[SECURITY] Clan System Flaws

Moderator (Staff member), joined Feb 22, 2008:
If you are using this version, or even a derived version, of these clan system files ([Sharing] Working Sandurr's Clan System Version 2.0 - RaGEZONE forums), you should be aware of the following:

Every ASP file has SQL injection vulnerabilities. I could delete members from your clan, delete your clans, databases, insert records, change records, and even change your SQL password. I'm not giving ANY info on HOW to do that.


How to protect yourself:

Just edit your scripts and add a check for illegal characters in every value received from the QueryString (usually they look like this: Trim(Request("chname"))).



Learning purposes:

The flaw is in the way the query string is created. Concatenating the user input directly into the query string, as Sandurr did (QUERY = "SELECT * FROM UL WHERE ChName = '" & chname & "'"), creates a HUGE security flaw.
 
Moderator (Staff member), joined Feb 22, 2008:
haha you smart a**!

The flaws that enable you to create or delete clans are not exactly SQL injection flaws; in fact, they are coding flaws. Not enough checks to ensure the account is real, etc.

If I open ClanInsert.aspx and complete all the query strings needed, but with fake info (any fake info), the result is a successfully created clan. :p:

IMO, I think the scripts need a GOOD rewrite. From scratch. This is a really old flaw, but almost no one knew it =p
 
Custom Title Activated member, joined Jul 21, 2006:
The best form of protection here would be to use stored procedures.

It's more time consuming to do, but the end result is more secure.

Though not as secure, you can also remove all non-alphanumeric characters. Here's a procedure for doing so:


Good luck guys. You'll need it...Bwahahahaha!
 
Initiate Mage, joined Aug 23, 2007:
Thanks for the information. Too bad you made this public before contacting some servers to prevent further issues.
 
Member, joined Jul 24, 2006:
Thanks for the information. Too bad you made this public before contacting some servers to prevent further issues.


...we are equal opportunity here.
Either everyone knows, or no one knows.

He told you the problem and he told you how to fix it.
That is beyond good enough. It is not his job to pick and choose certain private servers to contact to tell them of this problem before posting it here.

If you feel your server may be compromised take down these files for emergency maintenance and manually create/edit clans for people who need it until the problem is solved.
 
Custom Title Activated member, joined May 26, 2007:
The flaw is in the way the query string is created. Concatenating the user input directly into the query string, as Sandurr did (QUERY = "SELECT * FROM UL WHERE ChName = '" & chname & "'"), creates a HUGE security flaw. He should know better :p:
He did! That statement, and my response, have been made before. The usual assumption is that, that being the case, he left it in there so he had a backdoor to attack other servers.

That's not the correct implication at all. I'm sure I've also seen him say (though it may have been either Quantum or Shagpub, who were also active in that release's development) that that code was worked on by developers, for developers to test and debug. It was not created for pServers to use on a day-to-day basis.

In other words, it's pseudo code for you to test the limits within a safe environment and base your own, release version on. It's not meant to be secure, it's meant to be simple enough for everyone to understand, and treat as a basic prototype.
This is a really old flaw, but almost no one knew it =p
I always thought *everyone* knew it!

There were several threads on it in the past; I thought there were posts in the release thread, and Gregoo had posted an excellent guide warning everyone about the dangers, with details (though possibly in PHP?) on how to avoid this exploit.

I also know that he did some "ethical hacking" to prove to popular, existing servers at the time that they had not patched these flaws, offering to help them.
IDK if he was asking for money or not, but the server admins who spoke to me about it were highly offended by his actions, and felt they were being "held to ransom". I would have considered it a warning and an offer of help, but I know where they are coming from.
I'm very glad this thread is up, and hope that it will stay (where Gregoo's did not) because it seems that (contrary to my previous understanding) this is *news* for some people! :scared:

--- EDIT ---
From memory, the most basic advice (which is about all I understand of server-side scripting) was to strip anything which may be interpreted as a string enclosure by SQL, and limit the length of input fields.

ie. Something like
Code:
' Cap the length first, then cut the value off at the first character that
' could be read by SQL as a string enclosure. Chr(33) is "!"; the double
' quote character is Chr(34).
If Len(userName) > 15 Then userName = Left(userName, 15)
If InStr(userName, Chr(33)) <> 0 Then userName = Left(userName, InStr(userName, Chr(33)) - 1)
If InStr(userName, "'") <> 0 Then userName = Left(userName, InStr(userName, "'") - 1)
This is NOT real code... this is an example of the process you should perform on every variable filled by a user-submitted field!
Making it a subroutine in a script included on every page which does any real processing would be good, but clean up and fix my (off the top of my head) code first please. :wink:

That doesn't remove the exploit, but I believe it pretty much neuters it. Any attempted SQL command of any use should simply crash, and the worst that would do is bring down your IIS / SQL server.

At least, that's my *basic* understanding.
 
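The concatenated query from the opening post, the stored-procedure / alphanumeric-filter advice further up, and the truncation sketch in this post, side by side as an added example that is not part of the thread or of Sandurr's files. The original scripts are classic ASP (VBScript) talking to SQL Server; Python with an in-memory SQLite database stands in here so it runs anywhere. Only the table name UL and the column ChName come from the thread; the other columns, the member rows and the payloads are constructed for the demonstration.

```python
import sqlite3

# Constructed sample rows standing in for the clan member table (UL) that the
# original scripts query. Only ChName comes from the thread; the other columns
# are assumptions made for this example.
SAMPLE_MEMBERS = [
    ("Sheen", "Knights", 1),
    ("Gregoo", "Knights", 0),
    ("bobsobol", "Mages", 0),
]


def build_db():
    """Return an in-memory SQLite database seeded with SAMPLE_MEMBERS."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE UL (ChName TEXT, Clan TEXT, IsLeader INTEGER)")
    conn.executemany("INSERT INTO UL VALUES (?, ?, ?)", SAMPLE_MEMBERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, chname):
    """Sandurr's pattern: the value is spliced into the SQL text.

    A single quote inside chname closes the string literal early and
    everything after it is parsed as SQL.
    """
    query = "SELECT ChName, Clan FROM UL WHERE ChName = '" + chname + "'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, chname):
    """The fix: fixed SQL text, value passed as a bound parameter.

    The database never parses chname as SQL, so quotes in it are just data.
    In classic ASP the equivalent is an ADODB.Command with Parameters, or a
    stored procedure invoked with parameters.
    """
    query = "SELECT ChName, Clan FROM UL WHERE ChName = ?"
    return conn.execute(query, (chname,)).fetchall()


def sanitize_alnum(value, max_len=15):
    """The weaker mitigation from the thread: keep only ASCII letters and
    digits and cap the length, so the quote an injection needs is gone.

    It also rewrites legitimate input (O'Brien becomes OBrien) and protects
    only the values it is actually applied to.
    """
    kept = "".join(ch for ch in value if ch.isascii() and ch.isalnum())
    return kept[:max_len]


def vulnerable_query_breaks(conn, chname):
    """True if the concatenated query fails to parse for this input, which is
    what happens to a legitimate name that contains a quote."""
    try:
        lookup_vulnerable(conn, chname)
        return False
    except sqlite3.OperationalError:
        return True


def demo():
    """Run the same tautology payload through all three code paths."""
    conn = build_db()
    payload = "nobody' OR '1'='1"  # becomes: WHERE ChName = 'nobody' OR '1'='1'
    return {
        "vulnerable": lookup_vulnerable(conn, payload),
        "parameterized": lookup_parameterized(conn, payload),
        "filtered": lookup_vulnerable(conn, sanitize_alnum(payload)),
        "quote_in_real_name_breaks_vulnerable": vulnerable_query_breaks(conn, "O'Brien"),
        "quote_in_real_name_parameterized": lookup_parameterized(conn, "O'Brien"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The tautology payload returns every row from the concatenated query, nothing from the bound parameter, and nothing once the filter has stripped it down to nobodyOR11. The legitimate name O'Brien turns the concatenated query into a syntax error (the "should simply crash" behaviour described in this post) while the parameterized query handles it as plain data. Bound parameters or a parameterized stored procedure are the fix; the character filter and length cap only help on the values they are actually applied to, and the thread's other point (the scripts never verify that the account behind the request is real) is not touched by either.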
Custom Title Activated member, joined May 26, 2007:
It was. And I've watched threads about it being deleted because those who contributed most have cleared out their posts. (not just Gregoo, and he didn't do it to those posts specifically, that was a more general protest)

I have no idea why people who report about this point pull the information later. Maybe they get bored of being accused of being haxors who rape and bring down servers.

For the record, exposing exploits with the intention of helping others prevent attacks is not a malicious act! It's one of charity and community which we should all be practising. :eek:tt1:

BTW... that + Rep I just gave Sheen is a big one, because I just hadn't realised this issue had dropped off the radar like that. I recommend everyone else this expo has helped give him one too. Even if it only alerts you to the fact that your security is as weak as a used teabag and you have to find the rest out yourself. :wink:

--- EDIT ---
Oops! When I say "give him one too" I mean a rep +... and a like... you can "give him one" something else if you're female I suppose. He may appreciate that. :lol:
 
Initiate Mage, joined Nov 14, 2010:
I have protected clan files.
PM me if you would like more information.
 
Custom Title Activated member, joined Jul 21, 2006:
Thanks for the information. Too bad you made this public before contacting some servers to prevent further issues.
It's been known for literally years that these files were subject to SQL injection. This is just the first time it has been addressed in a large way though. Easy fix regardless.
 
Moderator (Staff member), joined Feb 22, 2008:
hum... credits for what? You didn't discover it; it was already there and pointed out by several members in the past. :wink: And AFAIK you didn't create the clan script as well :p: And I am sure you didn't tell me that flaw, since I already knew it for years... :/:

Just decided to share it with everyone after some troubles with some BR PServers :eek:tt1: (shame on me.... :lol:)


Turns out that they just edited their posts and removed the information. You would know if you had read bobsobol's post; it is very interesting, though.

I believe that's the main reason Gregoo released his clan files - flawless, I guess - and then removed them for some unknown reason (at least to me).

I hope some older member can enlighten you about this subject. =p
 
Custom Title Activated member, joined May 26, 2007:
I would be surprised if the popularity of SQL-injectable Clan / SoD sites in PT pServers wasn't a primary inspiration for Gregoo developing his site, but since it was never finished, we'll never know how "flawless" it would have been.
 
Imri Persiado, joined May 17, 2008:
ahhh that's why my SQL DBs were deleted once a week :grr:
I don't code ASP so I trusted the developer of those scripts and I guess it was a very bad choice lol.
 
Custom Title Activated member, joined May 26, 2007:
And don't assume that, just because they fscked up the security, that was done with malicious intent. Remember that most of us create and share these things for free, in our spare time.

There is a limit to the "quality control" with such an arrangement. ;)
 
Initiate Mage, joined Nov 14, 2010:
tnrh1 aka imri,

I deleted your databases. You left your SQL open for remote connections and I knew your IP, ID and password, so I could connect and delete them freely.

I am no longer in the PT community so I don't mind letting you know that. I did that for good reasons.
 