vb.org Archive > vBulletin Modifications > Archive > vB.org Archives > vBulletin 2.x > vBulletin 2.x Full Releases
vB Tetris v2.5 | Leaderboard, Comments and High Score System v2.5
Version: 1.00, by John
Developer Last Online: Nov 2023

Version: 2.2.x
Released: 08-13-2002 Last Update: Never Installs: 93
 
No support by the author.

hack removed, someone please delete this thread.

Apparently the 6 days solid I spent supporting this wasn't good enough (not to mention the 65 page total).

Thanks

  • This modification may not be copied, reproduced or published elsewhere without author's permission.

Comments
  #332  
08-16-2002, 03:07 PM
NexDog
Join Date: Mar 2002
Location: Lost in the Nexus
Posts: 388
Thanks given: 0 times
Thanked 0 times in 0 posts

He posted a new file in the post just before yours. :rollseyes:
  #333  
08-16-2002, 03:07 PM
John
Join Date: Mar 2002
Location: Norwich, UK
Posts: 1,543
Thanks given: 0 times
Thanked 0 times in 0 posts

Basically, in older versions of tetris.php people could add a "get" string in the header of the page.

i.e. tetris.php?action=reg&points=10000000&userid=1

In the new file, a piece of code refuses to accept any point values in the header.
  #334  
08-16-2002, 03:08 PM
John
Join Date: Mar 2002
Location: Norwich, UK
Posts: 1,543
Thanks given: 0 times
Thanked 0 times in 0 posts

Quote:
Originally posted by NexDog
He posted a new file in the post just before yours. :rollseyes:
And the zip has also been updated - did any get the update email? The hack updater is playing up...
  #335  
08-16-2002, 03:11 PM
Stuwee
Join Date: Aug 2002
Posts: 5
Thanks given: 0 times
Thanked 0 times in 0 posts

Riiiight... very nice game and all credit to you for that, but there are two glaring big holes in your script here which I feel somewhat obliged to point out.

First and foremost, even with your updated script, it's still 100% possible to cheat (by posting the values using a form instead of using the querystring). For example - this simple html form run on your own machine:

Code:
<form name="tetrischeat" method="post" action="http://yoursite/tetris.php?action=reg">
  enter your score! 
  <input type="text" name="punteggio"><br>
  and your userid (get from bbuserid field in cookie)<input type="text" name="userid"><br>
  <input type="submit" value="What's tetris again?">
</form>
It just requires digging out your userid from the vB cookie. For a working example, register on our boards, and then give it a shot here.

Secondly, the comment system here is very open to abuse. For example, as your comment, try:

Code:
<script>alert("i rock j00!")</script>
And you'll see what I mean. Luckily, the mysql comment column is restricted to 70 characters, which limits the damage we can do with this (no XSS cookie harvesting kiddies, sorry)... but it can still be rather annoying.

Overall, a little more thought is needed here in order to secure the script properly. Let me know if you need any help with this, I'll be happy to help.
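The two holes described above (the POSTed cheat form that gets past the query-string check from post #333, and the script tag in a comment), shown beside hardened equivalents in an added example. This is not the hack's tetris.php and not code from anyone in this thread. It assumes the original handler ran with PHP 4's register_globals behaviour, so $punteggio and $userid were populated from GET, POST or cookies alike (which is exactly why refusing values "in the header" does not stop a POSTed form); that vBulletin exposes the logged-in user's record as $bbuserinfo['userid']; and uses made-up array shapes in place of the database. The hardened handler takes the user identity from the authenticated session rather than the request, validates the score as a bounded integer, and escapes comments on output. Run it with `php file.php`.

```php
<?php
// Added example, not the hack's original tetris.php.
// Assumption: the original ran under register_globals, so $punteggio and
// $userid came from GET, POST or cookies alike. That is modelled here by
// merging the two arrays, which is what the cheat form in the thread exploits.

// Vulnerable shape (reconstructed from the thread's description): refuses a
// score in the query string but still trusts a POSTed one, and trusts a
// caller-supplied userid.
function vulnerable_reg(array $get, array $post)
{
    if (isset($get['points']) || isset($get['punteggio'])) {
        return array('ok' => false, 'reason' => 'points in query string refused');
    }
    $vars = array_merge($get, $post);          // register_globals stand-in
    return array(
        'ok'     => true,
        'userid' => $vars['userid'],           // attacker-chosen
        'score'  => $vars['punteggio'],        // attacker-chosen
    );
}

// Hardened shape: identity from the authenticated vB session ($bbuserinfo is
// assumed to be vBulletin's logged-in user record), score validated as a
// bounded integer, and any caller-supplied userid ignored outright.
function hardened_reg(array $post, array $bbuserinfo)
{
    $userid = isset($bbuserinfo['userid']) ? (int) $bbuserinfo['userid'] : 0;
    if ($userid <= 0) {
        return array('ok' => false, 'reason' => 'not logged in');
    }
    if (!isset($post['punteggio']) || !preg_match('/^[0-9]{1,7}$/', (string) $post['punteggio'])) {
        return array('ok' => false, 'reason' => 'score must be an integer of at most 7 digits');
    }
    return array('ok' => true, 'userid' => $userid, 'score' => (int) $post['punteggio']);
}

// Comments: store the raw text truncated to the 70-character column, and
// escape on output so a <script> tag is rendered as text, not executed.
function store_comment($raw)
{
    return substr((string) $raw, 0, 70);
}

function render_comment($stored)
{
    return htmlspecialchars($stored, ENT_QUOTES, 'UTF-8');
}

// Constructed requests mirroring the thread's cheat form and comment payload.
$cheatPost = array('punteggio' => '10000000', 'userid' => '1');

$forged = vulnerable_reg(array('action' => 'reg'), $cheatPost);
echo "vulnerable: userid={$forged['userid']} score={$forged['score']}\n";

// Same cheat against the hardened handler, with the session saying user 42.
$rejected = hardened_reg($cheatPost, array('userid' => 42));
echo "hardened:   {$rejected['reason']}\n";

// A well-formed submission: the POSTed userid=1 is ignored in favour of the session.
$fixed = hardened_reg(array('punteggio' => '12345', 'userid' => '1'), array('userid' => 42));
echo "hardened:   userid={$fixed['userid']} score={$fixed['score']}\n";

$stored = store_comment('<script>alert("i rock j00!")</script>');
echo render_comment($stored), "\n";
```

Note what this does and does not fix: it stops a user posting a score as someone else and stops the comment field executing markup, but the score itself is still a number the client asserts, so a logged-in user can still POST a plausible-looking value for their own account. That remaining problem is what the rest of the thread is about.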
  #336  
08-16-2002, 03:15 PM
John
Join Date: Mar 2002
Location: Norwich, UK
Posts: 1,543
Thanks given: 0 times
Thanked 0 times in 0 posts

Quote:
Originally posted by Stuwee
Riiiight... very nice game and all credit to you for that, but there are two glaring big holes in your script here which I feel somewhat obliged to point out.

First and foremost, even with your updated script, it's still 100% possible to cheat (by posting the values using a form instead of using the querystring). For example - this simple html form run on your own machine:

Code:
<form name="tetrischeat" method="post" action="http://yoursite/tetris.php?action=reg">
  enter your score! 
  <input type="text" name="punteggio"><br>
  and your userid (get from bbuserid field in cookie)<input type="text" name="userid"><br>
  <input type="submit" value="What's tetris again?">
</form>
It just requires digging out your userid from the vB cookie. For a working example, register on our boards, and then give it a shot here.

Secondly, the comment system here is very open to abuse. For example, as your comment, try:

Code:
<script>alert("i rock j00!")</script>
And you'll see what I mean. Luckily, the mysql comment column is restricted to 70 characters, which limits the damage we can do with this (no XSS cookie harvesting kiddies, sorry)... but it can still be rather annoying.

Overall, a little more thought is needed here in order to secure the script properly. Let me know if you need any help with this, I'll be happy to help.
I've been aware that the script wasn't 100% secure for some time now, but I don't have the time to update it (I'm not familiar with the vB cookie system either).

If you could update the existing tetris.php and email it to me, we'd all be grateful.
  #337  
08-16-2002, 03:35 PM
Stuwee
Join Date: Aug 2002
Posts: 5
Thanks given: 0 times
Thanked 0 times in 0 posts

Quote:
Originally posted by john.eovie
I've been aware that the script wasn't 100% secure for some time now, but I don't have the time to update it (I'm not familiar with the vB cookie system either).

If you could update the existing tetris.php and email it to me, we'd all be grateful.
Actually, it's possible to do it without knowing the userid (by setting s=something in the querystring). I don't have time to fix it tonight, but I'll see what I can do for you tomorrow... in the mean time, I updated my little example so it doesn't need the userid.
  #338  
08-16-2002, 03:37 PM
John
Join Date: Mar 2002
Location: Norwich, UK
Posts: 1,543
Thanks given: 0 times
Thanked 0 times in 0 posts

Tried it with sessions - sometimes, for some unknown reason the user doesn't have a sessionhash. Meaning they can't get to it at all... :s
  #339  
08-16-2002, 03:40 PM
Stuwee
Join Date: Aug 2002
Posts: 5
Thanks given: 0 times
Thanked 0 times in 0 posts

Quote:
Originally posted by john.eovie
Tried it with sessions - sometimes, for some unknown reason the user doesn't have a sessionhash. Meaning they can't get to it at all... :s
Yeah, sometimes the session hash isn't present in the querystring, sometimes it is (never bothered to find out exactly why)... but that doesn't solve our problem anyway... I'll hopefully get back to you tomorrow with an updated version of the script.
  #340  
08-16-2002, 03:52 PM
Lesane
Join Date: Oct 2001
Location: The Netherlands
Posts: 1,149
Thanks given: 0 times
Thanked 0 times in 0 posts

You could use sessions for that.

When they are going to the play action (tetris?action=play) then you can set a session name for example:

PHP Code:
session_start();
session_register("test"); 
Then by the code of reg (tetris?action=reg) you can check if the user has a session named test by the following code:

PHP Code:
if (session_is_registered("test")) {
    echo "User has a session named test so he came from the play action";
} else {
    echo "ooops, cheatterr";
}

  #341  
08-16-2002, 04:09 PM
Stuwee
Join Date: Aug 2002
Posts: 5
Thanks given: 0 times
Thanked 0 times in 0 posts

Quote:
Originally posted by Lesane
You could use sessions for that.

When they are going to the play action (tetris?action=play) then you can set a session name for example:

PHP Code:
session_start();
session_register("test"); 
Then by the code of reg (tetris?action=reg) you can check if the user has a session named test by the following code:

PHP Code:
if (session_is_registered("test")) {
    echo "User has a session named test so he came from the play action";
} else {
    echo "ooops, cheatterr";
}

Quite right, but as far as I can see, the cheat0r could just start a game, and then while it's playing, submit the form. The session still exists, but it wasn't submitted by the script... the leaderboard would be none the wiser. $_SERVER["HTTP_REFERRER"] could always be checked to see if the user is indeed coming from the playfield, but there's no reason that can't be poisoned either....
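Stuwee's objection applies to any per-session flag and to the Referer header (PHP exposes it as $_SERVER['HTTP_REFERER'], and the client sets it). The added example below is not code from this thread or from the hack; it shows the stronger shape a practitioner would reach for instead of a session flag: at action=play the server issues a signed, single-use play token bound to the logged-in user and the issue time, and at action=reg it verifies the signature, the user, single use and elapsed time, then bounds the claimed points by a per-second rate. Assumed: a server-side secret (TETRIS_SECRET), an in-memory array standing in for a token table, and the made-up constants MAX_POINTS_PER_SECOND and TOKEN_MAX_AGE. The points value is still asserted by the client, so this attributes and limits cheating rather than proving a score; only replaying the game's moves server-side would do that. Requires PHP 7 for random_bytes() (hash_equals() is PHP 5.6+).

```php
<?php
// Added example with hypothetical names; not the hack's own code.

define('TETRIS_SECRET', 'replace-with-a-long-random-secret'); // assumption: kept server-side only
define('MAX_POINTS_PER_SECOND', 50);                         // made-up plausibility bound
define('TOKEN_MAX_AGE', 2 * 3600);                           // a game older than this is stale

// action=play: issue "userid|issued|nonce|mac" and remember the nonce as unused.
function issue_play_token($userid, $now, array &$store)
{
    $nonce   = bin2hex(random_bytes(8));
    $payload = (int) $userid . '|' . (int) $now . '|' . $nonce;
    $mac     = hash_hmac('sha256', $payload, TETRIS_SECRET);
    $store[$nonce] = array('userid' => (int) $userid, 'issued' => (int) $now, 'used' => false);
    return $payload . '|' . $mac;
}

// action=reg: every check is against server-held state, never against a
// session flag or the Referer. Returns 'ok' or the reason for rejection.
function verify_score_submission($token, $claimedPoints, $sessionUserid, $now, array &$store)
{
    $parts = explode('|', (string) $token);
    if (count($parts) !== 4) {
        return 'malformed token';
    }
    list($userid, $issued, $nonce, $mac) = $parts;
    $expected = hash_hmac('sha256', "$userid|$issued|$nonce", TETRIS_SECRET);
    if (!hash_equals($expected, $mac)) {
        return 'bad signature';                    // token forged or altered
    }
    if ((int) $userid !== (int) $sessionUserid) {
        return 'token belongs to another user';    // cannot post a score as someone else
    }
    if (!isset($store[$nonce]) || $store[$nonce]['used']) {
        return 'token unknown or already used';    // one submission per game started
    }
    $elapsed = (int) $now - (int) $issued;
    if ($elapsed < 1 || $elapsed > TOKEN_MAX_AGE) {
        return 'game has not run long enough or token is stale';
    }
    if (!preg_match('/^[0-9]{1,9}$/', (string) $claimedPoints)
        || (int) $claimedPoints > $elapsed * MAX_POINTS_PER_SECOND) {
        return 'score implausible for elapsed time';
    }
    $store[$nonce]['used'] = true;                 // burn the token before recording the score
    return 'ok';
}

// Constructed walk-through: user 42 starts a game at t=1000 (seconds).
$store = array();
$token = issue_play_token(42, 1000, $store);

// The thread's cheat: submit the form mid-game, five seconds in, with a huge score.
echo verify_score_submission($token, 10000000, 42, 1005, $store), "\n";
// Another logged-in user (id 7) trying to reuse the same token.
echo verify_score_submission($token, 200, 7, 1005, $store), "\n";
// Token edited to claim an earlier issue time, so the HMAC no longer matches.
$forged = preg_replace('/\|1000\|/', '|1|', $token);
echo verify_score_submission($forged, 200, 42, 1005, $store), "\n";
// A plausible score after 120 seconds, then a replay of the now-burnt token.
echo verify_score_submission($token, 4000, 42, 1120, $store), "\n";
echo verify_score_submission($token, 4000, 42, 1121, $store), "\n";
```

The token must be carried in the play page and POSTed back with the score; the nonce store has to be the database in a real deployment so that single use holds across requests and web server processes. The rate bound is the only thing standing between a patient cheater and a high score, so it should be tuned against real play data rather than the placeholder used here.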