DragonPrime - LoGD Resource Community
Author Topic: SU_EDIT_CREATURES: A warning  (Read 1911 times)
Stephen.Kise
« on: April 22, 2016, 05:17:10 PM »

I know that this is an oversight in the current build of Legend of the Green Dragon, which I am sure has been mentioned before... But as it stands, you (the administrators) should consider the 'Creature Editor' flag as giving full access to your entire server. SU_EDIT_CREATURES is on par with the dangers of SU_RAW_SQL.

The Creature Editor has an AI section. This evaluates PHP code and runs it through whenever the creature is encountered. A simple AI script could give the user full access to the entire server by highlighting the dbconnect.php file, creating a sudo user (if the server is not properly set up), truncating tables, or even deleting all files. So if you are thinking of creating creatures, do them yourself or give access to someone you trust.

Slowly progressing fork with PHP 7 support: https://github.com/stephenKise/Legend-of-the-Green-Dragon
Aeolus
« Reply #1 on: April 22, 2016, 06:34:08 PM »

Perhaps a modification is required in which a new constant (SU_EDIT_CREATURES_AI) is required so that SU_EDIT_CREATURES editors can edit creatures but not display the AI input.

Wouldn't be hard either: 1) create new constant, 2) add constant to SU flags in UE, 3) display AI input only if $session['user']['superuser'] & SU_EDIT_CREATURES_AI is true.
« Last Edit: April 22, 2016, 06:35:56 PM by The Doctor »

Stephen.Kise
« Reply #2 on: April 22, 2016, 10:55:45 PM »

> Perhaps a modification is required in which a new constant (SU_EDIT_CREATURES_AI) is required so that SU_EDIT_CREATURES editors can edit creatures but not display the AI input.
>
> Wouldn't be hard either: 1) create new constant, 2) add constant to SU flags in UE, 3) display AI input only if $session['user']['superuser'] & SU_EDIT_CREATURES_AI is true.

To simplify things, I was thinking of the SU_MEGA_USER flag or the SU_RAW_SQL. Would be a quick line edit. But it doesn't look like progression will be made.

Aeolus
« Reply #3 on: April 23, 2016, 12:38:49 AM »

> To simplify things, I was thinking of the SU_MEGA_USER flag or the SU_RAW_SQL. Would be a quick line edit. But it doesn't look like progression will be made.

I've added it to the updated core that's linked in my signature.

Megan|SaraBeth
« Reply #4 on: October 19, 2016, 06:44:43 PM »

I never used my AI section when creature making so I went into the editor file and commented out the AI section.

Stephen.Kise
« Reply #5 on: October 19, 2016, 08:47:23 PM »

> I never used my AI section when creature making so I went into the editor file and commented out the AI section.

If you mean that you removed the textarea for the AI code, then you definitely removed all chances of someone exploiting this. If you removed what I mentioned when I exploited it on your server, then you may have removed this exploit properly.

Aeolus
« Reply #6 on: October 19, 2016, 09:05:52 PM »

> > I never used my AI section when creature making so I went into the editor file and commented out the AI section.
>
> If you mean that you removed the textarea for the AI code, then you definitely removed all chances of someone exploiting this. If you removed what I mentioned when I exploited it on your server, then you may have removed this exploit properly.

Would the risk be completely removed just by hiding the textbox? Inspect Element could come into play just as much here as it did with the prefs, as the creatures.php code takes everything posted and adds it straight into the SQL query without checking.

Stephen.Kise
« Reply #7 on: October 19, 2016, 09:10:01 PM »

> > > I never used my AI section when creature making so I went into the editor file and commented out the AI section.
>
> > If you mean that you removed the textarea for the AI code, then you definitely removed all chances of someone exploiting this. If you removed what I mentioned when I exploited it on your server, then you may have removed this exploit properly.
>
> Would the risk be completely removed just by hiding the textbox? Inspect Element could come into play just as much here as it did with the prefs, as the creatures.php code takes everything posted and adds it straight into the SQL query without checking.

I thought it would be more obvious that I was being sarcastic. You can just re-add the element and post. It is the checks after post that need to be fixed as well.

Megan|SaraBeth
« Reply #8 on: October 19, 2016, 09:13:42 PM »

I removed what was entered in the AI box and hid the AI box, yea.
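The server-side check discussed in Replies #1, #6 and #7, shown as an added example that is not part of any post above and is not LoGD code: the posted fields are reduced to an allowlist on every save, and the AI field is accepted only when the separate flag is set, so hiding or re-adding the textarea in the browser changes nothing. The flag values, the field names and the `filter_creature_post()` helper are assumptions made for illustration.

```php
<?php
// Added example, not LoGD code. Flag values and field names are constructed.
const SU_EDIT_CREATURES    = 1 << 3;   // constructed value, not the real one
const SU_EDIT_CREATURES_AI = 1 << 20;  // flag proposed in Reply #1, constructed value

// Columns any creature editor may write (illustrative names).
const CREATURE_FIELDS = ['name', 'level', 'weapon'];
// Column holding the PHP that is evaluated on encounter (hypothetical name).
const AI_FIELD = 'ai_script';

/**
 * Reduce a raw POST array to the columns this user is allowed to write.
 * Runs on the server for every save, independent of what the form displayed.
 */
function filter_creature_post(array $post, int $superuser): array
{
    if (($superuser & SU_EDIT_CREATURES) !== SU_EDIT_CREATURES) {
        throw new RuntimeException('creature editor access required');
    }

    $allowed = CREATURE_FIELDS;
    if (($superuser & SU_EDIT_CREATURES_AI) === SU_EDIT_CREATURES_AI) {
        $allowed[] = AI_FIELD;
    }

    // Keep only allowlisted keys; unknown or forbidden fields are dropped,
    // so a stored AI script is never overwritten by an unprivileged editor.
    $clean = array_intersect_key($post, array_flip($allowed));

    // Reject nested arrays such as ai_script[]=... smuggled into the request.
    foreach ($clean as $key => $value) {
        if (!is_string($value)) {
            unset($clean[$key]);
        }
    }
    return $clean;
}

// Constructed request: the form hid the AI box, the client posted it anyway.
$post = ['name' => 'Rat', 'level' => '1', 'ai_script' => '/* posted */', 'extra' => 'x'];

$editor   = filter_creature_post($post, SU_EDIT_CREATURES);
$aiEditor = filter_creature_post($post, SU_EDIT_CREATURES | SU_EDIT_CREATURES_AI);

var_dump(array_keys($editor));    // fields kept for a plain creature editor
var_dump(array_keys($aiEditor));  // fields kept when the AI flag is also set
```

The filtered values still have to reach the database through bound parameters rather than string concatenation, which is the second half of the concern raised in Reply #6.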