[SECURITY] Clan System Flaws

  1. #31
    tnrh1 (Imri Persiado), True Member, joined May 2008, 948 posts

    Re: [SECURITY] Clan System Flaws


    I won't delete my RaGEZONE account since I haven't ever done anything bad to a server! I even used to PM some admins with suggestions on how to improve their servers in order to keep this beautiful community alive, so I'm 100% sure that rovarav can't provide any good reason, and if he did, it would be a lie.

    This community taught me so much and I'm thankful for that, and that's why I try to help new developers on the forum when I can.
    I won't ever leave this community! =] And if I did, I'd probably miss you too, bobsobol :)
    Last edited by tnrh1; 08-02-13 at 10:08 PM.

  2. #32
    bobsobol (Custom title enabled), UK, joined May 2007, 5,751 posts

    Re: [SECURITY] Clan System Flaws

    Ahh! I see now. It's one of those "I'll eat my hat" things. Sorry, I misunderstood.

    No, this is the trouble, isn't it. I mean, you already have experience of being the "fall guy", Imri, when another member (present on this thread) was attacked through you.

    This is what I mean about the source of the attack not necessarily being the real culprit. (by which I mean, the one who was knowingly, and probably maliciously going out to do harm)

    I'd advise everyone to avoid such hasty retaliation because the PT scene in particular has had waves of this stuff go around, to the extent that it comes back to the one who first thought of "revenge". It's just a vicious cycle.

  3. #33
    gzuz (Programmer), True Member, joined Aug 2006, 430 posts

    Re: [SECURITY] Clan System Flaws

    Dim chkchar As Char
    For i = 0 To Len(charname) - 1
        chkchar = charname.Chars(i)    ' i-th character of the name (str() as first written is not a VB function)
        ' Reject anything outside A-Z and a-z
        If chkchar < "A"c OrElse (chkchar > "Z"c AndAlso chkchar < "a"c) OrElse chkchar > "z"c Then
            conn().Close()
            Console.WriteLine("You have used an illegal character")
            Exit For    ' the connection is already closed; no point checking further
        End If
    Next i

    EDIT 2:

    If you were just trying to block the use of * to stop querying, which would make more sense, then you could simply:

    Dim chkchar As Char
    Dim unauthc As Char = "*"c
    For i = 0 To Len(charname) - 1
        chkchar = charname.Chars(i)    ' i-th character of the name
        If chkchar = unauthc Then
            conn().Close()
            Console.WriteLine("You have used an illegal character")
            Exit For
        End If
    Next i

  4. #34
    bobsobol (Custom title enabled), UK, joined May 2007, 5,751 posts

    Re: [SECURITY] Clan System Flaws

    Code:
    Dim chkchar As Char
    For i = 0 To Len(charname) - 1
        chkchar = charname.Chars(i)    ' i-th character of the name
        ' Allow only A-Z, a-z and 0-9; reject everything else
        If Not ((chkchar >= "a"c AndAlso chkchar <= "z"c) OrElse (chkchar >= "A"c AndAlso chkchar <= "Z"c) OrElse (chkchar >= "0"c AndAlso chkchar <= "9"c)) Then
            conn().Close()
            Console.WriteLine("You have used an illegal character")
            Exit For
        End If
    Next i
    That allows any letter in any case or any number, but nothing else. That kind of logic really upsets me when applied to character names. No spaces, no hyphens, no underscore, no apostrophe etc. So O'Mally is not a valid character name. :(

  5. #35
    SheenBR ("Fuck."), Moderator, Jaú, Brazil, joined Feb 2008, 2,391 posts

    Re: [SECURITY] Clan System Flaws

    // name is the string being checked; badWords holds the SQL keywords that could follow a quote
    if (name[i] == '\'' && badWords.Any(w => name.Substring(i + 1).TrimStart().StartsWith(w, StringComparison.OrdinalIgnoreCase)))
        bad = true;

    badWords would be anything that could be used after the ' to create an SQL command

    should work

  6. #36
    gzuz (Programmer), True Member, joined Aug 2006, 430 posts

    Re: [SECURITY] Clan System Flaws

    Security > pronunciation of character names, I'm afraid, Bob. Those characters could simply be removed from the allowed character list in game.exe so as to create a safer environment. I'm obviously not saying that this is the best method, but it is most likely more secure than what there was previously.

    The alternative is to create an array of disallowed statements, i.e.:

    ' Needs Imports System.Web for HttpUtility in an ASP.NET page
    Dim unauthw() As String = {"SELECT *", "INSERT *", "DELETE *"}

    For i = 0 To unauthw.Length - 1
        If charname.Contains(unauthw(i)) Then
            conn().Close()
            Console.WriteLine("Illegal Operation Detected")
            ' Hand the offending value to the analysis form, URL-encoded so it survives the query string
            Response.Redirect("addphrase.aspx?phrase=" & HttpUtility.UrlEncode(charname))
        End If
    Next i


    Response.Redirect would make use of shared variables, moving the value to a form which would submit it to a database somewhere for analysis, from which it can then be added to the list of disallowed phrases.

    EDIT------

    Values of unauthw could be stored in a phrases database; this would serve to create a dynamic table that would not require the admin to update it, as any phrases not allowed would simply be added straight into the database. With regard to the loop, you could apply:
    For i = 0 To rs.RecordCount - 1

    Such a method would also be great as databases could be shared publicly here for users to protect their servers from injection. Obviously a hacker could analyse the database to find meaning, but a user could create a simple form of encryption by creating a unique string before data entry and data extraction in their aspx script.

  7. #37
    bobsobol (Custom title enabled), UK, joined May 2007, 5,751 posts

    Re: [SECURITY] Clan System Flaws

    Quote Originally Posted by gzuz View Post
    I'm obviously not saying that this is the best method, but it is most likely more secure than what there was previously.
    Escaping characters is the "better method". But you need to define all the places you need characters escaped, and all the places you need them plain, then translate between the two.

    So, it should appear plain in game, but be escaped anywhere in the DB / Web. Like in URLs, where " " becomes %20.
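The three approaches the thread argues over, side by side, as an added example that is not code from any of the posts above: gzuz's phrase blacklist (post #36), bobsobol's letters-and-digits allowlist (post #34), and bobsobol's "escape in the DB, plain in game" rule from post #37, shown both as quote-doubling before concatenation and as a parameterised query. It is written in Python against an in-memory SQLite table rather than the VB.NET/ASP.NET of the thread; the table, the names and the injection payload are constructed for the demonstration.

```python
"""Added example: the checks discussed in the thread, run against a
throwaway SQLite table. Not code from any post; all names and rows
below are constructed for the demonstration."""
import sqlite3

# Constructed sample inputs: a plain name, the O'Mally case from post #34,
# and a classic tautology payload (not taken from the thread).
PLAIN_NAME = "Arthur"
APOSTROPHE_NAME = "O'Mally"
INJECTION_NAME = "x' OR '1'='1"

# Phrase blacklist in the spirit of gzuz's unauthw array (post #36).
BLACKLIST = ("SELECT *", "INSERT *", "DELETE *")


def blacklist_rejects(name):
    """True if one of the forbidden phrases appears verbatim in the name."""
    return any(phrase in name for phrase in BLACKLIST)


def allowlist_rejects(name):
    """bobsobol's rule (post #34): only A-Z, a-z, 0-9 are allowed."""
    return not all(c.isascii() and c.isalnum() for c in name)


def escape_quote(name):
    """SQL-string escaping: a quote inside a literal is written as two quotes."""
    return name.replace("'", "''")


def fresh_db():
    """Constructed character table with two rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE characters (name TEXT, clan TEXT)")
    conn.executemany("INSERT INTO characters VALUES (?, ?)",
                     [(PLAIN_NAME, "Knights"), ("Beatrix", "Rogues")])
    return conn


def lookup_concat(conn, name):
    """The pattern the thread worries about: the name is glued into the SQL."""
    sql = "SELECT name FROM characters WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_escaped(conn, name):
    """Same concatenation, but the name is escaped first (post #37's method)."""
    return lookup_concat(conn, escape_quote(name))


def lookup_param(conn, name):
    """Parameterised: the driver passes the name as data, never as SQL text."""
    return [row[0] for row in conn.execute(
        "SELECT name FROM characters WHERE name = ?", (name,))]


def demo():
    """Return a dict of named outcomes; each value is True when the check
    behaves as the comment beside it says."""
    conn = fresh_db()
    out = {}
    # The phrase blacklist never sees "SELECT *" in the payload, so it lets it through.
    out["blacklist_misses_payload"] = not blacklist_rejects(INJECTION_NAME)
    # The allowlist stops the payload but throws O'Mally away with it.
    out["allowlist_rejects_payload"] = allowlist_rejects(INJECTION_NAME)
    out["allowlist_rejects_omally"] = allowlist_rejects(APOSTROPHE_NAME)
    # Concatenation: WHERE name = 'x' OR '1'='1' is true for every row.
    out["concat_leaks_everyone"] = sorted(lookup_concat(conn, INJECTION_NAME)) == [PLAIN_NAME, "Beatrix"]
    # ...and the apostrophe in O'Mally breaks the statement outright.
    try:
        lookup_concat(conn, APOSTROPHE_NAME)
        out["concat_omally_errors"] = False
    except sqlite3.OperationalError:
        out["concat_omally_errors"] = True
    # Escaping before concatenation handles both, provided every DB path escapes.
    conn.execute("INSERT INTO characters VALUES (?, ?)", (APOSTROPHE_NAME, "Rogues"))
    out["escaped_finds_omally"] = lookup_escaped(conn, APOSTROPHE_NAME) == [APOSTROPHE_NAME]
    out["escaped_payload_empty"] = lookup_escaped(conn, INJECTION_NAME) == []
    # Parameters do the same without anyone tracking which copy is escaped.
    out["param_finds_omally"] = lookup_param(conn, APOSTROPHE_NAME) == [APOSTROPHE_NAME]
    out["param_payload_empty"] = lookup_param(conn, INJECTION_NAME) == []
    conn.close()
    return out


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check:28s} {'ok' if ok else 'FAILED'}")
```

Running it shows the point of the last two posts: the phrase list never fires on a payload that contains none of its phrases, the character allowlist is safe only by refusing legitimate names, and escaping or parameterising lets O'Mally into the table while the payload matches nothing. Of the two safe options, parameters remove the bookkeeping bobsobol describes of knowing which copy of a string is escaped and which is plain.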



