
LEX Problem

Started by deanva, July 23, 2018, 04:01:32 PM



deanva

What is going on with the link to the LEX? It shows a page spinning and some guy talking about nothing related to the LEX that I can tell.

Tarkus

Looks like someone ran some sort of exploit through the LEX's "News" feature today.  I just disabled the "News" feature via the backend of the site, so the LEX should now be operational again.  I will investigate further as to what all happened.

-Alex

Lewis Lancaster

Hi,

I just want to start off by saying that I'm extremely sorry for rendering the site unusable for a good hour. I can assure you that my intentions were completely white and I was pen testing the system out of boredom, and I was only trying to see exactly what the system would and would not allow me to do. I did want to clarify that, while I publicly exploited the news function of the site, I was also able to exploit a few other things I'd like to point your attention to, in the hope that you will fix them :)

For starters, here's a spot I found where MySQL injection is potentially possible. Really simple fix: don't use the mysqli library for PHP and instead switch to proper PDO. I haven't looked for any others, but this one was the first I spotted.

http://sc4devotion.com/csxlex/lex_filedesc.php?lotGET=%22

As well as that, your log file inside the /api/ endpoint is viewable.

I'm sure you are aware of how I did the exploit. But your textboxes currently don't strip and escape any user data. I don't even need to go into how dangerous this can be.

Again, I apologise and I hope you get these issues resolved :)

P.S. I didn't even have to log in to do this. 't2u_post.php' literally required no login credentials or a valid session. So I'm not sure how this didn't get exploited sooner.
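As an added example (not the LEX's own code, and not posted by Lewis or the site's developers), here is a PHP sketch of the three fixes the post asks for: a parameterised PDO query for the lotGET lookup, output escaping for textbox content, and a session check on the posting endpoint. The table and column names, the DSN, the credentials and the session key are assumptions.

```php
<?php
// Added illustration, not the LEX's own code. Table/column names ("lots",
// "lot_id", "news"), the DSN, credentials and the "user_id" session key are assumed.
declare(strict_types=1);
session_start();

// 1) SQL injection: bind the query-string value as a PDO parameter instead of
//    concatenating it into the SQL (the pattern behind the lotGET finding).
function fetchLot(PDO $db, string $lotGet): ?array
{
    $stmt = $db->prepare('SELECT lot_id, name, description FROM lots WHERE lot_id = :id');
    $stmt->bindValue(':id', $lotGet, PDO::PARAM_STR);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// 2) Stored XSS: escape on output so text entered in a textbox (e.g. a news
//    post) renders as text, never as markup or script, in the reader's browser.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// 3) Missing authentication: refuse writes unless a logged-in session exists
//    (the post notes a posting endpoint accepted submissions with no login).
function requireLogin(): int
{
    if (empty($_SESSION['user_id'])) {
        http_response_code(403);
        exit('Login required.');
    }
    return (int) $_SESSION['user_id'];
}

$db = new PDO('mysql:host=localhost;dbname=lex;charset=utf8mb4', 'lexuser', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
]);

if ($_SERVER['REQUEST_METHOD'] === 'POST') {  // news submission
    $author = requireLogin();
    $ins = $db->prepare('INSERT INTO news (author_id, body) VALUES (:a, :b)');
    $ins->execute([':a' => $author, ':b' => $_POST['body'] ?? '']);
}

$lot = fetchLot($db, $_GET['lotGET'] ?? '');  // file description page
if ($lot === null) { http_response_code(404); exit('No such lot.'); }
echo '<h1>' . h($lot['name']) . '</h1><p>' . h($lot['description']) . '</p>';
```

The raw text is stored as submitted and escaped only at render time, so the same stored value can later be shown safely in any HTML context.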

Tarkus

Lewis, thank you for being transparent and honest about the situation, and for providing your findings.  The fact that you did so is, at least as far as I'm concerned, apology enough, and I believe your intentions.  Fortunately, it was easy enough for me to get the site operational again, once I became aware of the situation (and it pushed me to learn a little more PHP-related stuff in the process).  (Also, this probably has to be in the running for most unusual first post on our forums.)

I've forwarded this info onto our staff board, where our (one and only) LEX developer should be able to see it readily.  The SimCity 4 community is much more artistically inclined than technically, so while that's led to some pretty intense dust-ups with things like intellectual property and distribution permission, it's likely sheltered us from exploits and the like that tend to be more prevalent in other online gaming communities.

-Alex

huzman

24 hours later, the File Exchange seems to be down, still.
Or is it me only?
« Essayez d'apprendre quelque chose sur tout et tout sur quelque chose. »
« Try to learn something about everything and everything about something »
« Trata de aprender algo sobre todo y todo sobre algo »
— Thomas Henry Huxley

CasperVg

We are working on fixing the security concerns that Lewis Lancaster has raised before re-opening the LEX. The LEX has been temporarily disabled to ensure that further exploitation of these issues is not possible while we work on fixing it.
Follow my SimCity 4 Let's play on YouTube

AsimPika3172

I hope the LEX download will be OK at last, and make sure it is more secure, just like what happened on the News topic which clicked through to a YouTube site? Looks like someone tried hacking this website...  :crytissue:
I loves Sim City forever!

7096371

Excuse me, how long will it take for LEX to reopen?

mgb204

How long is a piece of string?

Seriously though, I appreciate that you would probably like to get access to the LEX, but as has already been explained, some code needs updating to ensure the LEX is safe for all. Given we have only one member who has the knowledge and access to fix such problems, it can't happen until they have time to instigate a fix. Knowing software development a little, a time-scale is pretty much impossible to provide until such point as you can make a full analysis of the problem. Even then, there is no guarantee the person in question can dedicate all the time to fixing it right there and then.

In short, it'll be available again when it's ready. When that happens the site will make a small announcement. Until such times, we all have to be patient.

martintallon

Just a few thoughts while we wait for the LEX to be bullet proofed.
1) It seems that Lewis knows a thing or 2 about servers, is he helping to secure the server?
2) Is it possible someone could set up an isolated remote system with a temp FTP server with the SC4 file database to keep the wolves at bay while work progresses on the LEX Mainframe security. Something with a basic structure:
     Lots
     Props
     Textures
     Maps
     Mods
   Just a simple list of files by name only with a download quota so everyone gets a chance to get needed files.
From the book "Footfall"
Necessity isn't the mother of invention, the scifi writer is. Someone reads a book and says I can make that work and they do it.

Tarkus

Quote from: martintallon on July 26, 2018, 04:52:11 PM
2) Is it possible someone could set up an isolated remote system with a temp FTP server with the SC4 file database to keep the wolves at bay while work progresses on the LEX Mainframe security. Something with a basic structure:
     Lots
     Props
     Textures
     Maps
     Mods
   Just a simple list of files by name only with a download quota so everyone gets a chance to get needed files.

The plan, as I understand it, is to phase the work, such that the basic and most essential features--login/registration and downloading--are back up and running first, before the rest of the LEX functionality is restored.  We'd only start to look at having a "temporary LEX" like what you've described if the downtime looked to be particularly excessive, since there would be setup time involved there, too--we're dealing with an exchange with somewhere north of 3600 files.  There are also some broader backend security upgrades we are looking at undertaking as part of the process, though we've encountered some technical difficulties with our webhost on that end, and getting the downloads accessible again is a higher priority, in any case.

As mgb mentioned, much like a NAM release, we have no real timetable at this point as to when we'll be able to re-open at least some of the LEX.  All we can do is thank everyone for their patience and understanding while we work to restore that part of our site.

-Alex

CasperVg

I've just re-enabled the LEX. The following features have been reworked with much improved security and are now available again:

- Login/registration
- File upload
- Power search, lot lists (e.g. latest, most popular), lot table
- File details, download + dependency tracker
- Download history
- Password reset
- File editing
- User profile

Things that are currently disabled while we continue to work on them:
- LEX global comments
- Most admin features

Things that probably won't work correctly:
- Download later list


Because of the large number of changes that needed to be made, there could still be some minor bugs, so let me know if you find any. Keep in mind that you should clear your cookies and HTTP caches to make sure that you have received the latest versions. You will also need to log in again.

AsimPika3172

Thanks CasperVg for fixing the LEX website! Now with the newest captcha mode: select any picture with the required thing, after selecting "I am not a robot" first!  :thumbsup:

7096371

Why can't LEX's power search be used?

Ramona Brie

Glad to see it back. Any chance of considering using HTTPS in the future, especially with the changes in Chrome 68?

CasperVg

Quote from: Tracker on July 27, 2018, 10:57:13 AM
Glad to see it back. Any chance of considering using HTTPS in the future, especially with the changes in Chrome 68?

Indeed, HTTPS would be a welcome addition both here and on the LEX. We are working on it, but there appear to be some hiccups with the shared web host right now, making it a bit more complicated than it should be.

?????? ???????

Quote from: CasperVg on July 27, 2018, 12:01:06 AM
- File details, download + dependency tracker

Hello people. I'm very glad to see that the LEX has started working again. But I have some problems with the dependency tracker. When I try to check the dependencies that are needed for some files, the dependency list loads endlessly and nothing happens.

Is it not working only for me, or for all users?

CasperVg

Quote from: ?????? ??????? on July 27, 2018, 11:42:19 AM
Quote from: CasperVg on July 27, 2018, 12:01:06 AM
- File details, download + dependency tracker

Hello people. I'm very glad to see that the LEX has started working again. But I have some problems with the dependency tracker. When I try to check the dependencies that are needed for some files, the dependency list loads endlessly and nothing happens.

Is it not working only for me, or for all users?

Sorry, fixed. Was an issue that only appeared if you had at least one dependency that you didn't have yet - hence why I didn't notice it sooner. Thanks for the report :)

?????? ???????

Quote from: CasperVg on July 27, 2018, 12:10:12 PM
Sorry, fixed. Was an issue that only appeared if you had at least one dependency that you didn't have yet - hence why I didn't notice it sooner. Thanks for the report :)
Oh)))) Thank you very much!)

huzman

CasperVg: I highly appreciate your work on the LEX. Many thanks, and not only mine.