PHP Multiplayer Online Browser Fantasy RPG

[DanShadow]

Nice exploit .

I'll get working on that one asap, lol.

[DanShadow]

There we go, after about an hour or so of re-coding, that exploit should be fixed, haha.

Now anytime somebody changes their "user" cookie and tries to access the game, it will simply log them out and delete the cookie (unless the game authenticates them).

Thanks a ton for bringing this exploit to my attention

As for the item, you can keep it . I gave myself another one with a PHP file I made, which allows me to load player files, and give them gold or items.
I'd be super impressed/scared if somebody was able to hack&access that file though

[DanShadow]

Oh btw, Zren & Drahcir..
I gave you guys a "fun" gift, its in your inventory.

Enjoy, haha

[Drahcir]

DanShadow @ Tue Sep 21, 2010 5:50 am wrote:

There we go, after about an hour or so of re-coding, that exploit should be fixed, haha.

Now anytime somebody changes their "user" cookie and tries to access the game, it will simply log them out and delete the cookie (unless the game authenticates them).

Thanks a ton for bringing this exploit to my attention

As for the item, you can keep it . I gave myself another one with a PHP file I made, which allows me to load player files, and give them gold or items.
I'd be super impressed/scared if somebody was able to hack&access that file though

You mean the one at http://www.danshadow.pcriot.com/admin.php ?

[Dan]

After looking at this for a few minutes, i have found a few masive seucrity holes. I don't have time to go through it in depth but as a simple proof of concecpt i was able to dump my carachters file on your server to my broswer:

code:

fcs89jsz0m1j1d2p28d3 100 1 0 0 40 14 1 4 0 26 27 0 0 21 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 new user town 0 0 0 0

and move that file into the root web directory on the server rather then in ./Chars


If i get time i can look through it a bit more thoroughly.


Update:

I found an XSS hole in the chat box that lets me inject any javascript i like, right now i set it to just was "Dan was here" but i could easly modify it to do evil things. It also loads the javascript payload from another site so it can be change when ever the attacker wants.

Sorry that i messed your site up a bit, but hopfully it will help you make it more secure.

[saltpro15]

can't access this on the school computers, possibly because it contains folklore? This FortiGuard program the school board has is hilarious

[DanShadow]

Wow..
I know the security hole when it comes to server permissions for newly created accounts, which can allow a user to view their own account if they know the public_html/ structure.. but what you've done has gone beyond what I know how to prevent.

If you have some time to explain to me how you (a) discovered the root structure, (b) were able to move files that only "user" permissions were granted to do so, (c) modify data of files whose permissions were read/write for "user" only..

I would be in your debt.. because I am clueless to how you did that O_O

As for the script injections into the chat, I should be able to prevent that by parsing user input first and checking for strings like "<script>" or "<?php", and when finding it preventing the chat submission (hopefully).

I only got to take 1 course in PHP in college, (because the 3rd year program focus for web-design was primarily ASP.NET based, which I wasnt too pleased with) so I know very little when it comes to web-site security. Kind of learning as I go along.

So yeah, if you ever have time to explain a bit of what you were able to do, I'd really appreciate it!!

Don't worry about messing up the site, working on major security flaws is more important to me than resetting a couple files and modifying a data file

Update: I did a quick-fix on the chat, so it wont accept the characters "<" or ">" in any chat posting.. which should stop code injections (I hope), heh.
I also changed the permissions on the "public_html/" directory, which will hopefully stop people from "read"ing it's contents.

[DanShadow]

Yup Drahcir, thats the one. (*conveniently changes filename*)

Sorry to hear that saltpro15 . School web-page permissions can suck... but there's always home or a public library

[Dan]

First of all don't try to implment your own HTML escaping, leave that to a libbary or API that has been devloped for the task. I am sure PHP must have one somewhere.

Secondly, it's not just the chat you should worry about, but any possible place where user entered text is displayed on the site (including user names).


As for charcter file storage, if you must use files (realy you should be using a DBMS like mysql) put them in a place that is not web accessable if possible.

Also there is a problem with how you create the user file, since you basicly just create/save the file to "/Chars/username.chr" I can make my user name somthing like "../dan" and the path becomes "/Chars/../dan.chr" which is equlivent to "/dan.chr" moving it a directory downword. You will need to escape user names for both HTML and charcters that could effect the path (such as "../", "./", "/", ect).

Another issue with the username is you only limit it to 15 charcters in the html form, i can easly modify the html using firebug to let me make a masive username that could break things.

[DanShadow]

Ahh, thank you!

Yeah, the file-based storage was mainly for ease of access (before I made a page that could control player data) and laziness. I'll have to switch to a DB soon.

The rest should be relatively easy for me to fix, just have to parse any text input submitted by a user before doing anything with it.

Thanks a lot Dan, this should help me protect against the potential for quite a few attacks in the future!

[Dan]

I should also point out that being able to view some users .chr files maybe a bigger issue then you may think. If i can access there hash i can use it to login as them the way you have things set up by embdeing that hash in the html form and editing the cookie to there username.

Addtionaly it is possible to put items on the acution house for more then 9999 gold.

[Drahcir]

Security by obscurity is not a good way to do things. It's sort of like leaving your house key under the front mat. If a thief looks around hard enough, he'll find the keys eventually. Although it is certainly is a learning opportunity for you to make this game, I would advise you from making the game public unless you rewrote the whole thing from the bottom-up.

A long while back, I had the same idea as you; to make a mmorpg browser game written by myself. But the more I worked on it, the more I realized how inefficient I was. Patching small bugs and exploits is the same as patching a broken window with scotch tape. It may look like you've fixed it, but it's really ugly, and you should not be doing it that way until you've learned proper programming design patterns.

I beseech you, try using a PHP framework with MySQL tables. I don't know if there are any good PHP frameworks solely for making games, but there are certainly many good frameworks for making sites that you can modify into a game system. CodeIgniter is very good for making sites with. I'm sure you can somehow incorporate an element of game design into it.

Once you've used a framework, you'll look back at your old code and you'll realize how bad it really is. Because if you look at all the exploits that have been found, it means something is seriously wrong with how you're designing the game. If an engineer built a bridge and parts of it started breaking and he replaced the broken parts with quick-dry cement, would you continue using the bridge?

I'm not telling you to be perfect and make a game that's totally free of bugs, because that's impossible. If you look at the thread, this is basically what's happening:

Hey guys, I built a house, come look at it!
Oh that's a cool house. But why is the roof leaking? // shop bug
Oh, missed that. I guess I'll fix it by stuffing the roof full of styrofoam until water stops leaking through.
Why is the house tilting? // cookie bug, which should really be fixed by using sessions instead of cookies
Oh, I guess I missed that too. I'll fix it by getting some two-by-fours and sticking them on the side of the wall.
I notice you have a piece of glass for a door. Won't that break pretty easily? // Dan's bug
That's all I got to make a door with.

Your "house" ends up looking pretty bad, no matter how new it is.

Your game is a good start, but look into using a framework + mysql. Although using a framework seems daunting at first, you'll realize how quickly you can roll out new content to your game once you've learned how to use one. You'll spend less time writing code and more time designing and adding new content to your game. Your old code is probably going to end up in vain, but it's a fairly good experience for you, so it's not all a waste. Most frameworks advertise how they can allow you to make a blog in 10 minutes or something ridiculous like that.

I guess I sound a little harsh, and I apologize. This will probably be my last reply to your game unless you're going to rewrite it fresh using better design.

[DanShadow]

K, i've added a check on the create user page so that it will check to ensure user and password lengths are proper, and both only contain numbers/letters.
Hopefully that should get rid of a couple issues.

Are you able to view other character files other than those recently created?
Right now, I check it daily and change permissions for all Character files to Read/Write - User only. (Which wont be necessary once I switch over to a DB data storage).
So all Character files should only have read/write permissions for "user" only, which shouldn't allow anyone to simply type out the URL ./Chars/username.chr to view old character files through their browser.

Thanks for the tip on the auction house, ill have to make another if check there to verify max sell price.

[DanShadow]

Added another "patch" for the market, heh.

Thank you Drahcir - you are right. This is (for the most part) a learning experience for me. If it wasn't, I wouldnt have asked for people to test out the game, and help me discover flaws.
Building this game was a "learning-curve" prequel to another few projects I have in mind, one of which is a commission which i'm being offered a fair bit of money to make.

Several of these exploits/bugs/glitches I knew about prior to people pointing them out. Some I left on purpose (like the cookie session data) - simply to see what kinds of things might happen.

The file-based data system I made on purpose, because when I started re-learning PHP I didn't want to go back into SQL programming and DB design, so I took the easy way out and made everything file-based.
Yes, not the smartest idea, but it was quick, allowed for quick data alteration with little re-coding. Obviously hasn't worked so well for me, but there's another lesson: DB offers more than structured data storage, it offers a level of security that is uncompromising.

This particular game I don't intend to completely re-code (yet), because I feel there is still more to learn.

I am also observing player trends, and trying to learn how to design a more appealing game based on how much players actually play.

Again, thank you Drahcir for the help you've offered, and if this be your last reply to this game, you have my appreciation, and hopefully in later days you'll see something better.

[Zren]

So my actions were all planned out eh?

Use sprintf("Item: %+d Strength", statModifer), otherwise it looks like it randomly is + or - 999 HP.