DragonPrime - LoGD Resource Community
Welcome Guest
  • Good evening, Guest.
    Please log in, or register.
  • May 25, 2019, 09:06:45 PM
Home Forums News Downloads Login Register Advanced Search
* *
DragonPrime Menu
Login
 
 
Resource Pages
Search

  Show Posts
Pages: [1] 2 3 ... 15
1  Core Code Development Discussions / RAID! (Core Code Bug Reports and Patches) / Re: SQL injection bug in motd.php on: April 28, 2019, 02:22:44 PM
Yeah, sure, that's shorter and better =)
2  Core Code Development Discussions / RAID! (Core Code Bug Reports and Patches) / Re: SQL injection bug in motd.php on: April 27, 2019, 11:13:00 AM
It's pretty much the same, you'd need to rewrite the queries afterwards then or you have to concat the month+year together again.
Or you check if both are originally integer values, which would be more lines of code.

Pretty much the same I think, regex might be a bit quicker.

Any fix is good as long as it is fixed.
motd.php is accessible from outside the game, making it worse.
3  Core Code Development Discussions / RAID! (Core Code Bug Reports and Patches) / SQL injection bug in motd.php on: April 26, 2019, 10:10:10 AM
I got a rather interesting sql injection attack on my server, which is (as I just downloaded the bugfixed 2017 version) also present in lotgd core.

motd.php has the following code:

Code:
$m = httpget("month");
if ($m > ""){
$sql = "SELECT " . db_prefix("motd") . ".*,name AS motdauthorname FROM " . db_prefix("motd") . " LEFT JOIN " . db_prefix("accounts") . " ON " . db_prefix("accounts") . ".acctid = " . db_prefix("motd") . ".motdauthor WHERE motddate >= '{$m}-01' AND motddate <= '{$m}-31' ORDER BY motddate DESC";
$result = db_query_cached($sql,"motd-$m");
}else{
$sql = "SELECT " . db_prefix("motd") . ".*,name AS motdauthorname FROM " . db_prefix("motd") . " LEFT JOIN " . db_prefix("accounts") . " ON " . db_prefix("accounts") . ".acctid = " . db_prefix("motd") . ".motdauthor ORDER BY motddate DESC limit $newcount,".($newcount+$count);
if ($newcount=0) //cache only the last x items
$result = db_query_cached($sql,"motd");
else
$result = db_query($sql);
}

As you can see, $m is entered by httpget() and patched without escape right into the query.

Which leads to somebody actively trying to get the db connection (and therefore access to user data) producing this error:

Code:
fopen(/var/datacache/datacache_motd-cast2828SELECT20dblink-connect28chr28104297C7Cchr28111297C7Cchr28115297C7Cchr28116297C7Cchr2861297C7Cchr2854297C7Cchr28121297C7Cchr28112297C7Cchr28116297C7Cchr28115297C7Cchr2851297C7Cchr28107297C7Cchr28100297C7Cchr28115297C7Cchr28110297C7Cchr28110297C7Cchr2849297C7Cchr28108297C7Cchr28106297C7Cchr28100297C7Cchr28114297C7Cchr2899297C7Cchr28120297C7Cchr28120297C7Cchr28107297C7Cchr2899297C7Cchr28115297C7Cchr28117297C7Cchr28106297C7Cchr28101297C7Cchr2897297C7Cchr28103297C7Cchr28105297C7Cchr2898297C7Cchr28102297C7Cchr2897297C7Cchr28111297C7Cchr2853297C7Cchr28118297C7Cchr28102297C7Cchr2851297C7Cchr28109297C7Cchr28114297C7Cchr28107297C7Cchr28101297C7Cchr28106297C7Cchr2856297C7Cchr28107297C7Cchr2846297C7Cchr28114297C7Cchr2856297C7Cchr2855297C7Cchr2846297C7Cchr28109297C7Cchr28101297C7Cchr2832297C7Cchr28117297C7Cchr28115297C7Cchr28101297C7Cchr28114297C7Cchr2861297C7Cchr2897297C7Cchr2832297C7Cchr28112297C7Cchr2897297C7Cchr28115297C7Cchr2 8115297C7Cchr28119297C7Cchr28111297C7Cchr28114297C7Cchr28100297C7Cchr2861297C7Cchr2897297C7Cchr2832297C7Cchr2899297C7Cchr28111297C7Cchr28110297C7Cchr28110297C7Cchr28101297C7Cchr2899297C7Cchr28116297C7Cchr2895297C7Cchr28116297C7Cchr28105297C7Cchr28109297C7Cchr28101297C7Cchr28111297C7Cchr28117297C7Cchr28116297C7Cchr2861297C7Cchr285029292920as20numeric29): failed to open stream: File name too long in /var/www/html/naruto/lib/datacache.php (62)
Call Stack:
2: fopen("/var/datacache/...", "w") called from /var/lib/datacache.php on line 62
3: updatedatacache("motd-cast((SELECT dblink_...", Array()) called from /var/lib/dbwrapper_mysqli_proc.php on line 65
4: db_query_cached("SELECT motd.*,name AS mot...", "motd-cast((SELECT dblink_...") called from /var/motd.php on line 64

I used (I think this should work on your systems too) following git patch:

Code:
diff --git a/motd.php b/motd.php
index 48b2b6d..a034a2a 100644
--- a/motd.php
+++ b/motd.php
@@ -58,10 +58,16 @@ if ($op=="") {
        /*
        motditem("Beta!","Please see the beta message below.","","", "");
        */
-       $m = httpget("month");
-       if ($m > ""){
-               $sql = "SELECT " . db_prefix("motd") . ".*,name AS motdauthorname FROM " . db_prefix("motd") . " LEFT JOIN " . db_prefix("accounts") . " ON " . db_prefix("accounts") . ".acctid = " . db_prefix("motd") . ".motdauthor WHERE motddate >= '{$m}-01' AND motddate <= '{$m}-31' ORDER BY motddate DESC";
-               $result = db_query_cached($sql,"motd-$m");
+       $month_post = httpget("month");
+       //SQL Injection attack possible -> kill it off after 7 letters as format is i.e. "2000-05"
+       $month_post = substr($month_post,0,7);
+       if (preg_match("/[0-9][0-9][0-9][0-9]-[0-9][0-9]/",$month_post)!==1) {
+               //hack attack
+               $month_post="";
+       }
+       if ($month_post > ""){
+               $sql = "SELECT " . db_prefix("motd") . ".*,name AS motdauthorname FROM " . db_prefix("motd") . " LEFT JOIN " . db_prefix("accounts") . " ON " . db_prefix("accounts") . ".acctid = " . db_prefix("motd") . ".motdauthor WHERE motddate >= '{$month_post}-01' AND motddate <= '{$month_post}-31' ORDER BY motddate DESC";
+               $result = db_query_cached($sql,"motd-$month_post");
        }else{
                $sql = "SELECT " . db_prefix("motd") . ".*,name AS motdauthorname FROM " . db_prefix("motd") . " LEFT JOIN " . db_prefix("accounts") . " ON " . db_prefix("accounts") . ".acctid = " . db_prefix("motd") . ".motdauthor ORDER BY motddate DESC limit $newcount,".($newcount+$count);
                if ($newcount=0) //cache only the last x items
@@ -97,7 +103,7 @@ if ($op=="") {
        while ($row = db_fetch_assoc($result)){
                $time = strtotime("{$row['d']}-01");
                $m = translate_inline(date("M",$time));
-               rawoutput ("<option value='{$row['d']}'".(httpget("month")==$row['d']?" selected":"").">$m".date(", Y",$time)." ({$row['c']})</option>");
+               rawoutput ("<option value='{$row['d']}'".($month_post==$row['d']?" selected":"").">$m".date(", Y",$time)." ({$row['c']})</option>");
        }
        rawoutput("</select>".tlbutton_clear());
        $showmore=translate_inline("Show more");

4  Coding Support / Coding Support Desk / Re: How To Reset The Prefs Of ALL Players on: January 13, 2019, 12:30:36 PM
I highly suggest copying your database + testing such things there =) if you don't have a test server.

On another note: Yes, your query looks sound, but you could drop "AND setting", if you want to reset ALL prefs. Else you just reset the setting "blah_blah_blah".
5  Modules, Themes and other customizations for your game / Completed Modules for version 1.x.x / Re: reCAPTCHA anti-spam for petition.php on: December 25, 2018, 12:55:52 PM
Never pass away a captcha (that can also do audio only and more).

here is my implementation, just enter your site key in the settings.
(PHP CURL is needed, though)
6  Game Administration, Installation and Configuration / The Idea Place / Re: Switch Accounts on: August 13, 2018, 02:30:06 PM
If you would do that right, you'd replace the entire login process with that, and attach characters to it. Would solve the multi-char-problem, and other numerous things.
But, you would have the replace the entire login process and so on...
7  Game Administration, Installation and Configuration / Game Administration Chat / Re: GDPR Privacy in the EU (and those who accept EU players) - Issues with Lotgd on: June 06, 2018, 01:46:13 PM
You're welcome =)

As said, what must be deleted is in my gdpr mod I added Tongue

It does hook into the creationaddon and create a link there - so you can set up a perma-delete there.

The lotgd delete function (IF you either disable the charrestorer-savefile OR hash/delete the email address+ip+id) will do just fine if somebody wants to be deleted.
As said, it's not necessary to remove any footprint he/she left, just the personal stuff that can be tied to a natural person.
8  Game Administration, Installation and Configuration / Game Administration Chat / Re: GDPR Privacy in the EU (and those who accept EU players) - Issues with Lotgd on: June 06, 2018, 11:15:18 AM
CreationAddon: http://www.orpgs.com/downloads
But it seems that's offline =/
I added my copy, but it's modified, I commented some stuff out I didn't need.

@removal of data / deletion
you *only* need to delete personal data. any items, achievements... no worries.
but email, name, cookie id, ip ... that's personal and can be requested to be deleted.

You can keep dwellings etc too...
9  Game Administration, Installation and Configuration / Game Administration Chat / Re: GDPR Privacy in the EU (and those who accept EU players) - Issues with Lotgd on: June 03, 2018, 01:46:05 PM
Just a few things in the posts I picked up and wanted to give my 2 cents:

 -> the cookie in lotgd (the lgi) stores i.e. the unique cookie ID which identifies PCs (last accessed) --> that *needs* to be in your data privacy statement, it is a tracker
     it also has the template i.e.the user selected stored, but that's rather uninteresting (no personal data)
 -> as soon as you store personal data, you need either a deletion date or a consent for the being-stored. If somebody deletes himself and can choose what he wants (also a statement how he can later request deletion) that is fine. But what about expired chars? There is no consent really... which is the major problem that forced me to hash the emails.
  -> The "creationaddon" is a really nice thing to put up. You should use it. (maybe expand to make all users agree as I did)

From what I have seen currently, not much is enforced - so it's a bit of a breather.

@the argument "I'm outside the EU, why should it apply" --> "do you deny EU citizens your service? if not, you have to protect their data according to GDPR"
it's that simple. A EU citizen could go to court if you don't. "could" being the word.

10  Game Administration, Installation and Configuration / Game Administration Chat / Re: GDPR Privacy in the EU (and those who accept EU players) - Issues with Lotgd on: May 20, 2018, 09:38:25 AM
Well, busy on the last couple of days.

I used the "creationaddon" to show my privacy policy statements, but it has one drawback: it *only* confirms them on creation(hence the name), and it has no way to do so afterwards. I had to expand that function, and also add a date as to when the privacy was accepted.
If somebody needs it, I will attach it.

here is the last version of the gdpr extension (=manages only the data export for the user and the 100% safe deletion and no restoral - if you push the mysql functions in you have to execute after you pushed the data in, but that can be set automatically if you need to).

Due to the fact that it's not install-and-done, but needs mysql adaptions, I apologize.
The mysql stuff has to be done in the db, which is something not being able to easily put into a module (no synctable for functions).

EDIT: Just as a summary, you need(!) a privacy statement accessible like an imprint on any page, it has to declare a lot of things. That's mandatory. Mine: https://shinobilegends.com/gdpr/SL%20Data%20Privacy%20Agreement%20and%20Transparency%20Report.pdf
11  Modules, Themes and other customizations for your game / Completed Modules for version 1.x.x / Re: reCAPTCHA anti-spam for petition.php on: April 03, 2018, 01:35:30 PM
You should really check before you make any statement. Source: https://support.google.com/recaptcha/answer/6175971?hl=en

"ReCAPTCHA works with major screen readers such as ChromeVox, JAWS, NVDA and VoiceOver. ReCAPTCHA will alert screen readers of status changes, such as when the reCAPTCHA verification challenge is complete. The status can also be found by looking for the heading titled recaptcha status in the recaptcha widget section of the page."
12  Modules, Themes and other customizations for your game / Completed Modules for version 1.x.x / Re: reCAPTCHA anti-spam for petition.php on: March 26, 2018, 09:55:10 AM
You can drop most of the code and the library here though... here is a guide (google search for "recaptcha php", 3rd hit.

https://www.kaplankomputing.com/blog/tutorials/recaptcha-php-demo-tutorial/
13  Game Administration, Installation and Configuration / Game Administration Chat / Re: GDPR Privacy in the EU (and those who accept EU players) - Issues with Lotgd on: March 26, 2018, 09:42:31 AM
The last one Tongue

I'll make hopefully the last stuff on easter.

I updated my lotgd install to 16.04 with php7 + myslq 5.7.
Not a lot of fun though.

I had double-encoded utf8 strings in my db -_- now it's all fixed.
14  Game Administration, Installation and Configuration / Game Administration Chat / Re: GDPR Privacy in the EU (and those who accept EU players) - Issues with Lotgd on: February 04, 2018, 12:49:01 AM
I think I attached it in this thread "charrestore".
But I fixed minor things, mostly a search bug which did not show any chars saved if you leave the email address.

The very same actually, just minor modifications.

It works on my site well, I already restored a few.
And I like it  better w/o user email - you don't have to dally around "I can't tell you what email that char was made", because you simply don't know anymore Cheesy
15  Game Administration, Installation and Configuration / Game Administration Chat / Re: GDPR Privacy in the EU (and those who accept EU players) - Issues with Lotgd on: January 28, 2018, 04:57:07 AM
You can try to get the module working Smiley

Mostly try deleting or expiring a char, then it should be in the save directoy on the file system. It should now feature a sha1-hashed email.

If it doesn't generate a character copy, something might be not working.

I've had no time to work on the module - busy at work atm.
Pages: [1] 2 3 ... 15

*
DragonPrime Notices
Play LoGD on Dragonprime

Support Us
No funds raised yet this year
Your help is greatly appreciated!
Recent Topics
DragonPrime LoGD
Who's Online
114 Guests, 1 User
Daenerys
Home Forums News Downloads Login Register Advanced Search