Mysidia Adoptables Support Forum

Thread: Mysidia Adoptables v1.2.3 [Security Release] (http://www.mysidiaadoptables.com/forum/showthread.php?t=2352)

Hall of Famer 08-28-2011 03:44 AM

Mysidia Adoptables v1.2.3 [Security Release]

It is finally time for another security release of the Mys v1.2.x series, after we had been devoting ourselves to the development of Mys v1.3.0. Since Mys v1.3.0 will still take a while to be available to the public, I feel it necessary to release Mys v1.2.3 to fix some security issues, especially after a user called Tony brought them up to me. So technically, Mys v1.2.3 is the first true definition of a security release. The new features in this security release are:

1. Secure hash functions: New user passwords are encrypted with a 128-character hash instead of a 32-character one, joined with a pepper (hard-coded) and a salt (user-defined). This pretty much makes your site unhackable against most hackers. Can't do anything about professionals who break into government sites easily though.
2. Password Encryption Wizard: Since the new password hash is quite different from the old md5 method used, you will need to run the user password encryption wizard to update your passwords after installing/updating Mys v1.2.3. You won't be able to log in without doing this.
3. Script Optimization: We managed to fix many script flaws in the old Rusnak Adoptables script as I took over from BMR; good examples are a while loop running only once, and the mysql_num_row usage.
4. Registration Questions: Starting from Mys v1.2.3, admins can set registration questions to prevent bots from registering. We planned to use reCAPTCHA before, but it is too complicated to install, as it requires every user to manually modify her script files after going to reCAPTCHA's official site to get the so-called Key.
5. Random Levelup Money: In Mys v1.1.x, users could gain random money from a range of minimum and maximum values for clicking pets. This feature was somehow removed from Mys v1.2.0 to v1.2.2, but it is now back again. The correct format is "minimum", "maximum", and a random number will be generated from these two.
6. Miscellaneous Bug Fixes: We also fixed a few bugs present in Mys v1.2.2; an infamous example is the donation glitch, through which users could donate a negative amount to steal money. This is not possible now, as a negative number will be automatically translated into its corresponding absolute value.


Installation Guide:

1. Use FTP to upload the folder "installation" to your preferred directory, and change the name from "installation" to whatever you like.
2. Change the CHMOD of the folder "picuploads" to 777, together with its subfolders; this is required to enable user image uploads.
3. Access the installer script at "http://yoursitename.com/install/install.php", follow the instructions and proceed.
4. Important: After installation is completed, run the admin password encryption wizard script at "http://yoursitename.com/adminencrypt.php" to encrypt your password before logging in.

Note: The salt value can be generated from a website called http://strongpasswordgenerator.com/; it can be of any length. Make sure to delete the file adminencrypt.php after running this script, or you will have to reset your password manually.


Upgrade Guide:
1. Use FTP to upload every file within the folder "upgrade" to your Mys directory, and choose yes when it asks you to overwrite existing files.
2. Access the upgrader script at "http://yoursitename.com/install/upgrade.php", follow the instructions and proceed.
3. Important: After the upgrade is completed, run the user password encryption wizard script at "http://yoursitename.com/userencrypt.php" to encrypt your users' passwords.

Note: The size of column "password" in table prefix.users is now varchar(200) instead of varchar(100); it's recommended that you double-check this before updating user passwords. Also, removing userencrypt.php after running this script is recommended. To change the salt value, just edit upgrade.php itself and find the corresponding default value. Replace it with whatever you want.


I am sorry Mysidia Adoptables has not been productive since the beginning of summer, after the release of Mys v1.2.2. The development of Mys v1.3.0 is still our top priority, but there is a chance that a few security releases for the Mys v1.2.x series will be available before the official release of Mys v1.3.0. I will let you guys/gals know whenever possible.

To download Mysidia Adoptables v1.2.3, please use the links below. I've uploaded both a .rar and a .zip format file.

Mysidia Adoptables version 1.2.3, rar file:
http://www.megaupload.com/?d=KR3U1YXO
Mysidia Adoptables version 1.2.3, zip file:
http://www.megaupload.com/?d=JCK0NJSD

Hall of Famer

ipengu 08-28-2011 03:58 AM

The htaccess file in both folders is incorrect. You saved it as 'htaccess.txt'; it should be '.htaccess'.

Hall of Famer 08-28-2011 04:06 AM

I see, thanks for bringing it up to me. It was another flaw in the old Rusnak Adoptables that we never paid attention to fixing; I am sorry. The file has been reuploaded, enjoy!

ipengu 08-28-2011 04:13 AM

Yeah, just noticed it was not fixed even in 1.2.2. Guess I never noticed since I uploaded my own anyway.

Hall of Famer 08-28-2011 04:18 AM

Quote:

Originally Posted by ipengu (Post 18248)
Yeah, just noticed it was not fixed even in 1.2.2. Guess I never noticed since I uploaded my own anyway.

Well yeah, it's hard to keep track of all the script flaws made by BMR; we fix them whenever we find anything. I still hold BMR in high regard when it comes to PHP coding though. I am assuming he made the original script at a time when he was still learning PHP. The first release of RA v1.0.0 was in like late 2008 or early 2009, so it makes sense.

So if you spot more issues like this one, notify me quickly so I will fix them in Mys v1.2.4 and future releases. We plan to resolve all flaws with the Mys v1.3.0 stable release, or at least most.

ipengu 08-28-2011 04:22 AM

No one is perfect, and it sometimes takes an outside look to notice something. I'll let you know of anything I find; gonna take me a few hours to upgrade the script.

Hall of Famer 08-28-2011 04:31 AM

Umm, a few hours? I am assuming that you have modified your scripts thoroughly since you got them in the first place? If so, I wish you good luck. There are two hash functions that I defined in functions.php. passencr($username, $password) is used to encrypt new user passwords, while updatepass($username, $password) is for encrypting existing user passwords. The difference is that the latter receives a string that was already MD5'd, as you may have noticed from Mys v1.2.2.

ipengu 08-28-2011 04:38 AM

I only had 2 files in the upgrade folder that I had not done mods to. lol

Using the best feature ever to speed up a little bit: compare two files using Notepad++.

Tony 08-28-2011 05:29 PM

Outstanding password encryption! This is exactly what I wanted to see. I'm very proud of you and your staff for taking it upon yourselves to fix bugs and actually release patches and content updates!

Hall of Famer 08-28-2011 05:35 PM

Thanks a lot Tony. The difficulty here is to update user passwords to a more secure version without forcing each of them to change their password after upgrading to Mys v1.2.3. I am glad I eventually found a way to do that: simply further encrypt each user password based on what it already is, the md5 string.

In the near future we will try to apply a better cookie saving approach, and perhaps un-register $Globals if we find another way to easily load database info such as the user's money. We look to fix all potential security issues prior to an official Mys v1.3.0 release.
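The two hash functions described above (passencr for new accounts, updatepass for the already-MD5'd passwords that the userencrypt.php wizard rewrites) can be illustrated with a small model of the migration. This is an added example, not code from Mysidia Adoptables or functions.php, and it assumes a concrete construction the thread does not spell out: the 128-character value is the hex digest of SHA-512 over the hard-coded pepper, the admin-defined salt, the username and the legacy 32-character md5 digest. Because passencr is defined as updatepass applied to md5(password), a user whose row was migrated by the wizard still verifies with the password they already had, which is the point made in the post above. The pepper, salt and user rows are constructed sample values.

```python
import hashlib
import hmac

# Constructed values for this example. In a real deployment the pepper is a
# server-side constant kept out of the database, and the salt is the value the
# admin enters during install/upgrade (the thread suggests generating it).
PEPPER = "example-hard-coded-pepper"     # assumption: hard-coded in the script
SALT = "example-admin-defined-salt"      # assumption: set by the site admin

# The release notes say the password column was widened to varchar(200);
# a 128-character hex digest must fit in it.
PASSWORD_COLUMN_WIDTH = 200


def legacy_md5(password: str) -> str:
    """The old storage format: an unsalted 32-character md5 hex digest."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def updatepass(username: str, md5_hex: str) -> str:
    """Wrap an existing md5 digest in the new 128-character hash.

    Assumed construction (not confirmed by the thread): SHA-512 over
    pepper || salt || username || legacy md5 hex. Including the username
    makes two users with the same password store different values.
    """
    material = (PEPPER + SALT + username + md5_hex).encode("utf-8")
    return hashlib.sha512(material).hexdigest()


def passencr(username: str, password: str) -> str:
    """Hash a new user's plaintext password: md5 first, then the new wrapper."""
    return updatepass(username, legacy_md5(password))


def verify(username: str, password: str, stored: str) -> bool:
    """Check a login attempt against the stored 128-character hash.

    compare_digest avoids leaking the position of the first mismatch
    through timing differences.
    """
    return hmac.compare_digest(passencr(username, password), stored)


def fits_column(hash_value: str) -> bool:
    """The pre-upgrade check the notes recommend: will the hash fit the column?"""
    return len(hash_value) <= PASSWORD_COLUMN_WIDTH


def migrate_users(rows):
    """Model of the userencrypt.php wizard over (username, md5_hex) rows.

    Returns (username, new_hash) pairs; the md5 digest is consumed, not the
    plaintext, so users keep their existing passwords.
    """
    migrated = []
    for username, md5_hex in rows:
        new_hash = updatepass(username, md5_hex)
        if not fits_column(new_hash):
            raise ValueError(f"hash for {username} exceeds column width")
        migrated.append((username, new_hash))
    return migrated


if __name__ == "__main__":
    # Constructed legacy users table: passwords stored as plain md5.
    legacy_rows = [("alice", legacy_md5("hunter2")), ("bob", legacy_md5("hunter2"))]
    for username, new_hash in migrate_users(legacy_rows):
        print(username, len(new_hash), verify(username, "hunter2", new_hash))
```

Note that this models what the release describes: a fast, pepper-and-salt hash layered over md5. The migration trick (hashing the stored md5 rather than the plaintext) is sound, but a fast hash gives an attacker with a copy of the table cheap guesses per second; where the scheme is yours to choose, a deliberately slow password hash such as bcrypt or Argon2 is the usual recommendation today.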

