Fixing Backdoor Hack

ID:157759
 
Jan 5 2010, 12:13 pm
using href for ban/mute next to messages in output reveals an Admin's Memory ID, and allows players to input that command to force the admin to use the mute/ban/whatever.

Would adding a check for GM to src fix this? How do I fix it? I've never seen anything like this in my life. Thanks.

(IE ?src[F0001X] action1=Mute,Action2= Player Name)
Jan 5 2010, 12:24 pm
Instead of using the admin as the src ref, you should be using the target of the command, that way you can validate the person clicking the link.

// So you do something like

<a href="?src=\ref[target]&mode=admin&action=mute">Mute</a>

// And inside of Topic() you do this.

mob/Topic(href,href_list[])
    if(href_list["mode"] == "admin")
        if(usr in admin_list) // Note that usr here is the person clicking the link, src is the target.
            if(href_list["action"] == "mute")
                src << "You have been muted!"
        else
            usr << "Only admins can do that."


Please note, this is an EXAMPLE, I leave it to you to adapt this to your needs.
Jan 5 2010, 12:46 pm
In response to Nadrew
Nadrew wrote:
Instead of using the admin as the src ref, you should be using the target of the command, that way you can validate the person clicking the link.

> // So you do something like
> 
> <a href="?src=\ref[target]&mode=admin&action=mute">Mute</a>
> 
> // And inside of Topic() you do this.
> 
> mob/Topic(href,href_list[])
>     if(href_list["mode"] == "admin")
>         if(usr in admin_list) // Note that usr here is the person clicking the link, src is the target.
>             if(href_list["action"] == "mute")
>                 src << "You have been muted!"
>         else
>             usr << "Only admins can do that."
>

Please note, this is an EXAMPLE, I leave it to you to adapt this to your needs.

Thank you. That sure kills a lot of my worries.