Fake Characters

Started by Veranor, May 24, 2003, 02:18:46 PM


Veranor

Did you realize that there is a bug pertaining to signups that can result in a fake character that has no race? Since this game is written in PHP, you can define the variables in the URL. Of course that's how this whole game runs, with ?action=something, but there is more. The source code of this game is readily available, so everyone could find out the variables used in character creation. Now, what's to stop them from stringing the variables along in the URL like so:

http://warlords.iboze.com/rwl.php?action=s..._empire=aiwiioa
[EDIT: In the interests of people who may aimlessly click that link and get disabled for multiple accounts, I've changed the link.]

On clicking that it will make a new character (well, not really, since I already clicked it), and this character will have no race either. It may not sound that bad at first, but then if you think about it, how hard would it be to write a script that would just randomize the URL and window.open it, over and over again? I'm thinking this is how the 950 fake characters got into Arisen at one point. I don't know if having that many fake characters is a big problem, but I just wanted to bring it to your attention.

To stop it, you could employ some security measure, similar to those you find when signing up at yahoo, or tripod. Then you could release a modified version which people could use in their source, while still keeping yours random.


Anyways, that's all I had to say
#127.0.0.1 rovl.org

Veranor

Though the part that really bugs me is that I can do this on signup, but I can't define variables on any other page.


Why can you directly go to login, signup, top10? I don't see how in the code...


Also, for anyone who wants to start their own game, do not host your game on the same server as your forums. Use a subdomain or something else. For example iboze.com/rwl and warlords.iboze

Edit: Actually you can define them on Login as well
#127.0.0.1 rovl.org

The Beatles

Because, if you check warbands.php, on all "action"s other than signup, login, guide, etc., it checks the HTTP_REFERER.
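The two points raised so far, a signup handler that will create a character from whatever variables arrive in the URL (including no race at all), and gating other actions on HTTP_REFERER, can both be handled server-side. The PHP below is an added example written for this thread; it is not code from the Warlords or Promisance source, and the function names, the race list, the field names (race, empire, token) and the session layout are all assumptions. It rejects anything that is not a POST, ties the form to a one-time token stored in the session instead of trusting a client-supplied Referer header, validates the race against an allowlist so a race-less character cannot be created, and caps how many signups one session may attempt.

```php
<?php
// Added example: a hardened character-signup handler (not the game's own code).
// Assumes PHP 7 or later with sessions enabled, and a form page that calls
// issue_signup_token() and puts the token in a hidden field named "token".

session_start();

// Allowed races: a constructed list, not the game's real race table.
const ALLOWED_RACES = ['human', 'elf', 'dwarf', 'orc'];
const TOKEN_LIFETIME_SECONDS = 600;
const MAX_SIGNUPS_PER_SESSION = 3;

// Issue a one-time token for the signup form and remember it in the session.
function issue_signup_token(): string {
    $token = bin2hex(random_bytes(16));
    $_SESSION['signup_token'] = $token;
    $_SESSION['signup_token_issued'] = time();
    return $token;
}

// Validate a signup submission. Returns a list of errors; empty means accept.
function validate_signup(array $post, string $method, array $session): array {
    $errors = [];

    // 1. Signup must arrive as a POST. A bare link like the ?action=... URL in
    //    the first post is a GET and is refused here before anything is created.
    if ($method !== 'POST') {
        $errors[] = 'signup must be submitted with POST';
        return $errors;
    }

    // 2. The submitted token must match the session's token and be fresh.
    //    This replaces an HTTP_REFERER check: the Referer header is supplied by
    //    the client and may be absent or altered, whereas the session token is
    //    only known to the browser that actually loaded the signup form.
    $token    = $post['token'] ?? '';
    $expected = $session['signup_token'] ?? '';
    $issued   = (int)($session['signup_token_issued'] ?? 0);
    if ($expected === '' || !hash_equals($expected, (string)$token)
        || time() - $issued > TOKEN_LIFETIME_SECONDS) {
        $errors[] = 'missing, mismatched or expired form token';
    }

    // 3. Every field is checked against a server-side allowlist. An empty or
    //    unknown race is rejected, so no race-less character can be stored.
    $race = strtolower(trim((string)($post['race'] ?? '')));
    if (!in_array($race, ALLOWED_RACES, true)) {
        $errors[] = 'race must be one of: ' . implode(', ', ALLOWED_RACES);
    }

    $empire = trim((string)($post['empire'] ?? ''));
    if (!preg_match('/^[A-Za-z0-9 ]{3,20}$/', $empire)) {
        $errors[] = 'empire name must be 3-20 letters, digits or spaces';
    }

    // 4. Throttle repeated signups from one session. This slows down a script
    //    that loops over the URL; a CAPTCHA-style check, as suggested in the
    //    first post, would be the next step for stopping automated creation.
    $count = (int)($session['signup_count'] ?? 0);
    if ($count >= MAX_SIGNUPS_PER_SESSION) {
        $errors[] = 'too many signups from this session';
    }

    return $errors;
}

// Request handling. The token is consumed whether or not validation passed,
// so a captured form submission cannot be replayed.
$errors = validate_signup($_POST, $_SERVER['REQUEST_METHOD'] ?? 'GET', $_SESSION);
unset($_SESSION['signup_token'], $_SESSION['signup_token_issued']);
$_SESSION['signup_count'] = ($_SESSION['signup_count'] ?? 0) + 1;

if ($errors) {
    http_response_code(400);
    echo 'Signup rejected: ' . htmlspecialchars(implode('; ', $errors));
    exit;
}

// create_character($_POST['empire'], $_POST['race']) would be called here;
// that function is hypothetical and belongs to the game's own code.
echo 'Character created.';
```

The check on REQUEST_METHOD is what closes the hole described in the first post: once creation only happens on a POST carrying a valid session token, a URL pasted into the address bar or opened by a script does nothing, and the allowlist on race means that even a hand-crafted POST cannot produce a character with no race.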

Veranor

Yeah, I noticed; there is none provided in this site's source. I was looking at the promisance.php, which does allow access to guide. Though if you go directly to guide on here, it won't allow you to. That's why I was a bit confused.

Edit: But do you have anything to say about anything else?
#127.0.0.1 rovl.org

The Beatles

Yeah, the source code they let you download is VERY old.... that's why it wouldn't have it.

Retto

Don't know what you're looking at, but the source code we've got up has got it in there. When we put out the next expansion, we will be updating the source code available...
The 'ittle otter,
Retto

Veranor

OK, sorry, I guess the one I had downloaded didn't have it, or I got it from somebody who said they got it here; maybe they didn't send me everything.


EDIT: Still why has no one said anything concerning the meat of this post?
#127.0.0.1 rovl.org

Retto

I say this: I've fixed the problem. Thanks for bringing it to my attention.
The 'ittle otter,
Retto