DragonPrime - LoGD Resource Community
Welcome Guest
  • Good morning, Guest.
    Please log in, or register.
  • December 15, 2018, 09:59:00 AM
Home Forums News Downloads Login Register Advanced Search
* * *
DragonPrime Menu
Login
 
 
Resource Pages
Search

Pages: [1]   Go Down
  Print  
Author Topic: SU_EDIT_CREATURES: A warning  (Read 3077 times)
0 Members and 1 Guest are viewing this topic.
Sunday
Codemeister
****
Offline Offline

Posts: 400


So meme'd up.


View Profile
« on: April 22, 2016, 05:17:10 PM »

I know that this is an oversight in the current build of Legend of the Green Dragon, which I am sure that has been mentioned before... But as it stands, you (the administrators) should consider the 'Creature Editor' flag as giving full access to your entire server. SU_EDIT_CREATURES is on par with the dangers of SU_RAW_SQL.

The Creature Editor has an AI section. This evaluates PHP code and runs it through whenever the creature is encountered. A simple AI script could give the user full access to the entire server by highlighting the dbconnect.php file, creating a sudo user (if the server is not properly set up), truncating tables, or even deleting all files. So if you are thinking of creating creatures, do them yourself or give access to someone you trust.
Logged

Slowly progressing fork with PHP 7 support: https://github.com/stephenKise/Legend-of-the-Green-Dragon
Cheap VPS Hosting (10$ credit!): https://m.do.co/c/acde75b086c5

A new server in the making...
Aeolus
Mod God
*****
Offline Offline

Posts: 1912


You're welcome.


View Profile WWW
« Reply #1 on: April 22, 2016, 06:34:08 PM »

Perhaps a modification is required in which a new constant (SU_EDIT_CREATURES_AI) is required so that SU_EDIT_CREATURES editors can edit creatures but not display the AI input.

Wouldn't be hard either: 1) create new constant, 2) add constant to SU flags in UE, 3) display AI input only if $session['user']['superuser'] & SU_EDIT_CREATURES_AI is true.
« Last Edit: April 22, 2016, 06:35:56 PM by The Doctor » Logged

Sunday
Codemeister
****
Offline Offline

Posts: 400


So meme'd up.


View Profile
« Reply #2 on: April 22, 2016, 10:55:45 PM »

Perhaps a modification is required in which a new constant (SU_EDIT_CREATURES_AI) is required so that SU_EDIT_CREATURES editors can edit creatures but not display the AI input.

Wouldn't be hard either: 1) create new constant, 2) add constant to SU flags in UE, 3) display AI input only if $session['user']['superuser'] & SU_EDIT_CREATURES_AI is true.

To simplify things, I was thinking of the SU_MEGA_USER flag or the SU_RAW_SQL. Would be a quick line edit. But it doesn't look like progression will be made.
Logged

Slowly progressing fork with PHP 7 support: https://github.com/stephenKise/Legend-of-the-Green-Dragon
Cheap VPS Hosting (10$ credit!): https://m.do.co/c/acde75b086c5

A new server in the making...
Aeolus
Mod God
*****
Offline Offline

Posts: 1912


You're welcome.


View Profile WWW
« Reply #3 on: April 23, 2016, 12:38:49 AM »

To simplify things, I was thinking of the SU_MEGA_USER flag or the SU_RAW_SQL. Would be a quick line edit. But it doesn't look like progression will be made.

I've added it to the updated core that's linked in my signature.
Logged

Megan|SaraBeth
Mod God
*****
Offline Offline

Posts: 1065



View Profile WWW
« Reply #4 on: October 19, 2016, 06:44:43 PM »

I never used my AI section when creature making so I went into the editor file and commented out the AI section.
Logged

Sunday
Codemeister
****
Offline Offline

Posts: 400


So meme'd up.


View Profile
« Reply #5 on: October 19, 2016, 08:47:23 PM »

I never used my AI section when creature making so I went into the editor file and commented out the AI section.

If you mean that you removed the textarea for the AI code, then you definitely removed all chances of someone exploiting this. If you removed what I mentioned when I exploited it on your server, then you may have removed this exploit properly.
Logged

Slowly progressing fork with PHP 7 support: https://github.com/stephenKise/Legend-of-the-Green-Dragon
Cheap VPS Hosting (10$ credit!): https://m.do.co/c/acde75b086c5

A new server in the making...
Aeolus
Mod God
*****
Offline Offline

Posts: 1912


You're welcome.


View Profile WWW
« Reply #6 on: October 19, 2016, 09:05:52 PM »

I never used my AI section when creature making so I went into the editor file and commented out the AI section.

If you mean that you removed the textarea for the AI code, then you definitely removed all chances of someone exploiting this. If you removed what I mentioned when I exploited it on your server, then you may have removed this exploit properly.

Would the risk be completely removed just by hiding the textbox? Inspect Element could come into play just as much here as it did with the prefs, as the creatures.php code takes everything posted and adds it straight into the SQL query without checking.
Logged

Sunday
Codemeister
****
Offline Offline

Posts: 400


So meme'd up.


View Profile
« Reply #7 on: October 19, 2016, 09:10:01 PM »

I never used my AI section when creature making so I went into the editor file and commented out the AI section.

If you mean that you removed the textarea for the AI code, then you definitely removed all chances of someone exploiting this. If you removed what I mentioned when I exploited it on your server, then you may have removed this exploit properly.

Would the risk be completely removed just by hiding the textbox? Inspect Element could come into play just as much here as it did with the prefs, as the creatures.php code takes everything posted and adds it straight into the SQL query without checking.

I thought it would be more obvious that I was being sarcastic. You can just readd the element and post. It is the checks after post that need to be fixed as well.
Logged

Slowly progressing fork with PHP 7 support: https://github.com/stephenKise/Legend-of-the-Green-Dragon
Cheap VPS Hosting (10$ credit!): https://m.do.co/c/acde75b086c5

A new server in the making...
Megan|SaraBeth
Mod God
*****
Offline Offline

Posts: 1065



View Profile WWW
« Reply #8 on: October 19, 2016, 09:13:42 PM »

I removed what was entered in the AI box and hid the AI box, yea.
Logged

Pages: [1]   Go Up
  Print  
 
Jump to:  


*
DragonPrime Notices
Welcome to DragonPrime - The LoGD Resource Community!

Support Us
No funds raised yet this year
Your help is greatly appreciated!
Recent Topics
DragonPrime LoGD
Who's Online
93 Guests, 1 User
Talisman
Home Forums News Downloads Login Register Advanced Search