[Release] Pokemon-Area based browser game

Results 541 to 555 of 1163
  1. #541
    The General (Developer, joined Aug 2011, 7,610 posts)

    Re: [Release] Pokemon-Area based browser game


  2. #542
    Raftaar (Member, joined Apr 2013, 274 posts)

    There are more than 130 vulnerabilities in the source. I fixed 10, but still it's damn hard to find and fix them.

    Most of them are in Register, activate, index,

    in admin_edit,

    and the admin folder,

    and in crons.

    Better to shift to a CMS.

    I am giving out many bug fixes for others.

    PM me for them,

    like Money Glitch etc.

  3. #543
    The General (Developer, joined Aug 2011, 7,610 posts)

    Quote Originally Posted by Raftaar:
        There are more than 130 vulnerabilities in the source. I fixed 10, but still it's damn hard to find and fix them.

        Most of them are in Register, activate, index,

        in admin_edit,

        and the admin folder,

        and in crons.

        Better to shift to a CMS.

        I am giving out many bug fixes for others.

        PM me for them,

        like Money Glitch etc.
    This is not an SQL exploit.
    And I'm converting it to PDO so SQL exploits are nearly impossible.

  4. #544
    Raftaar (Member, joined Apr 2013, 274 posts)

    Quote Originally Posted by tdid:
        This is not an SQL exploit.
        And I'm converting it to PDO so SQL exploits are nearly impossible.
    Ok thanks, but still I was .... if you know what I mean.

  5. #545
    Raftaar (Member, joined Apr 2013, 274 posts)

    Remove forums, guys, it has got 1 SQL exploit and an XSS exploit.

    Even clans.

    Index.php has no prevention against CSRF.

    I found a total of 77 vulnerabilities in my RPG.

    In the normal source code there are 130.

    felixcruzer, your clans got bugs we can directly hack (access the MySQL database with it).

    The tests I performed on my site,
    and the results:

    Security Tests Performed
    Type                         Tests   Failed   Passed
    Infrastructure Tests            25        7       18
    Blind SQL Injection            406        1      405
    SQL Injection                  493        1      492
    Cross Site Scripting           841       10      831
    Source Disclosure              493        3      490
    PHP Code Injection             232        0      232
    Windows Command Execution      348        0      348
    UNIX Command Execution         377        0      377
    UNIX File Disclosure           232        0      232
    Windows File Disclosure        783        0      783
    Directory Disclosure           493        0      493
    Remote File Inclusion           29        0       29
    HTTP Header Injection          261        0      261

    The site is full of CSRF.

    Most of them are in Register.

    For example URL:

    Url/?page=../../../../%00.txt [voornaam= name&achternaam=name &land=Canada &day=0 &month=0 &year=0 &inlognaam=name &wachtwoord=name &wachtwoord_nogmaals=name &email=name &character=Red &wereld=Kanto &referer=name &registreer=Create!]

    Source Disclosure
    URL: /?page=clan-profile&clan=
    Affected Parameter: page
    Vector Used: ../../../..THIS%00.txt
    Pattern found: </b> on line <b>\d+</b><br />
    Complete Attack: /?page=../../../../%00.txt&clan=
    Recommended Solution:
    * SQL Injection:
    Use stored procedures to prevent attackers from altering the queries, and filter user input to discard invalid characters such as '

    * Cross Site Scripting:
    Filter user input to discard characters such as < and >. Make sure your server does not display error messages that contain input received from the user.

    * Source Disclosure:
    Make sure all debugging information is turned off from production servers. Scripts should be configured to be executables only, with no ability for a user to view them.

    * Non-SSL login:
    All login pages should be SSL protected (e.g. have an https:// link). When using non-SSL protected pages eavesdroppers might be able to capture usernames and passwords

    * Sensitive information sent over non-encrypted page:
    Make sure all sensitive information is sent over SSL-protected pages.
    Impact:
    Attackers can take control over your database, and in some cases over the operating system (using master..xp_cmdshell, CREATE LIBRARY, etc).

    You can protect the forms from CSRF attacks with this (my method):


    <?php
    session_start(); // the token is kept in the session, so the session has to be started first

    if ($_SERVER['REQUEST_METHOD'] == 'POST') {
        // Here we parse the form: refuse it unless the posted token matches the one in the session
        if (!isset($_SESSION['csrf']) || !isset($_POST['csrf']) || !is_string($_POST['csrf'])
            || !hash_equals($_SESSION['csrf'], $_POST['csrf'])) {
            throw new RuntimeException('CSRF attack');
        }
        // Do the rest of the processing here
    }

    // Generate a key, print a form:
    $key = bin2hex(random_bytes(32)); // random token; sha1(microtime()) can be guessed from the clock
    $_SESSION['csrf'] = $key;
    ?>
    <form action="this.php" method="post">
        <input type="hidden" name="csrf" value="<?php echo htmlspecialchars($key); ?>" />
        <!-- Some other form fields you want here, and of course a submit button -->
    </form>
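    The scan report above shows the front controller's page parameter accepting a traversal value. The following is an added example, not code from Pokemon-Area or from the post: a router that only includes pages from a fixed allow-list and never builds a path from the raw parameter. The page names, the pages/ directory and the resolve_page function are assumptions.

```php
<?php
// Added example, not code from the Pokemon-Area source: a front-controller
// routine that maps the ?page= parameter onto a fixed allow-list instead of
// building an include path from user input. The page names and the pages/
// directory are assumptions.
declare(strict_types=1);

// The pattern the scan above reports on looks like this (shown, not run):
//   include 'pages/' . $_GET['page'] . '.php';
// A value such as ../../../../%00.txt leaves the pages directory, and on
// PHP versions that did not reject null bytes the %00 also cut off the .php
// suffix, so any readable file could be pulled into the response.

const ALLOWED_PAGES = ['index', 'register', 'activate', 'clan-profile', 'forum'];

/**
 * Return the file to include for a requested page name, or null to refuse.
 * The input is only ever compared against the allow-list; the path is built
 * from the matching allow-list entry, never from the raw parameter.
 */
function resolve_page(string $page, string $baseDir = __DIR__ . '/pages'): ?string
{
    // Plain lowercase names only: this rejects "..", "/", "\0" and "%" early.
    if (!preg_match('/\A[a-z][a-z0-9-]{0,31}\z/', $page)) {
        return null;
    }
    $index = array_search($page, ALLOWED_PAGES, true);
    if ($index === false) {
        return null;
    }
    return $baseDir . '/' . ALLOWED_PAGES[$index] . '.php';
}

// In index.php:
//   $requested = $_GET['page'] ?? 'index';
//   $target = is_string($requested) ? resolve_page($requested) : null;
//   if ($target === null) { http_response_code(404); exit('Unknown page'); }
//   require $target;

// Self-check from the command line: constructed inputs, including the
// traversal value from the scan report and a literal null byte.
if (PHP_SAPI === 'cli') {
    $samples = ['index', 'clan-profile', '../../../../%00.txt', "index\0.txt", 'admin'];
    foreach ($samples as $sample) {
        printf("%-28s -> %s\n", addcslashes($sample, "\0"), resolve_page($sample) ?? 'refused');
    }
}
```

    The is_string check in the index.php sketch matters because a request such as ?page[]=x makes $_GET['page'] an array, which with strict types would otherwise turn into a TypeError instead of a clean 404.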

  6. #546
    Raggaer (Member, joined Jun 2013, 96 posts)

    Just use flash sessions with CSRF.

  7. #547
    Raftaar (Member, joined Apr 2013, 274 posts)

    Flash sessions?

  8. #548
    The General (Developer, joined Aug 2011, 7,610 posts)

    That's why I got rid of MySQL and converted it to PDO, so no more SQL injections. Using a template system, so no more RFI injections.

  9. #549
    Raggaer (Member, joined Jun 2013, 96 posts)

    And that's why a framework provides more security than raw PHP (if you're a newbie, ofc).

  10. #550
    Raftaar (Member, joined Apr 2013, 274 posts)

    I am not a newbie, but I am planning to buy security.

  11. #551
    Raggaer (Member, joined Jun 2013, 96 posts)

    Just re-do all stuff using prepared statements and you're fine.
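    Posts #548 and #551 above both point to prepared statements. What follows is an added example, neither the game's code nor either poster's: the same user lookup written with string concatenation and with a PDO prepared statement, run against an in-memory SQLite table whose two rows are constructed here (the column names follow the register form quoted earlier in the thread). Moving to the PDO driver on its own does not close SQL injection; the bound parameter does, so concatenating into $db->query() is just as exposed as it was before.

```php
<?php
// Added example, not code from the Pokemon-Area source: one user lookup written
// with string concatenation and with a PDO prepared statement. The table and
// its two rows are constructed here so the script runs offline (needs pdo_sqlite).
declare(strict_types=1);

function make_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, inlognaam TEXT NOT NULL, wereld TEXT NOT NULL)');
    $db->exec("INSERT INTO users (inlognaam, wereld) VALUES ('red', 'Kanto'), ('blue', 'Johto')");
    return $db;
}

// Unsafe: the login name is pasted into the SQL text, so a quote inside it
// changes the statement. Kept only to contrast with the version below.
function find_user_concat(PDO $db, string $name): array
{
    $sql = "SELECT id, inlognaam FROM users WHERE inlognaam = '" . $name . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Safe: the name is sent as a bound parameter and is only ever compared as data.
function find_user_prepared(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT id, inlognaam FROM users WHERE inlognaam = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

if (PHP_SAPI === 'cli') {
    $db = make_db();
    $inputs = [
        'red'           => 'ordinary login name',
        "x' OR '1'='1"  => 'constructed input containing a quote',
    ];
    foreach ($inputs as $name => $label) {
        printf("%-38s concat: %d row(s)   prepared: %d row(s)\n",
            $label,
            count(find_user_concat($db, $name)),     // the quote rewrites the WHERE clause
            count(find_user_prepared($db, $name)));  // the whole string is matched as a name
    }
}
```

    With MySQL the two functions are unchanged; additionally set PDO::ATTR_EMULATE_PREPARES to false on the connection so the server, not the client library, binds the parameters. Running the script shows the concatenated version matching rows it was never asked for on the input with the quote, while the prepared version treats that input as an ordinary, non-existent login name.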

  12. #552
    The General (Developer, joined Aug 2011, 7,610 posts)

    You don't need to buy security. Just find holes and fix them.

  13. #553
    felixcruzer (Member, joined May 2012, Germany, 289 posts)

    If someone wants to help with my game or has updates: I found a great map movement system with Node.js. It already has a little battle system in it and a chat system.
    The map movement part looks great; it's fullscreen, only the sprite animation isn't finished.

    Can someone make a recode or share fixes or updates with us? The pokemon-area script is maybe the best script here; it has all you need to make a Pokemon MMO, it's just not perfect, like all the other scripts here.. but it has PvP and trade! :)

    I can't really code; I learn it at school in 2 weeks.. that's the reason why I need help.

    Regards

    Edit: Screen of Map Movement

    Last edited by felixcruzer; 01-09-13 at 12:09 PM.

  14. #554

    Hello, that error about the timezone at the top of the site.

    How to fix?
    PLZZZZZZ

  15. #555
    The General (Developer, joined Aug 2011, 7,610 posts)

    Quote Originally Posted by Arthur Cardoso:
        Hello, that error about the timezone at the top of the site.

        How to fix?
        PLZZZZZZ
    Maybe show a screenshot of the error, as I can't recall any error about the timezone...

    Cheers!


