Updating Dragon Knight Engine

Place for questions and answers for all newcomers and new coders. This is a free-for-all forum; no question is too stupid or too noob.

Re: Updating Dragon Knight Engine

Postby Kesstryl » Sat Jul 01, 2017 11:33 am

I updated the original post, and I now have a copy on my dropbox for you guys to download and poke at. Let me know if you find additional errors.
Kesstryl
Posts: 161
Joined: Sat Sep 22, 2012 12:27 am
Location: Gallifrey
Has thanked: 23 times
Been thanked: 1 time

Re: Updating Dragon Knight Engine

Postby Kesstryl » Sun Jul 02, 2017 12:01 pm

OK, there are a couple of things still bothering me with the security of the engine, so I'm making a few more changes. I'll let you know when those updates are done. Basically, I hate the way the cookies used the username, and I got rid of that. I also added a random hash in the database which is generated every time the user logs in, and matches that to the cookie. To me this is more secure than what was originally there. I'll probably tweak more with security as other things are bothering me as well, and the changes I put in were just basic and poor blankets (which are better than nothing, and there were places where there was no sanitizing of input at all).
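
The per-login cookie token described in the post above, written out as an added example. This is not Dragon Knight's code: the `$users` array stands in for the users table, and the column name `logintoken`, the cookie name `dk_login` and the 30-day lifetime are assumptions. It goes one step beyond the post by storing a SHA-256 of the token in the database rather than the token itself, so a dumped table cannot be replayed as cookies, and it sets the cookie HttpOnly as the later changelog does.

```php
<?php
// Added example, not Dragon Knight code. Stand-in for the users table:
// "logintoken" (assumed column name) holds sha256(token), or null when logged out.
declare(strict_types=1);

$users = [
    1 => ['username' => 'kesstryl', 'logintoken' => null],   // constructed row
];

/**
 * Runs after the password check succeeds. Mints a fresh random token, stores
 * its hash against the user, and returns the cookie value "<id>:<token>".
 * A new token on every login means an old stolen cookie dies at the next login.
 */
function issue_login_token(array &$users, int $userId): string
{
    $token = bin2hex(random_bytes(32));                 // 256 bits from the CSPRNG
    $users[$userId]['logintoken'] = hash('sha256', $token);
    return $userId . ':' . $token;
}

/** Sends the cookie HttpOnly (as in the changelog) plus Secure and SameSite. */
function send_login_cookie(string $value, bool $httpsOnly): bool
{
    // Options-array form needs PHP 7.3+. 'dk_login' is an assumed cookie name.
    return setcookie('dk_login', $value, [
        'expires'  => time() + 30 * 24 * 60 * 60,
        'path'     => '/',
        'secure'   => $httpsOnly,
        'httponly' => true,       // JavaScript on the page cannot read it
        'samesite' => 'Lax',      // not sent on cross-site POSTs
    ]);
}

/** Maps a returning cookie back to a user id, or null when it does not match a live token. */
function user_from_cookie(array $users, ?string $cookie): ?int
{
    if ($cookie === null || strpos($cookie, ':') === false) {
        return null;
    }
    [$id, $token] = explode(':', $cookie, 2);
    if (!ctype_digit($id) || !isset($users[(int) $id]['logintoken'])) {
        return null;                                    // unknown user or logged out
    }
    // Constant-time compare: response timing must not leak the stored hash.
    $matches = hash_equals($users[(int) $id]['logintoken'], hash('sha256', $token));
    return $matches ? (int) $id : null;
}

/** Logout: clearing the stored hash invalidates every copy of the cookie at once. */
function revoke_login_token(array &$users, int $userId): void
{
    $users[$userId]['logintoken'] = null;
}

// Walk through one login / return / logout cycle with the constructed data.
$cookie = issue_login_token($users, 1);
if (PHP_SAPI !== 'cli') {
    send_login_cookie($cookie, !empty($_SERVER['HTTPS']));
}
var_dump(user_from_cookie($users, $cookie));
var_dump(user_from_cookie($users, '1:' . str_repeat('0', 64)));   // forged token
revoke_login_token($users, 1);
var_dump(user_from_cookie($users, $cookie));                      // after logout
```

The `<id>:<token>` layout keeps the database lookup a primary-key fetch; the token itself is never used as a query key, so a leaked table row gives an attacker only the hash, not something a browser can present.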

Re: Updating Dragon Knight Engine

Postby hallsofvallhalla » Mon Jul 03, 2017 10:25 am

Thanks for the update. Congrats on getting this far.
hallsofvallhalla
Site Admin
Posts: 11599
Joined: Wed Apr 22, 2009 6:29 pm
Location: mobile, al
Has thanked: 11 times
Been thanked: 127 times

Re: Updating Dragon Knight Engine

Postby Kesstryl » Sun Jul 09, 2017 12:25 pm

I fixed a few other security problems, and here is what I have done so far with all my changes (copied and pasted from the changelog):

Dragon Knight 1.1.12 (06.29.2017) by Kesstryl
All changes to vanilla code were done to increase security and make the code PHP 5 compatible.
Security changes are only the bare minimum; add your own to increase security, or use at your own risk.
PHP 5 code upgrades
- changed database type from MyISAM to InnoDB in install.php
- changed mysql to mysqli for all database commands throughout the code.
- defined variables wherever they were undefined.
- added a hidden field in registration to prevent spam registration.
Security changes
- changed cookies to use a hash code which is changed at every login.
- set cookies to HttpOnly.
- added .htaccess files in all folders to prevent directory snooping.
- added a function to check the host URL to protect against CSRF wherever POST and GET are used.
- changed admin.php to go back to the index page if unauthorized to use the admin panel.
- changed the hash algorithm for passwords from md5 to sha256.
- added a salt to passwords.
- added a string sanitize function and implemented it wherever there is POST data.
- added an array sanitize function and implemented it where POST data is extracted in admin.php.
- EXTR_SKIP has been added to the extract global in admin.php as an extra security measure.
- libxml_disable_entity_loader set to true in the xml variable to prevent XML entity expansion attacks.

I'll probably tweak a few other things, and especially if you guys find some glaring error or security hole. Everything appears to be working on my localhost. The email verification has not been tested as my localhost isn't configured to send out emails, so I'll test that when I upload it to a webhost unless someone else wants to test it. My dropbox has the most current file.
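
The password-hashing items in the changelog above (md5 to sha256, plus a salt), as an added example rather than the engine's own code. It uses a random per-user salt and a constant-time compare, and goes beyond the changelog in one respect: existing accounts still carry md5 hashes after the upgrade, so the verifier accepts a legacy md5 row once and rewrites it to the new scheme on that login. The row fields `algo`, `salt` and `pwhash` and the two user rows are constructed for the example.

```php
<?php
// Added example, not Dragon Knight code. Salted SHA-256 as listed in the
// changelog, plus migration of legacy md5 rows on the user's next login.
// Row fields "pwhash", "salt" and "algo" are assumed names; rows are constructed.
declare(strict_types=1);

/** New-scheme record: random per-user salt, sha256 over salt || password. */
function make_password_record(string $password): array
{
    $salt = bin2hex(random_bytes(16));                 // 128-bit salt, never shared
    return [
        'algo'   => 'sha256',
        'salt'   => $salt,
        'pwhash' => hash('sha256', $salt . $password),
    ];
}

/**
 * Checks a password against a stored row. When a legacy unsalted md5 row
 * verifies, the row is rewritten to the new scheme so the md5 disappears
 * after one successful login.
 */
function verify_password(string $password, array &$row): bool
{
    if ($row['algo'] === 'md5') {
        // Legacy vanilla format: md5(password), no salt.
        if (!hash_equals($row['pwhash'], md5($password))) {
            return false;
        }
        $row = make_password_record($password);        // upgrade in place
        return true;
    }
    if ($row['algo'] === 'sha256') {
        // hash_equals is constant-time, so a mismatch takes as long as a match.
        return hash_equals($row['pwhash'], hash('sha256', $row['salt'] . $password));
    }
    return false;                                      // unknown scheme: refuse
}

// Constructed users: one created after the upgrade, one still on md5.
$users = [
    'newplayer' => make_password_record('correct horse battery staple'),
    'oldplayer' => ['algo' => 'md5', 'salt' => '', 'pwhash' => md5('hunter2')],
];

var_dump(verify_password('correct horse battery staple', $users['newplayer']));
var_dump(verify_password('wrong', $users['newplayer']));
var_dump(verify_password('hunter2', $users['oldplayer']));   // legacy row: verify, then migrate in place
var_dump($users['oldplayer']['algo']);                        // scheme recorded on the row after migration
var_dump(verify_password('hunter2', $users['oldplayer']));    // re-check under the migrated row
```

PHP's own `password_hash()` / `password_verify()` (bcrypt under `PASSWORD_DEFAULT`, one 60-character string holding salt, cost and hash) is the simpler route if the schema can take that column; the migrate-on-login pattern above works the same way with them, with `password_needs_rehash()` deciding when to rewrite.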

Re: Updating Dragon Knight Engine

Postby Kesstryl » Tue Jul 11, 2017 12:37 pm

OK, I ran into a bug which doesn't show up if you officially log in from the log in page. If you don't log out, and the cookie is stored in your browser, you can go to the game and be logged in from the cookies. However, it causes the HTTP server referer to not be set, and I got the die error message. So in order to access the game, I had to add an if(isset to my HTTP referer check. I'm in the game just fine now through the cookies, except for the errors stating "Notice: Undefined index: HTTP_REFERER". I'm assuming going directly into the game via cookies and bypassing log in is causing the error, because once I do something in the game, it goes away. I need to figure out a way to get rid of the error, though, when someone first goes to the page without needing to log in.

This is my function for the referer check, which works fine everywhere else:

Code:
function protectcsfr() {
   include('config.php');
   extract($dbsettings, EXTR_SKIP);
   $safe = $safeserver;
   // Read the referer only when the browser sent one; touching
   // $_SERVER['HTTP_REFERER'] when it is absent is what raises the
   // "Undefined index: HTTP_REFERER" notice.
   if (isset($_SERVER['HTTP_REFERER'])) {
      $host = parse_url($_SERVER['HTTP_REFERER'], PHP_URL_HOST);
      if ($safe != $host) die("invalid url");
   }
}


I call the function on each page, including the index, and that works fine too if you log in from the log in page. Everything works except going to the site without logging out. It's only that first page you come back to where the referer isn't set; once you do something in game like explore, it goes away and the referer is set.

I could use the @ on the referer part to get rid of the error, but I'm concerned that this is a security risk.
Last edited by Kesstryl on Tue Jul 11, 2017 12:51 pm, edited 1 time in total.
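
The referer check from the post above, reworked as an added example (not the engine's code) so that the header is read only after `isset()`, which is what removes the "Undefined index: HTTP_REFERER" notice without `@` suppression. It checks the Origin header first and falls back to Referer, and takes the request array and the safe host as parameters instead of reading config.php so it can be run from the command line against constructed requests. It goes one step beyond the post: a request with neither header is allowed only when it is a GET or HEAD, which covers the cookie-return case in the thread, while a POST with no header at all is refused. The host `game.example` and the request arrays are constructed.

```php
<?php
// Added example, not Dragon Knight code. $server is $_SERVER or a constructed
// copy of it; $safe is the host name from config.php ($safeserver in the post).
declare(strict_types=1);

/** True when the request may proceed; false when it looks cross-site. */
function request_is_same_site(array $server, string $safe): bool
{
    $method = strtoupper($server['REQUEST_METHOD'] ?? 'GET');

    // Read the header only if it exists: no notice, no @ needed.
    // Origin is preferred: browsers send it on cross-site POSTs and it carries no path.
    $source = $server['HTTP_ORIGIN'] ?? $server['HTTP_REFERER'] ?? null;

    if ($source === null) {
        // Typed URL, bookmark, or a return visit on a remember-me cookie: no header at all.
        // Harmless for reads; a state-changing POST with no provenance is refused.
        return in_array($method, ['GET', 'HEAD'], true);
    }

    $host = parse_url($source, PHP_URL_HOST);
    if (!is_string($host)) {
        return false;   // malformed value, or the literal Origin "null": treat as foreign
    }
    // Strict, whole-host comparison: "game.example.attacker.example" must not pass.
    return strtolower($host) === strtolower($safe);
}

/** Drop-in for the post's protectcsfr(): refuse the request instead of serving it. */
function protect_csrf(string $safe): void
{
    if (!request_is_same_site($_SERVER, $safe)) {
        http_response_code(403);
        exit('invalid url');
    }
}

// Constructed requests exercising each branch (not captured traffic).
$cases = [
    'GET with no header (cookie return)' => ['REQUEST_METHOD' => 'GET'],
    'POST from own site (referer)'       => ['REQUEST_METHOD' => 'POST', 'HTTP_REFERER' => 'http://game.example/index.php?do=explore'],
    'POST from own site (origin)'        => ['REQUEST_METHOD' => 'POST', 'HTTP_ORIGIN' => 'http://game.example'],
    'POST from another site'             => ['REQUEST_METHOD' => 'POST', 'HTTP_ORIGIN' => 'http://attacker.example'],
    'POST from a lookalike host'         => ['REQUEST_METHOD' => 'POST', 'HTTP_REFERER' => 'http://game.example.attacker.example/x'],
    'POST with no header'                => ['REQUEST_METHOD' => 'POST'],
];
foreach ($cases as $name => $server) {
    printf("%-38s %s\n", $name, request_is_same_site($server, 'game.example') ? 'allowed' : 'refused');
}
```

Header checks stay a backstop rather than the whole defence: browsers omit Referer under a strict referrer policy and some proxies strip it, so a per-session token carried in each form and compared with `hash_equals()` is the check that does not depend on what the client chooses to send.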

Re: Updating Dragon Knight Engine

Postby hallsofvallhalla » Tue Jul 11, 2017 12:44 pm

Can you set it to blank or a default if it is not found? The HTTP referer

Re: Updating Dragon Knight Engine

Postby Kesstryl » Tue Jul 11, 2017 12:54 pm

There is no referer if I echo it when you first go to the page with echo $_SERVER['HTTP_REFERER'];, so it's definitely not set unless I do something, then it will show up in the echo.

I could force a login if it's not found, but that defeats the purpose of having the cookie log in.

Re: Updating Dragon Knight Engine

Postby Kesstryl » Tue Jul 11, 2017 12:56 pm

I see what you are saying. Just concerned it's a security risk if a user is using the "remember me" to get back to the game.

Like I said, I can use @$_SERVER['HTTP_REFERER']; to eliminate the error notice altogether.

Re: Updating Dragon Knight Engine

Postby Kesstryl » Tue Jul 18, 2017 2:27 pm

I finally made a fork of the engine from the official one on Github. Here's the link:

https://github.com/Kesstryl/dragon-knight

Re: Updating Dragon Knight Engine

Postby hallsofvallhalla » Tue Jul 18, 2017 4:50 pm

Congrats! Nice work!
