MArcomage

Free multiplayer on-line fantasy card game


dindon on 07:42, 1. Jul, 2010
Turns out I'm IP-banned for trying to improve the security of the site. Whoops. :(

Obviously getting around an IP ban is pretty trivial, but I can tell when I'm not wanted, so I don't think I'll be coming around much anymore. I had rather a lot of love for Marcomage, that scrappy little browser game that could, and I was always trying to do what I could to improve it: posting suggestions, helping new players, giving input on concepts and balance changes, and even writing a bit of code. I'm sorry it all had to come to such an ignominious end.

<3 always,
dindon
Mojko on 07:54, 1. Jul, 2010
You should email umage about this. I'm afraid I can't help you in this situation.
dindon on 09:13, 1. Jul, 2010
Umage referred me to the administrator of netvor, who doesn't seem to want to unban me.
Mojko on 10:21, 1. Jul, 2010
Sorry to hear that, but we don't own this server, so it's out of our hands :(
Lord Ornlu on 11:35, 1. Jul, 2010
You and ultramage could email the guy as well and explain the situation. Besides what dindon did could improve the overall security of his own server
Mojko on 11:41, 1. Jul, 2010
dindon wrote:
Umage referred me to the administrator of netvor, who doesn't seem to want to unban me.


Umage already did that, sadly, there is nothing more we can do.
Progressor on 15:02, 3. Jul, 2010
[Moved from Off topic, we all support Dindon.]

Other server, too much hassle (if viable) for one player, but technically not 'nothing'.

Can you explain what happened in more detail?
dindon on 20:56, 3. Jul, 2010
Progressor wrote:
Can you explain what happened in more detail?


A few days ago, I was bored and thought I would poke around a bit with the site's code. I noticed that in at least one function, a string from a POST request was being used in a raw database query, without being escaped. Generally, this is a huge security gap, since it means a user can insert their own values to modify the query to do all kinds of nasty things (drop the users table, deleting every user on the site, set everyone's level to 0, set their own level to a million, whatever). I was curious if this particular function constituted a real security gap, so I started modifying the POST data in the requests I sent to the site (which sounds fancy, but it's not - it's really no different from, say, manually editing a URL).

So anyways, I tried a few things (nothing that would actually affect the site, just stuff that would give me an idea of what was possible). Turns out the vulnerability wasn't actually that big, since the PHP function they used to execute SQL queries prevents you from doing more than one query at once (so you can't insert arbitrary expressions by ending the query with a semicolon, like '";DROP TABLE users;--'). There was a very small, subtle trick you could use to modify the query so that it would (eventually) yield people's passwords (at least I think it would have worked - I never went past the first step), but even that wouldn't have been a huge security hole since they're stored in an encrypted form. (However, they're not salted, so there's still theoretically a potential security breach).

[By the way, I should point out that I'm really not anything close to being what you would call a 'hacker'. This was the first time I had ever attempted SQL injection; before then, it was something I had only read about or heard of in lectures. So, in addition to helping improve the site's security, there was also some aspect of excitement in trying out a real live SQL injection 'in the wild'.]

Anyways, at this point as I was just about to send Mojko an e-mail letting him know about the problem, I got a message from Umage, and was banned shortly thereafter.

I realize in retrospect that, as Umage told me, I should have at least sought permission from him or Mojko before poking around, since they had no way of knowing at the time that I wasn't an evil hacker. It was just a spur of the moment sort of thing. I guess I should have guessed that the admins would have it set up so that they get e-mail or something in response to internal server errors.
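The two weaknesses dindon describes above, a request value pasted straight into a SQL string and password hashes stored without a salt, are easy to show side by side. The following is an added example written for this thread, not code from Marcomage or the netvor server; the table name, columns and sample rows are constructed, and Python's sqlite3 stands in for the PHP/MySQL stack the site actually uses.

```python
import hashlib
import hmac
import os
import sqlite3


def make_db():
    """Constructed in-memory table standing in for a logins table (not Marcomage's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE logins (username TEXT, password_hash TEXT, level INTEGER)")
    conn.executemany("INSERT INTO logins VALUES (?, ?, ?)",
                     [("alice", "hash_a", 12), ("bob", "hash_b", 7)])
    conn.commit()
    return conn


def find_user_vulnerable(conn, username):
    """The flaw as described in the post: the request value becomes part of the SQL text,
    so a quote in it ends the string literal and the remainder is parsed as SQL."""
    sql = "SELECT username, level FROM logins WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def find_user_safe(conn, username):
    """Parameterized query: the driver binds the value as data, so it can never
    change the structure of the statement, whatever characters it contains."""
    return conn.execute("SELECT username, level FROM logins WHERE username = ?",
                        (username,)).fetchall()


def stacked_statement_blocked(conn):
    """Like the single-query PHP function mentioned in the post, sqlite3's execute()
    refuses text containing more than one statement. This limits, but does not
    remove, what an unescaped value can do: the first query itself is still changed."""
    try:
        conn.execute("SELECT 1; SELECT 2")
    except (sqlite3.Warning, sqlite3.Error):
        return True
    return False


def compare_lookups():
    """Run the same lookup through both versions with a normal and a crafted value."""
    conn = make_db()
    crafted = "nobody' OR '1'='1"  # constructed value; the quote closes the literal early
    return {
        "vulnerable_normal": find_user_vulnerable(conn, "alice"),
        "vulnerable_crafted": find_user_vulnerable(conn, crafted),  # returns every row
        "safe_normal": find_user_safe(conn, "alice"),
        "safe_crafted": find_user_safe(conn, crafted),  # no user has that literal name
    }


def hash_password(password, salt=None, iterations=100_000):
    """Salted, iterated hash. A fresh random salt per user means two users with the
    same password get different hashes and precomputed tables are useless."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt.hex(), digest.hex()


def verify_password(password, salt_hex, digest_hex, iterations=100_000):
    """Recompute with the stored salt and compare in constant time."""
    _, digest = hash_password(password, bytes.fromhex(salt_hex), iterations)
    return hmac.compare_digest(digest, digest_hex)


if __name__ == "__main__":
    for name, rows in compare_lookups().items():
        print(f"{name}: {rows}")
    print("stacked statements blocked:", stacked_statement_blocked(make_db()))
    salt, digest = hash_password("example-password")
    print("verify:", verify_password("example-password", salt, digest))
```

The "crafted" lookup is the only difference between the two functions: the interpolated version returns every row, the bound version returns none, and the hashing helper shows why "encrypted but not salted" still leaves the stored passwords exposed if the table is ever read out.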
DPsycho on 03:20, 4. Jul, 2010
Man, I'd really hate to see you go if you've truly decided to stop playing. I consider a match against you to be among the greatest MArcomage challenges, no offense to other strong players. I can understand how all this would leave an ill taste in your mouth with regards to the experience as a whole, however. I just hope that, over time, you might be able to come back for an occasional match, and hopefully feel welcome again.
theultramage on 14:25, 4. Jul, 2010
The administrator decided to ban you and not unban you based on the facts that
- you've been continuously doing SQL injection attempts for ~2 hours
- the queries were aimed at obtaining data from the logins table
- you could have tested things locally instead of messing with a live production server

He does not believe your claims and has 'set the evil bit on your ip'. Not sure if the ban is on your reverse dns name or your ip. Despite the fact that you can circumvent the ban, it's there to teach you a lesson and make you think about yourself, or something like that.

It's unfortunate that you decided to experiment shortly after the administrator installed an intrusion detection system on the webserver, and weren't expecting that your activities would be recorded and reported immediately.

The admin would also probably have a more lenient and less paranoid response to your actions, had there not been a shell command injection breach two weeks ago (caused by me!), that resulted in the loss of data of multiple paying customers. So doing unannounced penetration testing was a poor choice in the wrong place at the wrong time.

Since the access restriction is on a level beyond my control and the admin doesn't seem to be willing to undo it any time soon, I can only suggest accessing through a proxy.
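theultramage's post says the intrusion detection system recorded and reported the attempts immediately, and that the admin saw roughly two hours of them aimed at one table. The thread does not say how that IDS works, so the following is an added illustration of the simplest form such a detector takes, written for this thread and not taken from the netvor server: it scans web-server access-log lines, decodes the query parameters, flags values that contain SQL syntax rather than plain data, and reports per source IP how many such requests there were, how many produced server errors, and the time span they covered. The log lines, IPs and URLs are constructed.

```python
import re
from datetime import datetime
from urllib.parse import parse_qsl, urlsplit

# Constructed sample access-log lines in Apache-style format; documentation IPs,
# not real server logs.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jul/2010:05:10:01 +0000] "GET /index.php?user=alice HTTP/1.1" 200 512
198.51.100.7 - - [01/Jul/2010:05:11:30 +0000] "GET /index.php?user=o%27brien HTTP/1.1" 200 498
203.0.113.5 - - [01/Jul/2010:05:12:40 +0000] "GET /index.php?user=alice%27%20OR%20%271%27%3D%271 HTTP/1.1" 500 0
203.0.113.5 - - [01/Jul/2010:06:58:03 +0000] "GET /index.php?user=alice%27-- HTTP/1.1" 500 0
198.51.100.7 - - [01/Jul/2010:07:00:15 +0000] "GET /index.php?user=bob HTTP/1.1" 200 501
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# Heuristic for SQL syntax inside a parameter value. A lone apostrophe (o'brien)
# is ordinary data and must not fire; a quote followed by a keyword, a comment
# opener, or a separator followed by more SQL is what changes a query's meaning.
SQLI_RE = re.compile(r"""(?ix)
    '\s*(or|and|union)\b |   # quote closing a string literal, then a keyword
    --                    |   # SQL line comment
    /\*                   |   # SQL block comment
    ;\s*[a-z]                 # statement separator followed by another statement
""")


def suspicious_params(url):
    """Decoded parameter values of a request URL that look like SQL syntax."""
    query = urlsplit(url).query
    return [v for _, v in parse_qsl(query, keep_blank_values=True) if SQLI_RE.search(v)]


def analyze(log_text):
    """Per source IP: suspicious request count, server-error count, first and last time."""
    report = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than crash the scan
        ip, ts, _method, url, status = m.groups()
        if not suspicious_params(url):
            continue
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        entry = report.setdefault(ip, {"hits": 0, "errors": 0, "first": when, "last": when})
        entry["hits"] += 1
        entry["errors"] += int(status.startswith("5"))  # the internal server errors dindon mentions
        entry["first"] = min(entry["first"], when)
        entry["last"] = max(entry["last"], when)
    return report


def flagged(log_text, min_hits=2):
    """IPs at or above the alert threshold: (hits, server errors, span in minutes)."""
    return {ip: (e["hits"], e["errors"], int((e["last"] - e["first"]).total_seconds() // 60))
            for ip, e in analyze(log_text).items() if e["hits"] >= min_hits}


if __name__ == "__main__":
    for ip, (hits, errors, minutes) in flagged(SAMPLE_LOG).items():
        print(f"{ip}: {hits} suspicious requests ({errors} server errors) over {minutes} min")
```

Run on the sample, it reports one source with two suspicious requests, both ending in a 500, spread over 105 minutes, while the user whose name merely contains an apostrophe is never flagged. A real deployment would read the live log, keep the per-IP state across runs and send the report by mail, which is the behaviour the thread describes from the receiving end.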
dindon on 21:29, 4. Jul, 2010
DPsycho wrote:
Man, I'd really hate to see you go if you've truly decided to stop playing. I consider a match against you to be among the greatest MArcomage challenges, no offense to other strong players. I can understand how all this would leave an ill taste in your mouth with regards to the experience as a whole, however. I just hope that, over time, you might be able to come back for an occasional match, and hopefully feel welcome again.


Aww, well thank you, that gives me the warm fuzzies.

I am moving in a couple months, and will then have a new IP address, so it's actually probable that I'll come back to the game then. I shouldn't be such a drama llama.

theultramage wrote:
He does not believe your claims and has 'set the evil bit on your ip'. Not sure if the ban is on your reverse dns name or your ip. Despite the fact that you can circumvent the ban, it's there to teach you a lesson and make you think about yourself, or something like that.


The only argument I could make to allay his doubt would be: why would someone who obviously loves the game (by virtue of being one of the most active players, both in terms of playing and posting on the message boards, as well as having contributed a bit of code to the site), try to maliciously attack the site? There's nothing I'd like more than for Marcomage to grow and flourish and improve. I would think I've earned a bit of credibility after all these years. I guess if he's not directly involved in Marcomage, he wouldn't be aware of that though.

By the way, I don't actually know the difference between a reverse dns ban and an ip ban, but I did notice something funny: I have a Windows/Linux dual-boot, and while I get a 403 Forbidden when trying to access the site when I'm in Linux, if I boot into Windows, I can access the site just fine. Weirdness! Maybe I should just switch back to Windows... (No, I love Marcomage, but not enough for that.)