[many games] AdsQL Advertisements System - v1.7.8 - Last Updated 2011-04-02


PharaohsPaw
Senior Member
Join Date: Dec 2008
07-23-2011, 11:15   Re: [many games] AdsQL Advertisements System - v1.7.8 - Last Updated 2011-04-02
#221

Reporting this thread, so sourcemod plugin approvers can look at this and decide what to do with it.

kthxbai
Obsidian
Senior Member
Join Date: Jun 2011
07-23-2011, 16:02   Re: [many games] AdsQL Advertisements System - v1.7.8 - Last Updated 2011-04-02
#222

I was actually hoping you would respond with a willingness to fix it and a request for help; I'd be more than happy to provide help with securing the application if you reconsider, or if someone else wishes to take it up. I know of the methodology to seal the problems listed, but I don't have the time to hammer it out and implement it myself; I have numerous other projects, classes to attend, exams to pass, and it's just not possible for me to do myself with a project without any source control or community contribution facilities in place.
That and I prefer to mentor so that someone else is able to increase their own skills; rather than provide code and have someone just blindly copy and paste it with the understanding of "it just works", it is far better that there is an understanding of what it does, why it does what it does, how it should be used, when it should be used.

The reason that I announced this publicly to begin with is that it's been proven, hiding the existence of a vulnerability doesn't work. Microsoft has proven this time and time again. Getting users off of insecure code or to implement countermeasures to prevent exploitation is crucial; otherwise, it's a race to fix the problem before an attacker discovers it, assuming it has not been discovered already and is being actively abused.

Again, if someone wants to pick up the plugin, let me know. If I'm available, I'm certainly willing to help and teach.
cozmicshredder
AlliedModders Donor
Join Date: Apr 2004
Location: MI, USA.
07-23-2011, 19:16   Re: [many games] AdsQL Advertisements System - v1.7.8 - Last Updated 2011-04-02
#223

I've been trying to get this to work; not sure, but I'm thinking it's the newer version of PHP (version 5.3.5) I am using.

I am getting this error with a fresh install:

Code:
Warning: mysql_connect() [function.mysql-connect]: php_network_getaddresses: getaddrinfo failed: No such host is known. in \adsql\include\database.php on line 20

Warning: mysql_connect() [function.mysql-connect]: [2002] php_network_getaddresses: getaddrinfo failed: No such host is kn (trying to connect via tcp://DB_SERVER:3306) in \adsql\include\database.php on line 20

Warning: mysql_connect() [function.mysql-connect]: php_network_getaddresses: getaddrinfo failed: No such host is known. in \adsql\include\database.php on line 20
php_network_getaddresses: getaddrinfo failed: No such host is known.
PharaohsPaw
Senior Member
Join Date: Dec 2008
07-23-2011, 22:22   Re: [many games] AdsQL Advertisements System - v1.7.8 - Last Updated 2011-04-02
#224

Quote:
Originally Posted by Obsidian
> I was actually hoping you would respond with a willingness to fix it and a request for help; I'd be more than happy to provide help with securing the application if you reconsider, or if someone else wishes to take it up. I know of the methodology to seal the problems listed, but I don't have the time to hammer it out and implement it myself; I have numerous other projects, classes to attend, exams to pass, and it's just not possible for me to do myself with a project without any source control or community contribution facilities in place.
So in other words, you have time to criticize my work and talk about how superior your PHP skills are, but you're not actually going to DO anything unless somebody else is willing to be some kind of apprentice to you and be responsible for the work. And even then, IF you have the time.

wow. Just wow. What an ego you have.

The code isn't as bad and as obsolete as you claim it is, and it is a far cry better than it was before I proverbially "put my money where my mouth is" and started working on it. I spent quite a bit of time double-checking myself against online documentation of function calls at php.net as I worked on the updates I did to the web UI.

Last edited by PharaohsPaw; 07-24-2011 at 08:41.
PharaohsPaw
Senior Member
Join Date: Dec 2008
07-23-2011, 22:29   Re: [many games] AdsQL Advertisements System - v1.7.8 - Last Updated 2011-04-02
#225

Quote:
Originally Posted by cozmicshredder
> I've been trying to get this to work; not sure, but I'm thinking it's the newer version of PHP (version 5.3.5) I am using.
>
> I am getting this error with a fresh install:
>
> Code:
> Warning: mysql_connect() [function.mysql-connect]: php_network_getaddresses: getaddrinfo failed: No such host is known. in \adsql\include\database.php on line 20
>
> Warning: mysql_connect() [function.mysql-connect]: [2002] php_network_getaddresses: getaddrinfo failed: No such host is kn (trying to connect via tcp://DB_SERVER:3306) in \adsql\include\database.php on line 20
>
> Warning: mysql_connect() [function.mysql-connect]: php_network_getaddresses: getaddrinfo failed: No such host is known. in \adsql\include\database.php on line 20
> php_network_getaddresses: getaddrinfo failed: No such host is known.
It is far more likely that it is the hostname you are using for the database server in config.php.

Make sure whatever you have defined in config.php actually works (can be looked up properly) in DNS. Whatever DNS server(s) the webserver running the webUI is configured to use. If that is too much for you to figure out or research then just get the DB server's numeric IP and put that in your config.php (and your sourcemod databases.cfg file).

This is described in more detail in the installation docs and troubleshooting FAQs.

bai
cozmicshredder
AlliedModders Donor
Join Date: Apr 2004
Location: MI, USA.
07-24-2011, 03:18   Re: [many games] AdsQL Advertisements System - v1.7.8 - Last Updated 2011-04-02
#226

Yeah, I tried every IP, domain name, you name it, and it just will not work!
Drixevel
AlliedModders Donor
Join Date: Sep 2009
Location: Somewhere headbangin'
07-27-2011, 04:46   Re: [many games] AdsQL Advertisements System - v1.7.8 - Last Updated 2011-04-02
#227

Can we calm down a bit in this thread? It seems to me it's just going downhill from here. If the WebUI has problems then make it private and only accessible via .htaccess or with your webhost. That way nobody can get into it, and I'm not planning on making it public so it doesn't really matter to me.

Bottom line, quit fighting OVER A PLUGIN.
Snaggle
AlliedModders Donor
Join Date: Jul 2010
Location: England
07-27-2011, 08:13   Re: [many games] AdsQL Advertisements System - v1.7.8 - Last Updated 2011-04-02
#228

WebUI isn't a big issue, like r3dw3rw0lf said, just make it private. Do you really need more than 1 person adjusting ads? This plugin works great and is a nice tool!
Obsidian
Senior Member
Join Date: Jun 2011
07-27-2011, 15:56   Re: [many games] AdsQL Advertisements System - v1.7.8 - Last Updated 2011-04-02
#229

You'll need to do more than that to protect yourself from some of the other kinds of exploits; just locking it down to your IP is not enough. Be sure to send the response header "X-Frame-Options: NONE" to prevent frame or iframe sploit (assuming you're running a modern browser, this will tell your browser to not allow the page to be loaded in a frame or iframe element), and you can also try checking the HTTP_REFERRER request header to try and deter CSRF-based attacks. It's not a perfect solution though, referrers can be faked readily, but it's better than nothing. The only real protection would be CSRF tokens in every form (with the value being unique to each page request, and being made invalid after a short period of time), but that would require a drastic overhaul.

The easiest way to secure it would be to deny access to the entire outside world, then render it only accessible through a localhost loopback -- this means the only way you can access it is if you use an ssh-tunneled connection into your server. It is not easy to set up, however, so be warned.
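
The framing header, referrer check and per-request CSRF tokens discussed in post #229, sketched in PHP as an added example; this is not code from AdsQL or from any poster in this thread. The function names, the 600-second lifetime and the session layout are assumptions; the sketch sends `DENY` (the values browsers widely accept for `X-Frame-Options` are `DENY` and `SAMEORIGIN`), reads the referrer from `$_SERVER['HTTP_REFERER']`, and needs PHP 7.1 or later.

```php
<?php
// Added example: hypothetical helpers, not part of AdsQL.
const CSRF_TTL = 600; // seconds a token stays valid (assumed value)

// Call on every admin page before any output is sent.
function send_frame_guard(): void
{
    header('X-Frame-Options: DENY'); // browser refuses to render the page in a frame
}

// Weak deterrent only: the Referer header may be absent or forged.
function referer_is_same_host(array $server): bool
{
    $ref  = parse_url($server['HTTP_REFERER'] ?? '', PHP_URL_HOST);
    $host = preg_replace('/:\d+$/', '', $server['HTTP_HOST'] ?? ''); // drop port
    return is_string($ref) && $host !== '' && strcasecmp($ref, $host) === 0;
}

// Issue a fresh single-use token for each rendered form.
function csrf_issue(array &$session): string
{
    $now = time();
    // Drop expired tokens so the session does not grow without bound.
    foreach ($session['csrf'] ?? [] as $old => $expires) {
        if ($expires < $now) {
            unset($session['csrf'][$old]);
        }
    }
    $token = bin2hex(random_bytes(32)); // 256 bits from the OS CSPRNG
    $session['csrf'][$token] = $now + CSRF_TTL;
    return $token;
}

// Accept a submitted token once, and only before it expires.
function csrf_consume(array &$session, $submitted): bool
{
    if (!is_string($submitted)) {
        return false;
    }
    foreach ($session['csrf'] ?? [] as $token => $expires) {
        if (hash_equals((string) $token, $submitted)) { // constant-time compare
            unset($session['csrf'][$token]);            // single use
            return $expires >= time();
        }
    }
    return false;
}
```

After `session_start()`, a form embeds `csrf_issue($_SESSION)` in a hidden field, and the POST handler rejects the request with a 403 unless `csrf_consume($_SESSION, $_POST['csrf'] ?? null)` returns true.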
Drixevel
AlliedModders Donor
Join Date: Sep 2009
Location: Somewhere headbangin'
07-27-2011, 20:07   Re: [many games] AdsQL Advertisements System - v1.7.8 - Last Updated 2011-04-02
#230

...or you can just add an .htaccess username and password, strip out the users system in the code and make it just an editor without the fancy user system or anything. That's what I'm doing, and if anybody tries to put it into the browser or load it up as well as use a frame for it, it requires a password which I only know. If you make the password random then they wouldn't be able to brute force it AND not many people would know the exact folder you put it in on your webhost so they wouldn't know where it is. Just to screw with people, I host the advertisements for TG on my personal website and not on my main website so they're looking in the wrong place.

Bottom line: You don't need to go that in-depth with it Obsidian in order to keep your shit protected.