Re: [Release] Pokemon-Area based browser game
Re: [Release] Pokemon-Area based browser game
there are more than 130 vulnerabilities in the source i fixed 10 but still its damn hard to find and fix them
most of them are in Register , activate , index
in admin_edit
and admin folder
and in crons
better to shift to a CMS
i am giving out many bug fixes for others
PM me For them
Like Money Glitch etc
Re: [Release] Pokemon-Area based browser game
Quote:
Originally Posted by
Raftaar
there are more than 130 vulnerabilities in the source i fixed 10 but still its damn hard to find and fix them
most of them are in Register , activate , index
in admin_edit
and admin folder
and in crons
better to shift to a CMS
i am giving out many bug fixes for others
PM me For them
Like Money Glitch etc
This is not an SQL exploit.
And I'm converting it to PDO so SQL exploits are nearly impossible.
Re: [Release] Pokemon-Area based browser game
Quote:
Originally Posted by
tdid
This is not an SQL exploit.
And I'm converting it to PDO so SQL exploits are nearly impossible.
Ok thanx But still i was .... if u know what i mean
Re: [Release] Pokemon-Area based browser game
Remove forums guys it has got 1 sql exploit and Xss Exploit
Even clans
Index php has not prevention against CSRF
i found total 77 Vulnerabilities in my RPG
In normal source code there are 130
felixcruzer your clans got Bugs we can directly hack (access the Mysql Database with it)
felixcruzer your clans got Bugs we can directly hack (access the Mysql Database with it)
the tests i performed on my site
and the results
| Security Tests Performed |
|---|
| Type |
Tests |
Failed |
Passed |
|---|
| Infrastructure Tests |
25 |
7 |
18 |
| Blind SQL Injection |
406 |
1 |
405 |
| SQL Injection |
493 |
1 |
492 |
| Cross Site Scripting |
841 |
10 |
831 |
| Source Disclosure |
493 |
3 |
490 |
| PHP Code Injection |
232 |
0 |
232 |
| Windows Command Execution |
348 |
0 |
348 |
| UNIX Command Execution |
377 |
0 |
377 |
| UNIX File Disclosure |
232 |
0 |
232 |
| Windows File Disclosure |
783 |
0 |
783 |
| Directory Disclosure |
493 |
0 |
493 |
| Remote File Inclusion |
29 |
0 |
29 |
| HTTP Header Injection |
261 |
0 |
261 |
THe site is full of CSRF
Most of them are in Register
For example url
Url/?page=../../../../%00.txt [voornaam= name&achternaam=name &land=Canada &day=0 &month=0 &year=0 &inlognaam=name &wachtwoord=name &wachtwoord_nogmaals=name &email=name &character=Red &wereld=Kanto &referer=name ®istreer=Create!]
Source Disclosure
URL: /?page=clan-profile&clan=
Affected Parameter: page
Vector Used: ../../../..THIS%00.txt
Pattern found: </b> on line <b>\d+</b><br />
Complete Attack: /?page=../../../../%00.txt&clan=
|
| Recommended Solution: |
* SQL Injection:
Use stored procedures to prevent attackers from altering the queries, and filter user input to discard invalid characters such as '
* Cross Site Scripting:
Filter user input to discard characters such as < and >. Make sure your server does not display error messages that contain input received from the user.
* Source Disclosure:
Make sure all debugging information is turned off from production servers. Scripts should be configured to be executables only, with no ability for a user to view them.
* Non-SSL login:
All login pages should be SSL protected (e.g. have an https:// link). When using non-SSL protected pages eavesdroppers might be able to capture usernames and passwords
* Sensitive information sent over non-encrypted page:
Make sure all sensitive information is sent over SSL-protected pages. |
| Impact: |
| Attackers can take control over your database, and in some cases over the operating system (using master..xp_cmdshell, CREATE LIBRARY, etc). |
you can protect the forms from csrf attacks by this ( my method)
<?phpif($_SERVER['REQUEST_METHOD'] == 'POST'){ //Here we parse the form if(!isset($_SESSION['csrf']) || $_SESSION['csrf'] !== $_POST['csrf']) throw new RuntimeException('CSRF attack'); //Do the rest of the processing here} //Generate a key, print a form:$key = sha1(microtime());$_SESSION['csrf'] = $key;?> <form action="this.php" method="post"><input type="hidden" name="csrf" value="<?php echo $key; ?>" /><!-- Some other form fields you want here, and of course a submit button --></form>
Re: [Release] Pokemon-Area based browser game
Just use flash sessions with csrf.
Re: [Release] Pokemon-Area based browser game
Re: [Release] Pokemon-Area based browser game
Thats why I got rid of MySQL and converted it to PDO so no more SQL Injections. Using template system so no more RFI injections.
Re: [Release] Pokemon-Area based browser game
And thats why a Framework provides more security instead of raw php (if your newbie ofc)
Re: [Release] Pokemon-Area based browser game
i am not newbie but i am planning to buy security
Re: [Release] Pokemon-Area based browser game
Just re-do all stuff using prepared statements are your fine.
Re: [Release] Pokemon-Area based browser game
You dont need to buy security. Just find holes and fix them.
Re: [Release] Pokemon-Area based browser game
If someone wants to help with my game or has updates - i found a great map movement system with nodejs - it has already a little battle system in it and a chat system.
The Map Movement part looks great - it's fullscreen only the sprite animation isn't finish.
Can someone make a recode or share fixes or updates with us? pokemon-area script is maybe the best script here - it has all to make a pokemon mmo it's just not perfect like all the other scripts here..but it has pvp and trade!:)
I can't really code - i learn it by school in 2 weeks..thats the reason why i need help.
Regards
Edit: Screen of Map Movement
Re: [Release] Pokemon-Area based browser game
Hello, that error: about timezone on top of site.
How to fix?
PLZZZZZZ
Re: [Release] Pokemon-Area based browser game
Quote:
Originally Posted by
Arthur Cardoso
Hello, that error: about timezone on top of site.
How to fix?
PLZZZZZZ
Maybe show a screen shot of the error as I cant recall any error about the timezone...
Cheers!
