Forums
Richard Perry - GreyCube.com :: Forums :: Live Game Server List
Cool: Dynamic Server Image for LGSL
xMin
Fri Oct 07 2011, 11:06AM
Posts: 86
Joined: Fri Mar 04 2011, 08:41AM
Registered Member #6619
@lqlqlq

Do you not see flags on all servers, or only on one specific server? My site is still on localhost, and only the server with id 1 doesn't show the country flag on the banner, but on server details it shows, and all other servers (id 2, 3, 4 ...) show the flag OK on the banner. I use the 1.3 stable release of DSi (I will give DSi 1.4-dev a try).

edit: I did try DSi 1.4-dev and still only the server with id 1 doesn't show the country flag on the banner; all other servers show the country flag OK. I cannot say whether this is the same for an online LGSL because I don't have a web host for this and my gametracker is still in progress on localhost, but you can try with some online LGSL.
GasKa
Sun Oct 23 2011, 08:43AM
Posts: 2
Joined: Sun Oct 23 2011, 08:34AM
Registered Member #6971
Hello guys. How do I make an LGSL that looks good? What must it contain? The images look good first. Thanks!

I love LGSL
Mac[PLATOoN]
Mon Oct 24 2011, 07:13AM
Posts: 75
Joined: Sun Nov 21 2010, 09:37AM
Registered Member #6416
@NEW GT SOON
Have you tried updating the country-flag database file? Did you change ID 2 and ID 1? Maybe it is just because the IP cannot be translated to a specific country... for me everything is working as it should...

@GasKa
Easy: content, and good pictures... maybe you need to do some work yourself to integrate LGSL perfectly into your website design...

GasKa
Thu Oct 27 2011, 02:13PM
Posts: 2
Joined: Sun Oct 23 2011, 08:34AM
Registered Member #6971
@Mac[PLATOoN]: I understand, but I don't know how to make my lgsl_image look good... if you can help me, send me a PM.

P.S.: Can you make an lgsl_image and images that look good?

I love LGSL
MadMakz
Thu Dec 22 2011, 04:45AM

Posts: 163
Joined: Wed Sep 24 2008, 07:46AM
Registered Member #4406
1.5-dev out.

Check first post (red notice)

HF

Makz

SpiffyTek
MadMakz
Sat Dec 24 2011, 08:37AM

Posts: 163
Joined: Wed Sep 24 2008, 07:46AM
Registered Member #4406
one more Christmas present

tip now features an image cache function, finally fixing the "Waiting for query" stock image that could otherwise appear, and reducing some load.

changeset/log: http://hg.cgx24.com/lgsl-dsi/changeset/tip/
changesets: http://hg.cgx24.com/lgsl-dsi/changesets/tip
download (tip aka 1.6+): http://community.spiffytek.com/downloads.php?do=file&id=11 (please always use the links on my site so I can track whether my stuff is actively used and should be kept somewhat up to date)

SpiffyTek
mahomet91
Wed Dec 28 2011, 11:43AM
Posts: 20
Joined: Tue Aug 24 2010, 05:22PM
Registered Member #6243
Good job
SKiLLeR
Fri Dec 30 2011, 04:25PM
Posts: 2
Joined: Fri Dec 30 2011, 02:41PM
Registered Member #7058
Hello, as many do not understand, can you explain to me what I should do?

sorry for my bad English
MadMakz
Sat Feb 11 2012, 05:47PM

Posts: 163
Joined: Wed Sep 24 2008, 07:46AM
Registered Member #4406
hey folks, I've recently done some updates to my sites and would like to inform you that there's a public bug/feature tracker now.
in short: you're no longer forced to register somewhere just to ask for a feature or report something.

although I'm still not really active on this DSi mod again, I'm still open to suggestions or fixing bugs. so if you have anything you want to report or contribute, then http://community.spiffytek.com/project.php?projectid=1 is the right place for you.

but note: this is NOT meant for support questions like "how do I install this?"!!! for those you can either continue on this thread or go here (requires free registration!).

Sincerly,

Makz

SpiffyTek
C0n
Sun Feb 12 2012, 08:15AM
Posts: 33
Joined: Tue Nov 03 2009, 01:54AM
Registered Member #5538
This is a brilliant addition to LGSL; it takes some time to set up and sort out, but it is well worth it. Thanks for creating such a complicated feature <3

Although it appears you lack security too -.- Perhaps nobody seems to care about the importance of secure code?

C0n

Live Steam Server List tracking over 1million servers http://www.steam-hacks.com/servers.html Listing more servers than gametracker and game-monitor
MadMakz
Sun Feb 12 2012, 12:38PM

Posts: 163
Joined: Wed Sep 24 2008, 07:46AM
Registered Member #4406
if wanted I can add some validation to the GETs, although it won't do much if LGSL itself isn't secured in the first place.

if you have any known security issues related to DSi alone, please file a bug report at http://community.spiffytek.com/project.php?projectid=1 with information on how to reproduce, and flag it as "Private".

edit: the current dev code now contains a simple input validation.

SpiffyTek
C0n
Sun Feb 12 2012, 04:10PM
Posts: 33
Joined: Tue Nov 03 2009, 01:54AM
Registered Member #5538
Well, the fact is that in your GET and POST URLs you do not strip out characters; since all you are in fact getting and posting are ID values, all numbers 0-9, you should strip everything and only accept numbers.

If you don't think it is exploitable, then allowing me to insert things like lgsl_image.php?s='1 OR 1 etc. and the image displaying that same text back to me means it is exploitable.

Try a couple of XSS or SQL vulnerabilities on the URLs / code itself and you will see what I mean.

What I suggest is just spending some time testing it for weaknesses and exploits. LGSL has only one place where users can edit / input data values and that's on the add-a-server page; I have tested it and they strip out malicious characters, they only accept 0-9 and full stops.

Example URLs: (does not mean these will work, but there are many different methods of hacking)
lgsl_image.php?s='
lgsl_image.php?s=~
lgsl_image.php?s=<script>
lgsl_image.php?s='1 OR 1
lgsl_image.php?s=DROP TABLE IF EXISTS lgsl


If the image reads the same text you input back to you, then we know that the code is vulnerable.

C0n

MadMakz
Sun Feb 12 2012, 05:22PM

Posts: 163
Joined: Wed Sep 24 2008, 07:46AM
Registered Member #4406
I didn't say there are none, I said I got no reports of any.

I could completely strip down and validate an input but still return the value 1:1 back to the client without him knowing that the output was internally checked.

you say it's insecure, but can't prove it. that doesn't help anyone.

post/PM me a working example that actually manipulates or prints any sensitive data, like altering the database or including a remote background or RFI in general to give access to lgsl_config.php, for instance.

if you're still paranoid, then use the cleaninput() function I pushed out today (it's a standard feature now so you can just update to the latest commit).

and things like

'1 OR 1
DROP TABLE IF EXISTS lgsl

do not constitute a hack. if a forum declared such an input a hack I wouldn't be able to post this right now on any forum.
it's only a hack if it lets the script do something it wasn't intended to do, like printing secret MySQL credentials to the user's screen without permission.

also, you can't "just use" a random exploit. especially MySQL exploits have to be written specifically for an application.

however, with the recent changes it should be secure either way.

SpiffyTek
C0n
Sun Feb 12 2012, 06:38PM
Posts: 33
Joined: Tue Nov 03 2009, 01:54AM
Registered Member #5538
I did not say there were exploits with it, but it does allow me to do some dodgy stuff such as inserting characters in the URLs and displaying them to me when it should not.

In my opinion it should only accept numeric values, since that is all it is calling for via the URLs to define each server by its "ID".

But looking on your forum I don't see an update in the downloads section, or perhaps you have not finished with it yet?
http://community.spiffytek.com/downloads.php?do=cat&id=3

C0n

MadMakz
Sun Feb 12 2012, 06:48PM

Posts: 163
Joined: Wed Sep 24 2008, 07:46AM
Registered Member #4406
I can't check for numeric unless I drop the domain support.

you can find the changes in the snapshot version.
http://community.spiffytek.com/downloads.php?do=file&id=11
this always links to the latest build.

SpiffyTek
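The exchange above settles on a constraint: lgsl_image.php?s= carries either a numeric server id or a domain name, so "only accept 0-9" would drop domain support, while stripping "bad" characters leaves the script guessing what is left. The following is an added example, not code from LGSL or the DSi mod, of the third option: an allowlist that accepts only the two shapes the script needs and rejects everything else without echoing any of it back. The function names, the PDO lookup and its column names are assumptions for the example; LGSL's own database layer is different.

```php
<?php
// Added example, not LGSL/DSi code: allowlist validation for the "s"
// parameter of lgsl_image.php. Accepts a numeric server id or a hostname,
// rejects everything else. Names in this file are assumptions.

/**
 * Returns the validated value as a string (digits, or a lowercased hostname),
 * or null when $raw is neither a server id nor a syntactically valid hostname.
 */
function dsi_validate_s($raw)
{
    if (!is_string($raw)) {
        return null;                        // e.g. ?s[]=1 arrives as an array
    }

    // Shape 1: numeric server id, 1..10 digits, no sign, no leading zero.
    // Anything that is all digits but does not fit ("0", "007") is rejected
    // here rather than falling through to the hostname rule.
    if (ctype_digit($raw)) {
        return preg_match('/\A[1-9][0-9]{0,9}\z/', $raw) ? $raw : null;
    }

    // Shape 2: hostname made of RFC 1123 labels: letters, digits and hyphen,
    // 1..63 chars per label, no leading or trailing hyphen, 253 chars total.
    // Dotted IPv4 addresses also pass this rule. Slashes, quotes, spaces,
    // "%00" and "http:" never match, so traversal and URL building are out.
    $label = '(?!-)[A-Za-z0-9-]{1,63}(?<!-)';
    if (strlen($raw) <= 253
        && preg_match('/\A' . $label . '(?:\.' . $label . ')*\z/', $raw)) {
        return strtolower($raw);
    }

    return null;
}

/**
 * Lookup by validated id with a bound parameter, so the id never becomes part
 * of the SQL text. $pdo and the column names are assumptions for the example.
 */
function dsi_server_by_id(PDO $pdo, $id)
{
    $stmt = $pdo->prepare('SELECT ip, c_port, q_port FROM lgsl WHERE id = ?');
    $stmt->execute(array((int) $id));
    return $stmt->fetch(PDO::FETCH_ASSOC);
}

// Typical use at the top of lgsl_image.php (hypothetical; reject before
// anything touches the database or the filesystem, and return no input):
//   $s = dsi_validate_s(isset($_GET['s']) ? $_GET['s'] : '');
//   if ($s === null) { header('HTTP/1.0 400 Bad Request'); exit; }

/**
 * Runs the inputs posted in the thread, plus a few traversal/RFI shapes,
 * through the validator. Returns true when every case behaves as intended.
 */
function dsi_validate_s_selftest()
{
    $accepted = array('1', '3', '65535', '1.2.3.4',
                      'game.example.org', 'srv-01.example.net');
    $rejected = array("'", '~', '<script>', "'1 OR 1",
                      'DROP TABLE IF EXISTS lgsl', '0', '007', '-1', '',
                      '../lgsl_config.php', 'http://evil.example/x.txt',
                      'a..b', '-bad.example', 'bad-.example',
                      'x' . str_repeat('.y', 130));     // 261 chars, too long
    foreach ($accepted as $in) {
        if (dsi_validate_s($in) === null) return false;
    }
    foreach ($rejected as $in) {
        if (dsi_validate_s($in) !== null) return false;
    }
    return dsi_validate_s(array('1')) === null;       // array input rejected
}

if (PHP_SAPI === 'cli') {
    echo dsi_validate_s_selftest() ? "selftest ok\n" : "selftest FAILED\n";
}
```

Because the check is an allowlist, every URL in C0n's list is refused with a bare 400 and nothing is drawn into the image; the regex blacklist approach has to be extended every time someone thinks of a new character, whereas this one only changes if the script starts needing a third input shape.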
C0n
Sun Feb 12 2012, 06:48PM
Posts: 33
Joined: Tue Nov 03 2009, 01:54AM
Registered Member #5538
Also I seem to be having trouble displaying Killing Floor servers through the banner?

It loads through lgsl_image.php?s=3

But as soon as you involve mod_rewrite it won't display it... so strange.

Yet all the others seem to work.

C0n

MadMakz
Sun Feb 12 2012, 06:58PM

Posts: 163
Joined: Wed Sep 24 2008, 07:46AM
Registered Member #4406
hmm, indeed. I'll have a look at this by tomorrow.

edit: whoops, no. can't reproduce.

does it appear only with Killing Floor and/or id 3?

if not, you might need to set a RewriteBase in the .htaccess (note that .htaccess requires an Apache-based webserver)

SpiffyTek
C0n
Sun Feb 12 2012, 07:12PM
Posts: 33
Joined: Tue Nov 03 2009, 01:54AM
Registered Member #5538
Well, it is for id 3 for me... there could be another reason: I'm checking via servers that all have the same IP but different ports, which could be the problem. There are about 3-4 of them with the same IP but different ports. Also, I don't know if anyone thought of this, but what if you load up a server title or server name / player name through LGSL that is something like

<script>alert('Dangerous+Oviously+LOL')%3B<%2Fscript>


I wonder how LGSL would react to loading a name or setting of a server / player that contained something like that.

I may be paranoid on security, but better to be safe than sorry, everyone.

C0n

MadMakz
Mon Feb 13 2012, 12:21PM

Posts: 163
Joined: Wed Sep 24 2008, 07:46AM
Registered Member #4406
C0n wrote ...

<script>alert('Dangerous+Oviously+LOL')%3B<%2Fscript>


that (JS and HTML XSS) would never be possible through the DSi script since DSi doesn't return any HTML/cleartext to the clients. you'd have to "break" DSi by including a PHP-driven RFI/LFI first, which however shouldn't be possible at all anymore with the new cleaninput() function, as it removes any possibility of directory traversal or URL building (stripped back-/forward slashes).

small update to the ruleset (more paranoid):
$remove = array("#\\\\+#", "#/+#", "#\\+#", "#\s+#", "#http+#", "#ftp+#", "#%00+#", "#\\0+#", "#\\x00+#", "#\(+#", "#\)+#", "#\{+#", "#\}+#");

edit: it's in the repo now



SpiffyTek
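The reply above covers DSi, which only emits an image. C0n's question was about LGSL's HTML pages, where server and player names are rendered as text, and those names come from the game servers themselves, so they are untrusted input whatever the web form filters. The following is an added example, not code from LGSL or DSi, of the standard answer: encode at the point of output, for the HTML context the value lands in, and strip nothing on the way in. The function names, the table markup and the sample names are assumptions constructed for the example.

```php
<?php
// Added example, not LGSL/DSi code: context-aware output encoding for
// untrusted server and player names rendered into HTML. Names are kept
// verbatim in the data and are merely shown as text. Names are assumptions.

// Encode a value for use as HTML text or inside a double-quoted attribute.
function lgsl_html_text($value)
{
    $flags = ENT_QUOTES;                    // also encode ' for attribute use
    if (defined('ENT_SUBSTITUTE')) {        // PHP 5.4+: replace invalid UTF-8
        $flags |= ENT_SUBSTITUTE;           // instead of silently returning ''
    }
    return htmlspecialchars((string) $value, $flags, 'UTF-8');
}

// Render one player row. Every untrusted value is encoded exactly once, at
// output; numeric columns are cast instead of encoded.
function lgsl_player_row(array $player)
{
    $name = lgsl_html_text($player['name']);
    return '<tr><td title="' . $name . '">' . $name . '</td>'
         . '<td>' . (int) $player['score'] . '</td></tr>';
}

// Render the player table for one server; the server name is untrusted too.
function lgsl_player_table($server_name, array $players)
{
    $html = '<table class="lgsl_players"><caption>'
          . lgsl_html_text($server_name) . '</caption>';
    foreach ($players as $player) {
        $html .= lgsl_player_row($player);
    }
    return $html . '</table>';
}

// Constructed sample: the payload from the thread as a player name, a name
// that would break out of the title attribute if only < and > were handled,
// and a name containing a Latin-1 byte (invalid UTF-8, common from game servers).
function lgsl_sample_players()
{
    return array(
        array('name' => "<script>alert('Dangerous+Oviously+LOL');</script>", 'score' => 12),
        array('name' => 'Norm"al" onmouseover=alert(1) Player',               'score' => 3),
        array('name' => "[TAG] R\xF6ster",                                     'score' => 0),
    );
}

// True when the rendered page contains no raw tag, quote or event handler
// from the untrusted names, i.e. the browser will show them as plain text.
function lgsl_output_encoding_selftest()
{
    $html = lgsl_player_table('<b>My</b> "Server"', lgsl_sample_players());
    $raw_script  = strpos($html, '<script>') !== false;
    $raw_handler = strpos($html, '" onmouseover') !== false;
    $encoded     = strpos($html, '&lt;script&gt;alert(&#039;') !== false;
    return !$raw_script && !$raw_handler && $encoded
        && substr_count($html, '<tr>') === 3;
}

if (PHP_SAPI === 'cli') {
    echo lgsl_player_table('<b>My</b> "Server"', lgsl_sample_players()), "\n";
    echo lgsl_output_encoding_selftest() ? "selftest ok\n" : "selftest FAILED\n";
}
```

The encoder is tied to the context: this one is right for HTML text and double-quoted attributes, but a name written into a JavaScript string, a URL or a JSON feed needs that context's own encoder, and a name drawn into a GD image by lgsl_image.php needs no HTML encoding at all. Input validation of the s parameter and output encoding of names are separate defences; neither replaces the other.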
C0n
Mon Feb 13 2012, 12:26PM
Posts: 33
Joined: Tue Nov 03 2009, 01:54AM
Registered Member #5538
Nice one MadMakz, good to see someone who knows what they're doing.

I understand the seriousness and importance of security, but I'm not blessed with the fine art of coding; I only know what I have searched for, found and picked up, such as mysql real escapes, preg_replace, htmlentities etc.

This is a little off-topic, but I'm curious as to why LGSL never had a search feature and why you don't become a dedicated developer for it?

C0n
