Bugs


A mysterious bug was found in our system while trying to create a new static page. The problem is that the page does not show up and gives a 404 (Not Found) error, even though it is properly saved in the system. Skyruler was looking for a solution this weekend, but every time he thought he had fixed it, he was wrong.
The good news is that Mad For Speed is not the most recent version of the system, meaning that we are not working on Mad For Speed directly. We have a separate test page so that you see as few bugs and errors as possible. This problem does not show up in that version, so we’ll have to be patient and wait, without creating new static information pages, until we get that version ready to be transferred to Mad For Speed.

P.S. No, we are not sleeping :P We are working on this project. Don’t worry, it is not dead!
Wait for new updates ;)

Today I ran a security check again after all the work we have done on the game core. I was very happy to see that most of the security issues were gone, but one high-level threat was found!
The bug is called: “Cross Site Scripting in URI”. The problem was hidden deep in the code: one global variable was used without checking it for potential threats and without cleaning it.
The variable I am talking about is $_SERVER['PHP_SELF']. The simplest example of using this vulnerability was this:
If you type:
http://www.madforspeed.com/index.php/>'><script>alert("bug")</script> ,
the main page would open and a JavaScript alert would show a message: “bug”.
Strange that I didn’t find this bug the last time I was checking the game. But it is now fixed! A few more bigger updates to the game core and I’ll do the check again.
See you then

What terrible weather today.
“Maybe I’ll check the code for bugs” - I thought.
I did. I used some software to speed up the process, and what do you think? We were so stupid to leave cookies without any checks. There were several security vulnerabilities through the language, visitor and theme cookies. Most of them were remote include or XSS (cross-site scripting), plus some SQL injections.
So I sat back, got myself some mineral water (yes yes, mineral, not beer :P ) and fixed all of them. Now there is a check and a clean-up. The rest of the main page looks secure enough for now. Some serious checks will be done after the rewrite of the code to OOP (object oriented programming) style.
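
The two fixes described in these posts (cleaning $_SERVER['PHP_SELF'] before it is printed, and checking the language, visitor and theme cookies) could look like the sketch below. It is an added example, not the game's own code; the function names, the allowed language and theme values, and the assumption that the visitor cookie holds a numeric id are all made up for illustration.

```php
<?php
// Added example, not the game's code. Function names, allowed values and the
// numeric visitor id are assumptions made for illustration.

// HTML-encode a value for use in element content or a quoted attribute.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// PHP_SELF carries any path info the client appends after the script name,
// so prefer SCRIPT_NAME (which does not) and encode it on output anyway.
function form_action(array $server): string
{
    return h($server['SCRIPT_NAME'] ?? '/index.php');
}

// A cookie that selects a file or a value is matched against a fixed
// allowlist, so its raw text never reaches include() or a query.
function cookie_choice(array $cookies, string $name, array $allowed, string $default): string
{
    $value = $cookies[$name] ?? $default;
    return (is_string($value) && in_array($value, $allowed, true)) ? $value : $default;
}

// A numeric cookie is validated as a positive integer; anything else is null.
function cookie_int(array $cookies, string $name): ?int
{
    $value = filter_var($cookies[$name] ?? null, FILTER_VALIDATE_INT,
                        ['options' => ['min_range' => 1]]);
    return $value === false ? null : $value;
}

// Constructed request data: the PHP_SELF value from the post and hostile cookies.
$server  = ['PHP_SELF'    => '/index.php/>\'><script>alert("bug")</script>',
            'SCRIPT_NAME' => '/index.php'];
$cookies = ['language' => 'http://example.invalid/x', 'theme' => 'dark',
            'visitor'  => "1' OR '1'='1"];

echo 'raw PHP_SELF, encoded: ', h($server['PHP_SELF']), PHP_EOL;
echo 'form action:           ', form_action($server), PHP_EOL;
echo 'language: ', cookie_choice($cookies, 'language', ['en', 'de'], 'en'), PHP_EOL;
echo 'theme:    ', cookie_choice($cookies, 'theme', ['light', 'dark'], 'light'), PHP_EOL;
echo 'visitor:  ', var_export(cookie_int($cookies, 'visitor'), true), PHP_EOL;
```

Even with the id validated as an integer, any SQL statement that uses it should still bind it as a parameter rather than concatenate it into the query string.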