[SECURITY] Clan System Flaws

  1. #1 SheenBR (custom title: Fuck.) | Rank: Moderator | Joined: Feb 2008 | Location: Jaú, Brazil | Posts: 2,391

    [SECURITY] Clan System Flaws


    If you are using this version, or even a derived version, of these clan system files ([Sharing] Working Sandurr's Clan System Version 2.0 - RaGEZONE forums), you should be aware of the following:

    Every ASP file has SQL injection vulnerabilities. I could delete members from your clan, delete your clans and databases, insert records, change records, and even change your SQL password. I'm not giving ANY info on HOW to do that.


    How to protect yourself:

    Just edit your scripts and add a check for illegal characters to every value received from the QueryString (usually they look like this: Trim(Request("chname")) ).



    Learning purposes:

    The flaw is in the way the query string is created. Concatenating the user input directly into the query string, as sandurr did (QUERY = "SELECT * FROM UL WHERE ChName = '" & chname & "'"), creates a HUGE security flaw.
    Last edited by SheenBR; 05-12-13 at 02:22 AM.


  2. #2 SunnyZ (custom title: Professional Aussie) | Rank: True Member | Joined: Jul 2006 | Location: Australia | Posts: 615

    Re: [SECURITY] Clan System Flaws

    haha yeah. I used this exploit years ago in ept to create clans.
    The clan master was not working after the change of companies, and continued not to work for a good 1 and a half to 2 years after that.

    I got quite rich in game charging people gold for me to make clans for them XD

    Shhh don't tell anyone...

  3. #3 SheenBR (custom title: Fuck.) | Rank: Moderator | Joined: Feb 2008 | Location: Jaú, Brazil | Posts: 2,391

    Re: [SECURITY] Clan System Flaws

    haha you smart a**!

    The flaws that enable you to create or delete clans are not exactly SQL injection flaws; in fact, they are coding flaws. Not enough checks to ensure the account is real, etc.

    If I open ClanInsert.aspx and complete all the query strings needed, but with fake info (any fake info), the result would be a successfully created clan.

    IMO, I think the scripts need a GOOD rewrite. From scratch. This is a really old flaw, but almost no one knew it =p

  4. #4 DarkKnightH20 (custom title: Account Upgraded | Title Enabled!) | Joined: Jul 2006 | Location: Magic Schoolbus | Posts: 1,681

    Re: [SECURITY] Clan System Flaws

    The best form of protection here would be to use stored procedures.

    It's more time consuming to do, but the end result is more secure.

    Though not as secure, you can also remove all non-alphanumeric characters. Here's a procedure for doing so:
    Remove all non AlphaNumeric characters from String

    Good luck guys. You'll need it...Bwahahahaha!
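As an added example (not code from Sandurr's release or from anyone in this thread), here is the concatenated lookup quoted in post #1 next to the parameterised and stored-procedure forms that post #4 recommends, written as classic ASP/VBScript. It assumes an open ADODB.Connection named conn, the UL table and ChName column quoted above, a 20-character name limit, and a hypothetical stored procedure named dbo.GetClanMember.

```vbscript
<%
' Added example, not code from Sandurr's release: the concatenated query quoted in
' post #1 beside the same lookup done with bound parameters, and the stored
' procedure route suggested in post #4. Assumes an open ADODB.Connection in "conn",
' the UL table with its ChName column, and a hypothetical procedure dbo.GetClanMember.
Const adCmdText = 1, adCmdStoredProc = 4, adVarChar = 200, adParamInput = 1

' As shipped: the user-supplied value becomes part of the SQL text, so a quote
' inside it closes the string literal and whatever follows is parsed as SQL.
Function LookupClanMember_Unsafe(conn, chname)
    Set LookupClanMember_Unsafe = conn.Execute("SELECT * FROM UL WHERE ChName = '" & chname & "'")
End Function

' Fixed: the value is bound to a ? placeholder, so it is only ever data.
Function LookupClanMember(conn, chname)
    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    cmd.CommandText = "SELECT * FROM UL WHERE ChName = ?"
    cmd.Parameters.Append cmd.CreateParameter("ChName", adVarChar, adParamInput, 20, chname)
    Set LookupClanMember = cmd.Execute
End Function

' Same lookup through a stored procedure; the name is still passed as a parameter,
' never spliced into an EXEC string.
Function LookupClanMember_Proc(conn, chname)
    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdStoredProc
    cmd.CommandText = "dbo.GetClanMember"   ' hypothetical procedure name
    cmd.Parameters.Append cmd.CreateParameter("@ChName", adVarChar, adParamInput, 20, chname)
    Set LookupClanMember_Proc = cmd.Execute
End Function

' Still worth doing in front of every Request value: trim and cap the length,
' as post #1 advises. Binding already stops injection; this limits junk input.
Function CleanName(raw)
    Dim s
    s = Trim(raw)
    If Len(s) > 20 Then s = Left(s, 20)
    CleanName = s
End Function

Dim rs
Set rs = LookupClanMember(conn, CleanName(Request.QueryString("chname")))
%>
```

The unsafe function is kept only to show what the released files do; every page that builds SQL from Request values should use one of the two bound forms instead.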

  5. #5 Casper112 (custom title: Member) | Rank: Member | Joined: Aug 2007 | Location: The Netherlands | Posts: 99

    Re: [SECURITY] Clan System Flaws

    Thanks for the information. Too bad you made this public before contacting some servers to prevent further issues.

  6. #6 SunnyZ (custom title: Professional Aussie) | Rank: True Member | Joined: Jul 2006 | Location: Australia | Posts: 615

    Re: [SECURITY] Clan System Flaws

    Quote Originally Posted by Casper112:
    Thanks for the information. Too bad you made this public before contacting some servers to prevent further issues.

    ...we are equal opportunity here.
    Either everyone knows, or no one knows.

    He told you the problem and he told you how to fix it.
    That is beyond good enough. It is not his job to pick and choose certain private servers to contact to tell them of this problem before posting it here.

    If you feel your server may be compromised take down these files for emergency maintenance and manually create/edit clans for people who need it until the problem is solved.
    Last edited by SunnyZ; 16-01-13 at 12:42 PM.

  7. #7 bobsobol (custom title: Custom title enabled) | Joined: May 2007 | Location: UK | Posts: 5,751

    Re: [SECURITY] Clan System Flaws

    Quote Originally Posted by SheenBR:
    The flaw is in the way the query string is created. Concatenating the user input directly into the query string, as sandurr did (QUERY = "SELECT * FROM UL WHERE ChName = '" & chname & "'"), creates a HUGE security flaw. He should know better
    He did! That statement, and my response, have been made before. The usual assumption is that, that being the case, he left it in there so he had a backdoor to attack other servers.

    That's not the correct implication at all. I'm sure I've also seen him say (though it may have been either Quantum or Shagpub, who were also active in that release's development) that that code was worked on by developers, for developers to test and debug. It was not created for pServers to use on a day to day basis.

    In other words, it's pseudo code for you to test the limits within a safe environment and base your own release version on. It's not meant to be secure, it's meant to be simple enough for everyone to understand, and treat as a basic prototype.
    Quote Originally Posted by SheenBR:
    This is a really old flaw, but almost no one knew it =p
    I always thought *everyone* knew it!

    There were several threads on it in the past, I thought there were posts in the release thread and Gregoo had posted an excellent guide, warning everyone about the dangers with details (though, possibly in php?) on how to avoid this exploit.

    I also know that he did some "ethical hacking" to prove to popular, existing servers at the time that they had not patched these flaws, offering to help them.
    IDK if he was asking money or not, but the server admins who spoke to me about it were highly offended by his actions, and felt they were being "held to ransom". I would have considered it a warning and an offer of help, but I know where they are coming from.
    I'm very glad this thread is up, and hope that it will stay (where Gregoos did not) because it seems that (contrary to my previous understanding) this is *news* for some people!

    --- EDIT ---
    From memory, the most basic advice (which is about all I understand of server side scripting) was to strip anything which may be interpreted as a string enclosure by SQL, and limit the length of input fields.

    i.e. Something like
    Code:
    ' Cap the field at 15 characters
    If Len(userName) > 15 Then userName = Left(userName, 15)
    ' Cut the value off at the first "!" (Chr(33)), if there is one
    If InStr(userName, Chr(33)) <> 0 Then userName = Left(userName, InStr(userName, Chr(33)) - 1)
    ' Cut the value off at the first single quote, the SQL string enclosure
    If InStr(userName, "'") <> 0 Then userName = Left(userName, InStr(userName, "'") - 1)
    This is NOT real code... this is an example of the process you should perform on every variable filled by a user submitted field!
    Making it a subroutine in a script included on every page which does any real processing would be good, but clean up and fix my (off the top of my head) code first please.

    That doesn't remove the exploit, but I believe it pretty much neuters it. Any attempted SQL command of any use should simply crash, and the worst that would do is bring down your IIS / SQL server.

    At least, that's my *basic* understanding.
    Last edited by bobsobol; 17-01-13 at 06:45 PM.

  8. #8 SheenBR (custom title: Fuck.) | Rank: Moderator | Joined: Feb 2008 | Location: Jaú, Brazil | Posts: 2,391

    Re: [SECURITY] Clan System Flaws

    Quote Originally Posted by bobsobol:
    I always thought *everyone* knew it!


    I thought that anybody knew it because I never saw any threads discussing it, at least any new ones... I think people forgot about it? I never saw it mentioned anywhere else either, though it should be nice to let everyone know

  9. #9 bobsobol (custom title: Custom title enabled) | Joined: May 2007 | Location: UK | Posts: 5,751

    Re: [SECURITY] Clan System Flaws

    It was. And I've watched threads about it being deleted because those who contributed most have cleared out their posts. (not just Gregoo, and he didn't do it to those posts specifically, that was a more general protest)

    I have no idea why people who report about this point pull the information later. Maybe they get bored of being accused of being haxors who rape and bring down servers.

    For the record, exposing exploits with the intention of helping others prevent attacks is not a malicious act! It's one of charity and community which we should all be practising.

    BTW... that + Rep I just gave Sheen is a big one, because I just hadn't realised this issue had dropped off the radar like that. I recommend everyone else this expo has helped give him one too. Even if it only alerts you to the fact that your security is as weak as a used teabag and you have to find the rest out yourself.

    --- EDIT ---
    Oops! When I say "give him one too" I mean a rep +... and a like... you can "give him one" something else if you're female I suppose. He may appreciate that.

  10. #10 Rovarav (custom title: Account Inactive) | Rank: Inactive | Joined: Nov 2010 | Posts: 31

    Re: [SECURITY] Clan System Flaws

    I have protected clan files.
    PM me if you would like more information.

  11. #11 SunnyZ (custom title: Professional Aussie) | Rank: True Member | Joined: Jul 2006 | Location: Australia | Posts: 615

    Re: [SECURITY] Clan System Flaws

    Or just get the MPT clan files for free here: http://members.iinet.net.au/~samscal...CLAN-FILES.rar

    MPT website here (if it is of any use to anyone): http://members.iinet.net.au/~samscale/MPT/MPT-SITE.rar

  12. #12 DarkKnightH20 (custom title: Account Upgraded | Title Enabled!) | Joined: Jul 2006 | Location: Magic Schoolbus | Posts: 1,681

    Re: [SECURITY] Clan System Flaws

    Quote Originally Posted by Casper112:
    Thanks for the information. Too bad you made this public before contacting some servers to prevent further issues.
    It's been known for literally years that these files were subject to SQL injection. This is just the first time it has been addressed in a large way though. Easy fix regardless.

  13. #13 niik (custom title: Registered) | Rank: Member | Joined: Sep 2010 | Posts: 9

    Re: [SECURITY] Clan System Flaws

    And you never thought to mention my name?
    So selfish. Keep the credits.

  14. #14 SheenBR (custom title: Fuck.) | Rank: Moderator | Joined: Feb 2008 | Location: Jaú, Brazil | Posts: 2,391

    Re: [SECURITY] Clan System Flaws

    hum... credits for what? You didn't discover it, it was already there and pointed out by several members in the past. And AFAIK you didn't create the clan script as well. And I am sure you didn't tell me that flaw, since I already knew it for years...

    Just decided to share it with everyone after some troubles with some BR PServers (shame on me.... )


    Turns out that they just edited their posts and removed the information. You would know if you had read bobsobol's post, it is very interesting tho.

    I believe that's the main reason Gregoo had released his clan files (flawless, I guess) and then removed them for some unknown reason (at least for me).

    I hope some older member can enlighten you about this subject. =p
    Last edited by SheenBR; 23-01-13 at 03:11 AM.

  15. #15 niik (custom title: Registered) | Rank: Member | Joined: Sep 2010 | Posts: 9

    Re: [SECURITY] Clan System Flaws

    Quote Originally Posted by SheenBR:
    And I am sure you didn't tell me that flaw, since I already knew it for years...
    hahahahahahah

    Yeah, ok so.
