Fake Characters

Veranor · May 24, 2003, 02:18:46 PM

Did you realize that there is a bug pertaining to signups, that can result in a fake character that has no race? Since this game is written in php, you can define the variables in the url. Of course that's how this whole game runs, with ?action=something, but there is more. The source code of this game is readliy available, so everyone could find out the variables used in character creation. Now, what's to stop them from stringing the variables along in the url like so:

http://warlords.iboze.com/rwl.php?action=s..._empire=aiwiioa
[EDIT: In the interests of people who may aimlessly click that link and get disabled for mutliple accounts, I've changed the link.]

On clicking that it will make a new character (well not really since I already clicked it), and this character will have no race either. It may not sound that bad at first, but then if you think, how hard would it be to write a script that would just randomize the url and window.open it, over and over again. I'm thinking this is how the 950 fake characters got into Arisen at one point. I don't know if having that many fake characters is a big problem, but I just wanted to bring it to your attention.

To stop it, you could employ some security measure, similar to those you find when signing up at yahoo, or tripod. Then you could release a modified version which people could use in their source, while still keeping yours random.

Anyways, that's all I had to say

Veranor · May 24, 2003, 02:55:05 PM

Though the part that really bugs me is that I can do this on signup but I can't define variables on any other page

Why can you directly go to login, signup, top10. I don't see how in the code...

Also, for anyone who wants to start their own game, do not host your game on the same server as your forums. Use a subdomain or something else. For examble iboze.com/rwl and warlords.iboze

Edit: Acutally you can define them on Login as well

The Beatles · May 24, 2003, 05:07:12 PM

because, if you check warbands.php, on all "action"s other than singup, login, guide, etc., it checks the HTTP_REFERER.

Veranor · May 24, 2003, 05:18:26 PM

Yeah I noticed, there is none provided in this sites source, I was looking at the promisance.php, which does allow access to guide. Though if you go directly to guide on here, it won't allow you to. That's why I was a bit confused.

Edit: But do you have anything to say about anything else?

The Beatles · May 25, 2003, 03:41:23 AM

yeah, the sourcecode they let you download is VERY old.... that's why it wouldn't have it.

Retto · May 25, 2003, 05:14:44 PM

don't know what you're looking at, but the source code we've got up has got it in there. When we put out the next expansion, we will be updating the source code available...

Veranor · May 25, 2003, 05:15:43 PM

Ok sorry I guess the one I had downloaded didn't have it, or I got it from somebody who said they got it here, maybe they didn't send me everything

EDIT: Still why has no one said anything concerning the meat of this post?

Retto · May 25, 2003, 05:25:11 PM

I say this: I've fixed the problem. Thanks for bringing it to my attention.