Thread: Pirate Commodity Trader... with Bleach! A new 3rd party tool
Forum: Tips & Tricks, Questions & Answers
Total posts in this thread: 759
barlennan

To reiterate, we use no sites outside of pctb.crabdance.com and YPPedia. None. Any references to other sites are a problem; they are NOT intentional. And all we're doing with YPPedia is looking stuff up, no scripts or such. And I've dug through that part of the code _thoroughly_ at this point, so I'm very certain of this.
barlennan

Actually, I don't believe it's possible for this to be SQL injection. Those sorts of attacks mangle database contents and can stuff executable junk (js, php, etc) into database tables so the right queries can be forced to execute them... assuming things aren't quoted correctly.

1) The development system is running a newer version of mysql than production, which is more picky about quoting. We had to meet the more stringent requirements of dev to make it work at all. This eliminates most SQL injection vectors, because the injected junk will just get added to the database like any other data, which is harmless.

2) There is no place where what you type or put into a URL turns directly into a SQL statement other than SELECT. Lots of SELECTs, but to INSERT there's processing involved that would get very, very unhappy with random junk.

3) The actual bit of code that is getting stuffed in is appearing in index.php, not the database. As far as I can tell from the database dumps we did at one point, nothing is getting in there at all. It would be *really* obvious.

And I'm really hoping I'm right. *crosses fingers*
KingOfZeal
Joined: Aug 19, 2004 Posts: 1152 Status: Offline

Mostly correct, but just because there aren't any commands beyond SELECT doesn't mean that an injection couldn't mess things up -- ANY kind of manipulation, even queries, is subject; the injection would just terminate the current query and start a new one (for example, INSERT, DELETE or DROP). Also, and I don't know how, but I think there are ways to manipulate websites through SQL -- I think it has something to do with the fact that a connection is established from the website to the server, which you can then cross from SQL to Apache or whatever the case may be to manipulate things in there. Probably not right, but that's my best guess in any case.
----------------------------------------
Yamorg, Captain and Navigator Founder, Privately Funded Pirates Association© Midnight Ocean
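An added example, not PCTB's own code, illustrating the point argued in the two posts above: a SELECT-only query assembled from a URL parameter is still injectable, and binding the value as a parameter, rather than quoting it by hand, is the fix. Python's sqlite3 and a constructed market table stand in for the site's PHP/MySQL; the table and column names are assumptions.

```python
import sqlite3

# Constructed stand-in for the site's market data (table/column names are assumptions).
ROWS = [
    ("Harmattan", "Cobalt", "Hemp", 12),
    ("Harmattan", "Cobalt", "Iron", 40),
    ("Bassets", "Sage", "Wood", 9),
]


def make_db():
    """Build an in-memory database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE market (island TEXT, ocean TEXT, commodity TEXT, price INTEGER)"
    )
    conn.executemany("INSERT INTO market VALUES (?, ?, ?, ?)", ROWS)
    return conn


def prices_unsafe(conn, island):
    """Vulnerable: the request value is pasted into the SQL text.

    Surrounding it with quotes does not help once the value itself contains a
    quote; the WHERE clause can then be rewritten even though only SELECT runs.
    """
    sql = "SELECT commodity, price FROM market WHERE island = '%s' ORDER BY commodity" % island
    return conn.execute(sql).fetchall()


def prices_safe(conn, island):
    """Hardened: the driver binds the value, so it can only ever be compared as data."""
    sql = "SELECT commodity, price FROM market WHERE island = ? ORDER BY commodity"
    return conn.execute(sql, (island,)).fetchall()


def demo():
    """Run the same two lookups through both versions and return the results."""
    conn = make_db()
    normal = "Harmattan"
    # A value containing a quote, as it might arrive in a URL parameter.
    crafted = "x' OR '1'='1"
    return {
        "unsafe_normal": prices_unsafe(conn, normal),    # the two Harmattan rows
        "unsafe_crafted": prices_unsafe(conn, crafted),  # every row: the filter collapsed
        "safe_crafted": prices_safe(conn, crafted),      # no island has that literal name
    }
```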
Harrlokk
Joined: Jun 22, 2004 Posts: 13 Status: Offline

I've never done web stuff. Most of my code involved communicating from a workstation to the various back end systems. Getting approval responses for credit/debit cards was probably the worst, since there were 5+ systems you had to go through. Throw in SOX, PCI, encryption, PAN and it gets worse. Anyway, came across this link for how to hack apache through mysql. Doesn't mean I understand it though... :) http://www.dataloss.net/papers/how.defaced.apache.org.txt
LJAmethyst
Joined: Jul 19, 2007 Posts: 4140 Status: Offline

XKCD
----------------------------------------
Retired as of August 2015. Sic transit gloria mundi.
barlennan

That's only a problem if you don't quote everything properly. Or, as Randall Munroe puts it, "sanitize your database inputs."
----------------------------------------
[Edit 1 times, last edit by barlennan at Mar 4, 2009 9:37:19 AM]
lesleywalker
Joined: Dec 24, 2006 Posts: 1186 Status: Offline

A minor server-side issue: I don't think the server code has been updated since the cutter hold capacity was changed. Current capacities for a cutter are: Mass 40,500, Volume 60,750.
----------------------------------------
Rumbletum - FO, Crimson Sabers, Cobalt
Cheery - Alchemist, Ankh-Morpork City Watch, Cobalt
Jinxed Idol links
KingOfZeal
Joined: Aug 19, 2004 Posts: 1152 Status: Offline

I'll check the cutter information in the database manually. I should be able to change it without any problems.

Meanwhile, I do regret to inform you that recently pctb.crabdance.com has been hit HARD with a hack. This is very different from the last few problems that have been reported -- it has propagated through to just about every page that I have looked at. While I wish I could say that I can clean this up quickly, it may or may not be possible, as I have a lot of things on my plate right now. Because of this, I have temporarily closed access to the main pctb.crabdance.com website, and have put a note saying such up in its place. Most people will not be able to use PCTB through the web interface. However, the upload client WILL STILL WORK, and I have checked it thoroughly to ensure it is clean. Meanwhile, I am going to take steps so that, until I feel this problem is completely clean, nobody can access the website, yet still allow the upload client to work. This problem should be resolved in a day or two, and I will post to that effect when it is. We are also looking into many possible solutions to the latest hackings of the site, but as of yet none of our solutions have succeeded. Thank you for your patience while we deal with this newest problem.
----------------------------------------
Yamorg, Captain and Navigator Founder, Privately Funded Pirates Association© Midnight Ocean
maxdsterling
Joined: Jun 21, 2006 Posts: 170 Status: Offline

Perhaps you should consider moving the site to a new service, since I believe this would be the 2nd or 3rd time I've seen this site be compromised. It may also be a good time to start shuffling passwords (unless this hack got root access, in which case not even passwords will help).
----------------------------------------
Silverspoon Retired Senior Officer of The Eternal Hydrae Echidna's Children
KingOfZeal
Joined: Aug 19, 2004 Posts: 1152 Status: Offline

To be completely honest, this has happened a lot more than just the few times. When it had happened in the past, I was able to catch and fix it before anybody was able to notice; since I've started school again, though, my schedule has been a little off on being able to do that. To clarify, this isn't a problem with the host, and changing hosts won't fix the problem. I have been in contact with the host to help get this sorted: he knows this has been a problem for some time, and has been helping in every way he can. I do know what the problem is now, and I am working on fixing it. I'll start working on cleaning the site now, and the next chance I get some free time (a lot of stuff needs to be cleaned). It should be all cleaned up by tonight, though, assuming all goes well.
----------------------------------
Edit: the problem has [finally] been identified and fixed. I was lucky enough to convince the host to give me access to the daily backups of the site, and restored the site to its state as of two days ago. Cleaned up the hacking that was made at that time (that was the easy one), and took a few other measures to prevent this from happening again. Hopefully it won't. However, if it does, the previous request that you let me know is still in place. The site is back up and working. And... I'll get that cutter thing fixed here right before I head off to work.
----------------------------------------
Yamorg, Captain and Navigator Founder, Privately Funded Pirates Association© Midnight Ocean
----------------------------------------
[Edit 3 times, last edit by KingOfZeal at Mar 6, 2009 9:23:57 AM]
Loren_S
Joined: Mar 23, 2006 Posts: 656 Status: Offline

The client does not upload empty markets. Currently Bassets@sage does not have any commodity trades available, but this can't be updated. If a scan successfully gets an empty scan, an upload should be possible (possibly with an additional confirmation dialog).
----------------------------------------
CoatOSilver, Captain of Forget About It, Retired King of ©©©, Sage
barlennan

How does it fail?
fjc7

I have submitted a defect on this to the sourceforge project along with details. It looks like this will likely require fixes in both the client and server code. The upload client doesn't let the user upload "blank" data right now, and also the server side does not appear to support it either (it wouldn't accept the blank data when I tried it after bypassing the client checks, because there are no shops in the data and therefore it fails the test that compares against expected shops for that island). Thanks for reporting this.
Yuhu on Sage
sexysmurf
Joined: Jun 3, 2005 Posts: 64 Status: Offline

I was just wondering if someone could update the Yppedia page? I know some people who are familiar with the tool but do not read forums and are not aware of all the changes that have been made. Also, the client still has the note about pressing ctrl-c to copy bid data even though this is no longer needed. Just thought I'd mention it for removal from future releases to avoid confusion.
----------------------------------------
Candlewench SO The Order of the Phoenix Princess of Resurrection Cobalt ocean
***************************
Awesome avatar by Orch
barlennan

Two good points. The YPPedia page is updated now, and the change to get rid of the Ctrl-C message is sent off to KingOfZeal so he can put it into production.
KingOfZeal
Joined: Aug 19, 2004 Posts: 1152 Status: Offline

All taken care of. I don't know what happened earlier, but somehow we lost the headers on the main page (with links to summary, commodities, route, etc), so had to take care of that before I could do the fix. It's all settled now though.
----------------------------------------
Yamorg, Captain and Navigator Founder, Privately Funded Pirates Association© Midnight Ocean
barlennan

That happens to me when I forget to allow JS for crabdance.com. I suppose if you were to remove the JS init lines from the index.html it would cause that, too.
KingOfZeal
Joined: Aug 19, 2004 Posts: 1152 Status: Offline

I do know about that, but I don't know how they got removed -- I looked at the main index page and it was all there, and double checked my browser as well to make sure it wasn't being blocked; it was pulling up an element of about:blocked though, so I rolled back the server to this morning on the safe side, and that seemed to fix things.
----------------------------------------
Yamorg, Captain and Navigator Founder, Privately Funded Pirates Association© Midnight Ocean
BehindCurtai
Joined: May 25, 2004 Posts: 12589 Status: Offline

Are the uploaded data sets themselves small enough that you can keep them around for datamining? If you cannot keep all of them, can you at least keep one per island per day?
----------------------------------------
"We're trying to find the error bars on that number"
BehindCurtai
Joined: May 25, 2004 Posts: 12589 Status: Offline

Let's say I can give you a filename that holds a live tiff view of the java window (will be different each time, from deep inside /proc -- give me an open dialog and you're good), or a filename with a live tiff view of the screen (constant all the time). What else would you need?
----------------------------------------
"We're trying to find the error bars on that number"
fjc7

Interesting idea. How would we auto-scroll the market area (scroll bar)?
Yuhu on Sage
barlennan

I have every intention of going there. The live data for everything is less than 10Mb. I'm not sure what sort of quota we've got in production, but worst case I might be able to replicate things off somewhere else. Maybe V6... more likely this is a V7 feature.
LJAmethyst
Joined: Jul 19, 2007 Posts: 4140 Status: Offline

But the OCR program also needs control of the mouse pointer to scroll the market window down as it captures the screen. So just reading the window isn't enough :-(
EDIT: sniped because I didn't read all the posts
----------------------------------------
Retired as of August 2015. Sic transit gloria mundi.
----------------------------------------
[Edit 1 times, last edit by LJAmethyst at Mar 9, 2009 10:11:37 PM]
barlennan

It would be done somewhat differently. XQueryTree to find the window, XWarpPointer to move the mouse, XGetInputFocus (and XSetInputFocus) to pass around who receives keyboard input, some combination of XQueryPointer and XTranslateCoordinates to figure out where you are in a window and translate that into your own coordinate system, XRaiseWindow to move a window to the top (which is what I assume SetForegroundWindow does), etc. However, this is definitely the HARD way to do it. There are toolkits such as 'Escher', which is an X library set written in java that would make this much simpler. I assume there are better choices than that; I found it in <15 seconds of googling.

Basically, windows under unix/linux aren't protected from each other in any way beyond complexity. You can grab the list of windows on the desktop, grab a handle to whichever you want, and start manipulating it any way you like. It may be easiest to grab the image of the window out of /proc, but other than that you use X calls to get the job done.
fjc7

I'm installing a Linux virtual machine now to do some experimenting. The general approach I'm going to try is to run the client under mono and just replace the Windows API calls somehow.
Yuhu on Sage
lesleywalker
Joined: Dec 24, 2006 Posts: 1186 Status: Offline

I just got this error message about 5 minutes ago:

"There was a database error. Please report what you were doing on the forums, and refer to error number 308886"

I was attempting to upload market data from Harmattan (Cobalt), but had not got as far as confirming the ocean/island name. I closed the client and re-opened it, and it worked after I had done that.
----------------------------------------
Rumbletum - FO, Crimson Sabers, Cobalt
Cheery - Alchemist, Ankh-Morpork City Watch, Cobalt
Jinxed Idol links
maxdsterling
Joined: Jun 21, 2006 Posts: 170 Status: Offline

If you figure that out, I'd like to know how too. Quatermaster could use a 'nix port, and the API calls are the biggest sticking point.
----------------------------------------
Silverspoon Retired Senior Officer of The Eternal Hydrae Echidna's Children
fjc7

OK, I'll let you know. So far I've been able to get the GUI for the OCR client up and running on Linux (no scanning yet though). It did not work with Ubuntu with mono 1.9 on it. I'm now using the openSuse VMWare image with mono 2.2 from the mono website, and that is working much better so far. I haven't tried replacing any Windows API calls yet; that is the next step.
Yuhu on Sage
fjc7

It looks like the font used for market data when running on Linux is different than when running on Windows. Does anyone know if there is an easy way to change the font to Arial 9 (same as what is used in Puzzle Pirates on Windows)? I already tried changing the font in the Appearance settings in Linux to Arial 9 and that didn't work. I'd also be interested in knowing what font and size are used for market data when running on other platforms that support X Windows (especially Mac).
Edit: For Linux I'm running openSUSE, in case that matters.
Yuhu on Sage
----------------------------------------
[Edit 1 times, last edit by fjc7 at Mar 14, 2009 8:36:16 PM]
skiffygrrl
Joined: Mar 11, 2006 Posts: 353 Status: Offline

Arial is Windows-specific (a TrueType font), one of Microsoft's attempts to get their user base away from the generic universal fonts. Its closest equivalents on other platforms are Helvetica and Verdana. If there's a way to check with the Mac or Linux clients of YPP on what those use, it might be worth a try.
----------------------------------------
Adrianalidah and variants everywhere
Gwynhwyfahr in a few places
Current avatar courtesy of a game glitch, Halloween 2008