DragonPrime - LoGD Resource Community
Welcome Guest
  • Good afternoon, Guest.
    Please log in, or register.
  • July 20, 2019, 04:56:46 PM
Home Forums News Downloads Login Register Advanced Search
* * *
DragonPrime Menu
Login
 
 
Resource Pages
Search

Pages: [1]   Go Down
  Print  
Author Topic: WARNING!!!  (Read 7791 times)
0 Members and 1 Guest are viewing this topic.
Talisman
Administrator
Mod God
*****
Offline Offline

Posts: 5484



View Profile WWW
« on: June 26, 2004, 05:12:28 PM »

CHECK MODS BEFORE YOU INSTALL THEM!!!!!!!!!!!

A snippit of code designed to extract the game administrator's password has just been brought to my attention.  I would like to remind everyone who uses mods from ANY source, be it DragonPrime, other mod sites or from their players, to READ THE CODE! 

While I will do my utmost to keep malicious code out of this site, you are your own final failsafe.  Protect yourself.

Any person who uploads malicious/hacking type code to DragonPrime will find themselves instantly banned from DragonPrime.
« Last Edit: April 30, 2007, 06:51:08 PM by Talisman » Logged

Play the latest beta version here on DragonPrime
dvd871
Guest
« Reply #1 on: June 27, 2004, 12:22:37 AM »

Encrypt user passwords:

Code:
*Warning* *Warning* Warning* *Warning* *Warning* Warning*  
-----------------------------------------------------------------
The first thing to note with this mod, AND IT IS VERY,VERY,VERY IMPORTANT!!!! is that existing users passwords will need to be encrypted in order to work.  This is something that should have been included in the original code from the very start :)
-----------------------------------------------------------------
*Warning* Warning* *Warning* *Warning* Warning* *Warning*

Unless someone writes a script to encrypt database passwords automatically, you will need to use a program like phpmyadmin and look up the user password for each user.  Then create a script called convert.php with the following:

<?php
$p1 
"original_user_password";  // insert current user password from phpmyqdmin here
$p2 d5($p1);
echo
"the new user password is:  $p2; // this is the new password to cut and paste into phpmyqdmin
?>


-----------------------------------------------------------------
Changes that need to be made:

In mySQL change the password field in the accounts table from binary(32) to varchar(32).
Easy to do if you use phpmyadmin.


In create.php find:
-----------------------------------------------------------------
if ($_GET['r']>""){
$sql = "SELECT acctid FROM accounts WHERE login='{$_GET['r']}'";
$result = db_query($sql);
$ref = db_fetch_assoc($result);
$referer=$ref['acctid'];
}else{
$referer=0;
}
-----------------------------------------------------------------
After add:
                // secure password mod
                $pass=md5($HTTP_POST_VARS[pass1]);
                //end mod
-----------------------------------------------------------------
find:
$sql = "INSERT INTO accounts
(name,
title,
password,
sex,
login,
laston,
uniqueid,
lastip,
superuser,
gold,
emailaddress,
emailvalidation,
referer
) VALUES (
'$title $shortname',
'$title',
'$HTTP_POST_VARS[pass1]',
'$HTTP_POST_VARS[sex]',
'$shortname',
'".date("Y-m-d H:i:s",strtotime("-1 day"))."',
'$_COOKIE[lgi]',
'".$_SERVER['REMOTE_ADDR']."',
".getsetting("superuser",0).",
".getsetting("newplayerstartgold",50).",
'$_POST[email]',
'$emailverification',
'$referer'
)";
-----------------------------------------------------------------
replace with:
$sql = "INSERT INTO accounts
(name,
title,
password,
sex,
login,
laston,
uniqueid,
lastip,
superuser,
gold,
emailaddress,
emailvalidation,
referer
) VALUES (
'$title $shortname',
'$title',
'$pass',
'$HTTP_POST_VARS[sex]',
'$shortname',
'".date("Y-m-d H:i:s",strtotime("-1 day"))."',
'$_COOKIE[lgi]',
'".$_SERVER['REMOTE_ADDR']."',
".getsetting("superuser",0).",
".getsetting("newplayerstartgold",50).",
'$_POST[email]',
'$emailverification',
'$referer'
)";
-----------------------------------------------------------------
find:
}else{
output("<form action='login.php' method='POST'><input name='name' value=\"$shortname\" type='hidden'><input name='password' value=\"$HTTP_POST_VARS[pass1]\" type='hidden'>
Your account was created, your login name is `^$shortname`0.  `n`n<input type='submit' class='button' value='Click here to log in'></form>`n`n"
.($trash>0?"Characters that have never been logged in to will be deleted after $trash day(s) of no activity.`n":"")
.($new>0?"Characters that have never reached level 2 will be deleted after $new days of no activity.`n":"")
.($old>0?"Characters that have reached level 2 at least once will be deleted after $old days of no activity.":"")
."",true);
-----------------------------------------------------------------
replace with:
}else{
output("<form action='login.php' method='POST'><input name='name' value=\"$shortname\" type='hidden'><input name='password' value=\"$pass\" type='hidden'>
Your account was created, your login name is `^$shortname`0.  `n`n<input type='submit' class='button' value='Click here to log in'></form>`n`n"
.($trash>0?"Characters that have never been logged in to will be deleted after $trash day(s) of no activity.`n":"")
.($new>0?"Characters that have never reached level 2 will be deleted after $new days of no activity.`n":"")
.($old>0?"Characters that have reached level 2 at least once will be deleted after $old days of no activity.":"")
."",true);
-----------------------------------------------------------------
In login.php find:
$sql = "SELECT * FROM accounts WHERE login = '$HTTP_POST_VARS[name]' AND password='$HTTP_POST_VARS[password]' AND locked=0";
-----------------------------------------------------------------
replace with:
$sql = "SELECT * FROM accounts WHERE login = '$HTTP_POST_VARS[name]' AND password='$pass' AND locked=0";
-----------------------------------------------------------------

This will give you passwords that are encrypted with the md5 encryption and stored in your mySQL database.  md5 is a one way encryption scheme.  With these changes when user password data is submitted it is encrypted and compaired to the stored result.  Even if a hacker was to get a list of passwords from your server it would be useless as they would have to know the unencrypted password value in order to use it. Smiley

I don't have time right now to write the script to encrypt the existing user passwords in the mySQL database, but I'm sure someone here can Wink

Peace,
dvd871
« Last Edit: June 27, 2004, 12:32:39 AM by dvd871 » Logged
thegleek
Guest
« Reply #2 on: June 27, 2004, 02:23:33 AM »

CHECK MODS BEFORE YOU INSTALL THEM!!!!!!!!!!!

A snippit of code designed to extract the game administrator's password has just been brought to my attention.  I would like to remind everyone who uses mods from ANY source, be it DragonPrime, other mod sites or from their players, to READ THE CODE!  

While I will do my utmost to keep malicious code out of this site, you are your own final failsafe.  Protect yourself.

Any person who uploads malicious/hacking type code to DragonPrime will find themselves instantly banned from DragonPrime.

um that sux man! wtf?

but it'd be nice to know which mod it was so we can look at which ones we installed and now/may have to remove from our system... k?

« Last Edit: June 27, 2004, 02:24:01 AM by thegleek » Logged
Talisman
Administrator
Mod God
*****
Offline Offline

Posts: 5484



View Profile WWW
« Reply #3 on: June 27, 2004, 02:44:57 AM »

The mod was never posted here, and as far as I know, was only provided to one server.

Logged

Play the latest beta version here on DragonPrime
Kendaer
Guest
« Reply #4 on: June 27, 2004, 11:06:51 AM »

Just a note, if people install the changes mentioned above to encrypt your current passwords, it is POSSIBLE that if you decide to upgrade to 0.9.8 you will not be able to log in.

0.9.8 uses a secure password system and is designed to attempt to upgrade games from previous versions.  We support upgrading from no encryption or single-md5 encryption to the double md5 hashing which is currently in use.

The reason for this is that on browsers which support javascript we do an initial MD5 on the BROWSER side, so the password is never even sent across the net in plain text if we can avoid it. (this prevents admins from just modifying the create/login pages to store off users passwords as we had reports of people doing)  The upgrade scripts on the game will automatically upgrade all of the passwords in the game when they are loaded.

From looking at the code, it seems like this *should* be upgradeable to the current 0.9.8 scheme, but I figured a warning was in order so that if something did break, you all knew why..  please note that if it does break, you will have to contact each player and manually reset their password as they are NOT recoverable once they have been MD5 hashed.
Logged
dvd871
Guest
« Reply #5 on: June 27, 2004, 12:25:07 PM »

That's a good point.  I hadn't considered the upgrading from 0.9.7 to 0.9.8 aspect.

I also should have mentioned that whenever you do any major changes like this, ALWAYS do a mySQL export of all your tables with the data included FIRST!  That way if it all goes bad, you can at least get back to where you started.
Logged
thegleek
Guest
« Reply #6 on: June 27, 2004, 08:57:14 PM »

I also should have mentioned that whenever you do any major changes like this, ALWAYS do a mySQL export of all your tables with the data included FIRST!  That way if it all goes bad, you can at least get back to where you started.

for those who have shell access to their servers running logd (php/mysql), this is how u backup your logd database:

mysqldump -uuser -ppassword dbname > logd-backup.sql

and to restore all that data back into a new db:

mysql -uuser -ppassword -Ddbname < logd-backup.sql

i hope someone finds that useful...
« Last Edit: June 27, 2004, 08:59:15 PM by thegleek » Logged
dark_archon
Guest
« Reply #7 on: August 01, 2004, 12:30:00 AM »

Encrypt user passwords:
This will give you passwords that are encrypted with the md5 encryption and stored in your mySQL database.  md5 is a one way encryption scheme.  With these changes when user password data is submitted it is encrypted and compaired to the stored result.  Even if a hacker was to get a list of passwords from your server it would be useless as they would have to know the unencrypted password value in order to use it. Smiley

I don't have time right now to write the script to encrypt the existing user passwords in the mySQL database, but I'm sure someone here can Wink

Peace,
dvd871

Well... I've tried this but it gives me the "Login Incorrect" error. The encrypted passwords are stored in the db, but now users just can't login...

Edit: One part of the problem solved - They Are able to log in. But... when changing the passwords in prefs.php they still get it in the normal - unencrypted fotm.
« Last Edit: August 01, 2004, 01:31:18 AM by dark_archon » Logged
dvd871
Guest
« Reply #8 on: August 01, 2004, 11:30:13 AM »

Here's the changes that need to be made in prefs.php:

find:
Code:
if (count($_POST)==0){
}else{

After add:
Code:
   $pass1 = md5($_POST[pass1]);
    $pass2 = md5($_POST[pass2]);

Next find:
Code:
$session[user][password]=$_POST[pass1];

Change to:
Code:
$session[user][password]=$pass1;

That should do it for you. Smiley
Logged
Davisionis
Guest
« Reply #9 on: February 23, 2005, 01:31:00 PM »

Just in case no one knows: Wink

the Latest Pre-Release .0.9.8 comes with this feature.  Smiley

I know because I have it, and when I was going to make the necessary changes, I noticed that the passwords were already encrypted;
at least I think so, they looked something along the lines of this:

6c0d8b08423072a4ea381dce 90e57b5c

this is a md5 encrypted pass, isn't it?

stay cool
Davisionis
Logged
Sichae
iMod God
SVN Users
Mod God
*
Offline Offline

Posts: 3458


If ya didn't get it by now... you're hopeless...


View Profile WWW
« Reply #10 on: February 23, 2005, 01:35:13 PM »

Nah, that is a Double MD5 encryption... Tongue

In fact, this has been instated... since about august, when 0.9.8 was released. ^_^
« Last Edit: February 23, 2005, 01:36:15 PM by Sichae » Logged

If you didn't understand anything in the above post, don't try to attempt anything suggested.

Talisman
Administrator
Mod God
*****
Offline Offline

Posts: 5484



View Profile WWW
« Reply #11 on: February 23, 2005, 01:41:13 PM »

This warning only applies to version .97.  Version .98 has incorporated password encryption since before pre-release 1.
Logged

Play the latest beta version here on DragonPrime
Excalibur
Member
Mod God
*****
Offline Offline

Posts: 573


I'm a newbie, plz forgive me!


View Profile WWW
« Reply #12 on: October 23, 2006, 05:39:38 AM »

For what is worth:
it miss a line in login.php to be fully functional.

Find:
Code:
        if(0){
        }else{
Add after:
Code:
            $pass = md5($HTTP_POST_VARS['password']);

Excalibur
Logged

Spock: Random chance seems to have operated in our favor.
McCoy: In plain, non-Vulcan English, we've been lucky.
Spock: I believe I said that, Doctor.
Pages: [1]   Go Up
  Print  
 
Jump to:  


*
DragonPrime Notices
Version 1.1.2 is the current supported version and is available for download.

Support Us
No funds raised yet this year
Your help is greatly appreciated!
Recent Topics
DragonPrime LoGD
Who's Online
102 Guests, 0 Users
Home Forums News Downloads Login Register Advanced Search