

And now I have a vagabond choker, whatever that is.

Don't rely on the user to validate your input. Just because it's not an input box doesn't mean it can't be changed.

[quote]
Thanks for the suggestion Drahcir. I decided (at least for now) I'd just increase the refresh time of the chat to 30 seconds, and give an optional refresh link on the page.
You can keep your hard earned stats, but your weapon and most of the gold you gained with it were removed, hehe.
[/quote]

I wouldn't say they were hard earned stats. Before with unlimited energy, I wrote a greasemonkey script in about 5 minutes to automate the fighting process. That's how I got so high level so quickly. Now with limited energy, I run the script and my day is over in 30 seconds.

-----------------------------------
DanShadow
Sat Sep 18, 2010 9:55 pm

RE:PHP Multiplayer Online Browser Fantasy RPG
-----------------------------------
Ahh yes, makes sense.
Pretty easy fix, just gotta do an if check on the "buy item" page state and cross-reference it with the shops item list to ensure the shop actually sells the item. I'll fix that up soon, thanks again :).

UPDATE: Just fixed the shops, so now you can't modify HTML forms to buy any item, only items that the shop is programmed to sell :).

As for the implementation of energy, in the next upgrade I make to the game there will be a few more uses for energy, like focused stat training, and travelling through a 2D (likely text-based) map, which will be the focus of the game after the first 10 levels.
Rather than going into an arena to fight enemies, you'll have to travel and find new enemies, new shops, etc. Also you'll be able to fight players in the world as well, which will have some kind of reward (like an honor system).

UPDATE: Just added 'The World' expansion.

-----------------------------------
DanShadow
Mon Sep 20, 2010 1:19 am

RE:PHP Multiplayer Online Browser Fantasy RPG
-----------------------------------
Just did an account security upgrade.
If anyone has any issues, let me know!

-----------------------------------
Zren
Mon Sep 20, 2010 7:00 am

RE:PHP Multiplayer Online Browser Fantasy RPG
-----------------------------------
Bug: You can URL hack yourself to the arena.php even if you're not in town.

Bug: If you have an item for sale, You can change the value of marketItem to x of another item on the market, then click retrieve item and you'll get that item for free. I pulled the top 2 items off the list. Be happy I didn't touch your eternal sword of ultimate wrath that causes the doomsday of far far away land.

Tip: Try separating the chat box and the chat submit, otherwise any text entered when the 30sec are up is gone and the person has to retype. All in all, I support AJAXy goodness.

-----------------------------------
DanShadow
Mon Sep 20, 2010 7:20 am

RE:PHP Multiplayer Online Browser Fantasy RPG
-----------------------------------
Thanks Zren, I'll look into those later on tonight.

-----------------------------------
DanShadow
Mon Sep 20, 2010 10:33 pm

RE:PHP Multiplayer Online Browser Fantasy RPG
-----------------------------------
Thanks a lot Zren, those suggestions have helped me fix a few big issues :).

URL Hacking should redirect you back to the main page.
Modifying form data on the market to retrieve items that aren't yours should now give an error message.
The chatbox is now separate from the chat message submit form, so now nobody gets cut off when typing messages.
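
The shop and market fixes discussed in this thread follow one rule: the request supplies only an ID, and the server decides stock, price and ownership from its own data. An added PHP sketch, not part of the thread and not the game's code; the array layouts, function names, shop name, prices and listing IDs are assumptions (item IDs 39 and 49 are the ones mentioned above):

```php
<?php
declare(strict_types=1);
// Added example, not the game's code. All data below is constructed.

// Server-side truth: what each shop stocks and what each item costs.
$SHOPS  = ['armory' => [39, 40, 41]];                 // item 49 is not stocked here
$PRICES = [39 => 120, 40 => 300, 41 => 450, 49 => 5000];
// Market listings keyed by listing id, each recording its seller.
$MARKET = [7 => ['item' => 41, 'seller' => 'Shade'],
           8 => ['item' => 49, 'seller' => 'DanShadow']];

/** Buy an item: only the item id comes from the request; stock and price are looked up. */
function buyItem(array &$player, string $shop, $rawItemId, array $shops, array $prices): string
{
    $itemId = filter_var($rawItemId, FILTER_VALIDATE_INT);
    if ($itemId === false || !in_array($itemId, $shops[$shop] ?? [], true)) {
        return 'rejected: this shop does not sell that item';
    }
    $price = $prices[$itemId];                        // never read a price from the form
    if ($player['gold'] < $price) {
        return 'rejected: not enough gold';
    }
    $player['gold'] -= $price;
    $player['inventory'][] = $itemId;
    return "bought item $itemId for $price gold";
}

/** Retrieve a market listing: allowed only for the account that created it. */
function retrieveListing(array &$player, $rawListingId, array &$market): string
{
    $id = filter_var($rawListingId, FILTER_VALIDATE_INT);
    if ($id === false || !isset($market[$id]) || $market[$id]['seller'] !== $player['name']) {
        return 'rejected: not your listing';
    }
    $player['inventory'][] = $market[$id]['item'];
    unset($market[$id]);
    return "retrieved listing $id";
}

$shade = ['name' => 'Shade', 'gold' => 500, 'inventory' => []];
echo buyItem($shade, 'armory', '39', $SHOPS, $PRICES), PHP_EOL;  // id the shop stocks
echo buyItem($shade, 'armory', '49', $SHOPS, $PRICES), PHP_EOL;  // id edited in the form
echo retrieveListing($shade, '8', $MARKET), PHP_EOL;             // another player's listing
echo retrieveListing($shade, '7', $MARKET), PHP_EOL;             // the player's own listing
```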

-----------------------------------
Zren
Tue Sep 21, 2010 4:30 am

Re: PHP Multiplayer Online Browser Fantasy RPG
-----------------------------------
Alright! Now for today's exploit. xD

Bug: Once you've logged in as any registered user, the only thing registering which user is logged in is a client side cookie. And in this cookie, you ONLY store the username. So, say if I changed that username after logging in to say, DanShadow? My, my, my. I totally just stole your Vagabond necklace for 1g. Today's exploit was brought to you by: Tamper Data, a firefox addon!

Step by step what I did:
Logged in.
Went to town.
Opened Tamper Data. Started "Tampering".
Clicked Character Sheet. Popup asking if I want to tamper, click Tamper.
Looked at Cookie input: User=Shade, changed to User=DanShadow.
Submitted that. Behold, I'm looking at your character sheet.

Basically from there, I repeated the process to Unequip the necklace, go to marketplace, new item for auction, put up necklace for 1g.
Then I stopped tampering and returned to being me, and bought the necklace. Alternately, I guess you could go into the browser cache and change the cookie permanently for this session. Now try and get it back without rolling back the server or editing the database. :P

By the way, you had me checking most of your forms to make sure tampering the HTML wouldn't work. Congrats, you won that round.

-----------------------------------
DanShadow
Tue Sep 21, 2010 4:54 am

RE:PHP Multiplayer Online Browser Fantasy RPG
-----------------------------------
Nice exploit ;).

I'll get working on that one asap, lol.

-----------------------------------
DanShadow
Tue Sep 21, 2010 5:50 am

RE:PHP Multiplayer Online Browser Fantasy RPG
-----------------------------------
There we go, after about an hour or so of re-coding, that exploit should be fixed, haha.

Now anytime somebody changes their "user" cookie and tries to access the game, it will simply log them out and delete the cookie (unless the game authenticates them).

Thanks a ton for bringing this exploit to my attention :D

As for the item, you can keep it :P. I gave myself another one with a PHP file I made, which allows me to load player files, and give them gold or items.
I'd be super impressed/scared if somebody was able to hack&access that file though  :shock:
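
The cookie problem reported above exists because the server accepted a bare username from the client; the cookie has to carry something the client cannot recompute. An added PHP sketch, not part of the thread and not the game's code, using an HMAC-signed token; the token format, function names and the `session` cookie name are assumptions:

```php
<?php
declare(strict_types=1);
// Added example, not the game's code. Token format and names are hypothetical.

/** Issue "user|expiry|mac" where mac = HMAC-SHA256(secret, "user|expiry"). */
function issueToken(string $user, string $secret, int $ttl = 3600, ?int $now = null): string
{
    $expiry  = ($now ?? time()) + $ttl;
    $payload = rawurlencode($user) . '|' . $expiry;   // encoding keeps '|' out of the name
    return $payload . '|' . hash_hmac('sha256', $payload, $secret);
}

/** Return the authenticated username, or null if the token was altered or has expired. */
function verifyToken(string $token, string $secret, ?int $now = null): ?string
{
    $parts = explode('|', $token);
    if (count($parts) !== 3) {
        return null;
    }
    [$user, $expiry, $mac] = $parts;
    $expected = hash_hmac('sha256', $user . '|' . $expiry, $secret);
    if (!hash_equals($expected, $mac)) {              // constant-time comparison
        return null;
    }
    if (!preg_match('/^\d+$/', $expiry) || (int)$expiry < ($now ?? time())) {
        return null;
    }
    return rawurldecode($user);
}

// The key stays on the server; a real deployment loads a persistent key from
// configuration instead of generating one per run as this demo does.
$secret = random_bytes(32);
$token  = issueToken('Shade', $secret);

// Constructed tamper matching the report: the username is swapped, the MAC is not.
$forged = preg_replace('/^Shade/', 'DanShadow', $token);

var_dump(verifyToken($token, $secret));
var_dump(verifyToken($forged, $secret));

// In a page handler the token would travel in a cookie, for example:
// setcookie('session', $token, ['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
```

PHP's built-in sessions (`session_start()` with the username kept in `$_SESSION`) give the same guarantee with server-side state and also allow a login to be revoked, which a signed token alone does not.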

-----------------------------------
DanShadow
Tue Sep 21, 2010 8:31 am

RE:PHP Multiplayer Online Browser Fantasy RPG
-----------------------------------
Oh btw, Zren & Drahcir..
I gave you guys a "fun" gift, it's in your inventory.

Enjoy, haha

-----------------------------------
Drahcir
Tue Sep 21, 2010 10:16 am

Re: RE:PHP Multiplayer Online Browser Fantasy RPG
-----------------------------------
[quote]
There we go, after about an hour or so of re-coding, that exploit should be fixed, haha.

Now anytime somebody changes their "user" cookie and tries to access the game, it will simply log them out and delete the cookie (unless the game authenticates them).

Thanks a ton for bringing this exploit to my attention :D

As for the item, you can keep it :P. I gave myself another one with a PHP file I made, which allows me to load player files, and give them gold or items.
I'd be super impressed/scared if somebody was able to hack&access that file though  :shock:
[/quote]
You mean the one at http://www.danshadow.pcriot.com/admin.php ?

-----------------------------------
Dan
Tue Sep 21, 2010 11:53 am

RE:PHP Multiplayer Online Browser Fantasy RPG
-----------------------------------
After looking at this for a few minutes, I have found a few massive security holes. I don't have time to go through it in depth but as a simple proof of concept I was able to dump my character's file on your server to my browser:

[code]
fcs89jsz0m1j1d2p28d3
100
1
0
0
40
14
1
4
0
26
27
0
0
21
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
new user
town
0
0
0
0
[/code]

and move that file into the root web directory on the server rather than in ./Chars


If i get time i can look through it a bit more thoroughly.


Update:

I found an XSS hole in the chat box that lets me inject any javascript I like, right now I set it to just was "Dan was here" but I could easily modify it to do evil things. It also loads the javascript payload from another site so it can be changed whenever the attacker wants.

Sorry that I messed your site up a bit, but hopefully it will help you make it more secure.
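
For the chat-box script injection reported above, the dependable fix in a file-based chat is to HTML-encode every stored value at the moment it is written into the page. An added PHP sketch, not part of the thread and not the game's code; the tab-separated file format, function names, length limits and the `example.invalid` host are assumptions:

```php
<?php
declare(strict_types=1);
// Added example, not the game's code. File format and function names are hypothetical.

/** Store one chat line as "name<TAB>message". Control characters are replaced so a
 *  message cannot forge extra lines or fields in the flat file. */
function appendChat(string $file, string $name, string $message): void
{
    $clean = static fn(string $s, int $max): string =>
        substr(preg_replace('/[\x00-\x1F\x7F]/', ' ', $s) ?? '', 0, $max);
    file_put_contents($file, $clean($name, 20) . "\t" . $clean($message, 200) . "\n",
                      FILE_APPEND | LOCK_EX);
}

/** Render the log as HTML. Every stored value is encoded at output time, so markup
 *  typed into the chat is displayed as text instead of being parsed by the browser. */
function renderChat(string $file): string
{
    $enc = static fn(string $s): string =>
        htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    $html = '';
    foreach (file($file, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) ?: [] as $line) {
        [$name, $message] = array_pad(explode("\t", $line, 2), 2, '');
        $html .= '<p><b>' . $enc($name) . ':</b> ' . $enc($message) . "</p>\n";
    }
    return $html;
}

$log = tempnam(sys_get_temp_dir(), 'chat');
appendChat($log, 'Shade', 'anyone selling a shield?');
// Constructed hostile message; example.invalid is a placeholder host.
appendChat($log, 'Dan', '<script src="//example.invalid/x.js"></script>');
echo renderChat($log);
unlink($log);
```

Encoding at output keeps the original text intact in storage and does not depend on recognising particular tags or strings in the input.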

-----------------------------------
saltpro15
Tue Sep 21, 2010 12:02 pm

RE:PHP Multiplayer Online Browser Fantasy RPG
-----------------------------------
can't access this on the school computers, possibly because it contains folklore?  This FortiGuard program the school board has is hilarious

-----------------------------------
DanShadow
Tue Sep 21, 2010 2:50 pm

RE:PHP Multiplayer Online Browser Fantasy RPG
-----------------------------------
Wow..
I know the security hole when it comes to server permissions for newly created accounts, which can allow a user to view their own account if they know the public_html/ structure.. but what you've done has gone beyond what I know how to prevent.

If you have some time to explain to me how you (a) discovered the root structure, (b) were able to move files that only "user" permissions were granted to do so, (c) modify data of files whose permissions were read/write for "user" only..

I would be in your debt.. because I am clueless to how you did that O_O

As for the script injections into the chat, I should be able to prevent that by parsing user input first and checking for strings like "" or "