  1. #1

    MCCodes v2.0.4 Released & Security Doc

    After a bit of a delay in programming & testing, MCCodes have finally released the v2.0.4 security & bugfix patch for MCCodes v2 users.

    Also released is a security document, which allows users to fix the security problems which were fixed in 2.0.4 in their own games if they are heavily modified or not v2.

    The changelog is attached to this post. The security advisory is available to ALL paying customers in their customer area, underneath the engine license section.

    Please report bugs through our bug tracker, or here if you prefer (though reporting them to our official bug tracker is much better for us)

    If you want to just place the 2.0.4 files over your (UNMODIFIED) 2.0.3 ones you can do so and have it function correctly by executing the following SQL queries:



    This is highly unrecommended for all but those who are just starting out on their game, since you will lose all your mods.
    MCCodes Primary Developer
    http://mccodes.com/

    Twitter @Dabomstew

  2. #2
    We feel that we have to inform customers of the two engines which do not yet have a patch of the potential issues in their games. This is mainly why the security advisory was released. v2 users should download the new files and work from there.

    The code does address a bit more than the security advisory does, I believe - though it was prepared with the changelog of the patch in mind.

    If there are further security issues which neither the patch nor the advisory cover at all, we would very much like to hear them so follow-ups can be made.

    EDIT: Also, contacting our entire customer base and waiting for a reply from every single customer would have seriously extended the time taken to release the patch. We therefore felt that this was not a practical option.

    EDIT2: We have reconsidered slightly, and moved the security document to only be accessible to paying customers. The changelog is still public.
    MCCodes Primary Developer
    http://mccodes.com/

    Twitter @Dabomstew

  3. #3
    I've read the first attachment but after that,
    the second attachment failed to open..?

    http://www.makewebgames.com/attachme...0&d=1329568659 <-- o.0 ?

    hmm
    Last edited by H4x0r666; 02-18-2012 at 01:55 PM. Reason: Posting attachment url that failed to open
    Never be afraid to try something new. Remember that a lone amateur built the Ark. A large group of professionals built the Titanic.

  4. #4
    Read above. The security notice has been moved to our customer area. If you have a license, it's just a few clicks away still.
    MCCodes Primary Developer
    http://mccodes.com/

    Twitter @Dabomstew

  5. #5
    Congratulations for the release! Any security patch is welcome in my opinion
    - Make Web Games Administrator
    - Creator of NWE
    - Owner of Nowhere Else and beyond
    - Mad developer

  6. #6
    Mystical (Beginner) | Join Date: Jan 2011 | Location: Sunny South Carolina | Posts: 263
    Probably a stupid question but is ?> not needed at the end of each file? Just asking because almost all of the files are missing it.
    99 Cents a month web hosting! Pay as you go...
    http://www.scottdalehosting.com/whmcs/aff.php?aff=009

  7. #7
    Djkanna (Booooring Intermediate => I'm a Rebel) | Join Date: Jul 2008 | Location: United Kingdom | Posts: 2,951
    Quote: Originally Posted by Mystical
    Probably a stupid question but is ?> not needed at the end of each file? Just asking because almost all of the files are missing it.
    No it's not needed, in some cases it's also beneficial to omit the closing tag.
    "We believe that bad sex and good drugs are the cornerstones of a great democracy."
    - P.A.G.A.N
    Will you be (Mg,Fe)7Si8O22(OH)2 ?




  8. #8
    Intermediate | Join Date: Mar 2009 | Location: Manchester, England | Posts: 2,691 | Blog Entries: 9
    Quote: Originally Posted by Dabomstew
    Ok, why not just use an external jQuery file? Also, is there any check to see if the jQuery has been included? Sometimes it may get deleted by accident, updated, down-dated, or a folder structure may cause it not to load.

    Also, adding the user's pass salt in their users table doesn't make it as hard to hack. I did research this for my engine, as I did the same as yourself. I found that - which sounds silly once you know - if they have access to the game's database, then they have access to the salt, so it can just be added to the password when they are trying to convert it back to plain text.

    Retired Developer, Looking to finish this project though...

    Project: 'What are you wearing': 2%

    W3Theory Hosting

    Don't trust things you read on the internet - Abraham Lincoln

  9. #9
    Quote: Originally Posted by Danny696
    Also, adding the user's pass salt in their users table doesn't make it as hard to hack. I did research this for my engine, as I did the same as yourself. I found that - which sounds silly once you know - if they have access to the game's database, then they have access to the salt, so it can just be added to the password when they are trying to convert it back to plain text.
    It's still a salted hash though. Unless you have a rainbow table of that hash then you're outta luck.

  10. #10
    Quote: Originally Posted by Neon
    It's still a salted hash though. Unless you have a rainbow table of that hash then you're outta luck.

    @Neon
    I think you're reading it wrong.
    The salt is stored alongside the password within the same table, within the same database, using the same user for authentication. 0_o,
    Basically, once you know what hashing function the script uses (I'll guess md5 or sha1), you're in (dictionary attack, basically).

    @Danny:
    But at that point, you're better off just altering the database to suit your form of attack. I'm pretty sure MCCodes runs some database extracted content with PHP, or even if not, you could modify unfiltered database content like mail and inject an XSS worm into an admin's message to gain whatever you need.
    The admin should have an HTML5 and Javascript compliant browser, so you could, theoretically, store all the admin's actions within a client-side database and simply use Ajax to send yourself a neat little message. Would take days if not weeks to discover the breach if you don't alter anything in an obvious manner.

    But, also theoretically, one could just use MySQL to upload yourself a w4cking-c99 if they run with escalated user privileges. Wouldn't be very smart, but I've seen people owned using this method.

    Quote: Originally Posted by Djkanna
    No it's not needed, in some cases it's also beneficial to omit the closing tag.
    There's no "benefits" towards omitting the closing tag. It's purely preference.

    The <?php & ?> tags (or more formally, escape characters) mean you are either escaping into or out of PHP... similar to XML syntax.

    If you do not plan on producing HTML/output after the PHP syntax, there is no need to escape out of PHP; some developers just think it's cleaner to use closing tags with each script.
    On the other hand, C( # / ++ ) developers will omit it (e.g. a_bertrand, see his scripts) simply because they're used to not having to escape their code.

    PHP is designed this way, since its original usage is within HTML, text, etc...
    Last edited by Spudinski; 02-18-2012 at 09:50 PM.
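
Added example, not part of the thread and not MCCodes code: posts #8 to #10 discuss a per-user salt stored in the users table next to the hash. The sketch below assumes a legacy scheme of md5(salt . password) (the thread only guesses at md5 or sha1), PHP 7 or later, and hypothetical column names; it shows what the salt does and does not protect, and a re-hash-on-login upgrade to password_hash().

```php
<?php
// Added example. The legacy scheme md5(salt . password) and the column
// names (salt, hash, hash_v2) are assumptions; the thread shows no code.
function legacy_hash(string $password, string $salt): string
{
    return md5($salt . $password);
}

// Constructed sample rows: two users who picked the same password.
$password = 'correct horse battery staple';
$users = [];
foreach (['alice', 'bob'] as $name) {
    $salt = bin2hex(random_bytes(8));   // per-user salt, stored in the row
    $users[$name] = ['salt' => $salt, 'hash' => legacy_hash($password, $salt)];
}

// 1. Per-user salts make equal passwords hash differently, so a table
//    precomputed without the salt matches neither row.
var_dump($users['alice']['hash'] === $users['bob']['hash']);
var_dump(md5($password) === $users['alice']['hash']);

// 2. The salt is not a secret. After a database leak the defence is the
//    cost of each guess: compare one fast hash with one bcrypt hash.
$t = microtime(true);
legacy_hash($password, $users['alice']['salt']);
$fast = microtime(true) - $t;
$t = microtime(true);
password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
$slow = microtime(true) - $t;
printf("md5: %.6fs  bcrypt(cost=12): %.6fs\n", $fast, $slow);

// 3. Upgrade on login: check the legacy hash in constant time, then
//    store a bcrypt hash and drop the weak one.
function login(array &$row, string $password): bool
{
    if (isset($row['hash_v2'])) {
        return password_verify($password, $row['hash_v2']);
    }
    if (!hash_equals($row['hash'], legacy_hash($password, $row['salt']))) {
        return false;
    }
    $row['hash_v2'] = password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
    unset($row['hash'], $row['salt']);
    return true;
}

var_dump(login($users['alice'], $password));   // first login upgrades the row
var_dump(login($users['alice'], 'wrong'));     // now checked against bcrypt
```

The stored bcrypt string carries its own salt and cost, so no separate salt column is needed once a row has been upgraded.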

 

 