What is going on with the link to the LEX? It shows a page spinning and some guy talking about nothing related to the LEX that I can tell.
Looks like someone ran some sort of exploit through the LEX's "News" feature today. I just disabled the "News" feature via the backend of the site, so the LEX should now be operational again. I will investigate further as to what all happened.
-Alex
Hi,
I just want to start off by saying that I'm extremely sorry for rendering the site unusable for a good hour. I can assure you that my intentions were completely white and I was pen testing the system out of boredom, and I was only trying to see exactly what the system would and would not allow me to do. I did want to clarify that, while I publicly exploited the news function of the site, I was also able to exploit a few other things I'd like to point your attention to, in the hopes that you will fix them :)
For starters, here's a spot I found where MySQL injection is potentially possible. Really simple fix. Don't use the mysqli library for PHP and instead switch to proper PDO. I haven't looked for any others, but this one was the first I spotted.
http://sc4devotion.com/csxlex/lex_filedesc.php?lotGET=%22
As well as that, your log file inside the /api/ endpoint is viewable.
I'm sure you are aware of how I did the exploit. But your textboxes currently don't strip and escape any user data. I don't even need to go into how dangerous this can be.
Again, I apologise and I hope you get these issues resolved :)
P.S. I didn't even have to log in to do this. 't2u_post.php' literally required no login credentials or a valid session, so I'm not sure how this didn't get exploited sooner.
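The three code-level findings in the post above (the interpolated lotGET query, unescaped text box input reaching the News page, and a post endpoint with no session check) map onto three small hardening changes. This is an added example, not the LEX's own code: the table and column names (lots, lot_id, description), the database name and credentials, and the file layout are all assumptions. The fix Lewis describes is parameterized queries, shown here with PDO as he suggests.

```php
<?php
// Added example, not the LEX's code. Hypothetical reconstruction of the three
// reported issues with a hardened version of each. Schema names are assumed.
declare(strict_types=1);
session_start();

// --- 1. lex_filedesc.php?lotGET=... : parameterise the query with PDO ---
$pdo = new PDO('mysql:host=localhost;dbname=lex_db', 'lex_user', 'PLACEHOLDER_PASSWORD', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // server-side prepares, not client-side quoting
]);

// Vulnerable pattern (constructed for illustration, not the real file):
//   $sql = "SELECT * FROM lots WHERE lot_id = " . $_GET['lotGET'];
// A lotGET value of '"' breaks that statement, which is how the issue was spotted.
function fetchLot(PDO $pdo, string $rawId): ?array
{
    // Validate the shape first: a lot id is a positive integer, anything else is rejected.
    if (!ctype_digit($rawId)) {
        return null;
    }
    $stmt = $pdo->prepare('SELECT lot_id, name, description FROM lots WHERE lot_id = :id');
    $stmt->execute([':id' => (int) $rawId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// --- 2. News / text boxes: escape on output so stored markup renders as plain text ---
function renderUserText(string $stored): string
{
    // Vulnerable pattern: echo $stored;  (markup saved in a news item is interpreted by
    // every visitor's browser, which is what took the site over for an hour)
    return htmlspecialchars($stored, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// --- 3. t2u_post.php: require an authenticated session before accepting anything ---
function requireLogin(): void
{
    if (empty($_SESSION['user_id'])) {
        http_response_code(403);
        exit('Login required.');
    }
}

requireLogin();
$raw = $_GET['lotGET'] ?? '';
$lot = fetchLot($pdo, is_string($raw) ? $raw : '');
echo $lot === null ? 'Not found' : renderUserText($lot['description']);
```

The readable log under /api/ is a web-server configuration matter rather than PHP code: move the log outside the document root, or deny HTTP access to its path in the server config.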
Lewis, thank you for being transparent and honest about the situation, and for providing your findings. The fact that you did so is, at least as far as I'm concerned, apology enough, and I believe your intentions. Fortunately, it was easy enough for me to get the site operational again, once I became aware of the situation (and it pushed me to learn a little more PHP-related stuff in the process). (Also, this probably has to be in the running for most unusual first post on our forums.)
I've forwarded this info onto our staff board, where our (one and only) LEX developer should be able to see it readily. The SimCity 4 community is much more artistically inclined than technically, so while that's led to some pretty intense dust-ups with things like intellectual property and distribution permission, it's likely sheltered us from exploits and the like that tend to be more prevalent in other online gaming communities.
-Alex
24 hours later, the File Exchange seems to be down, still.
Or is it me only?
We are working on fixing the security concerns that Lewis Lancaster has raised before re-opening the LEX. The LEX has been temporarily disabled to ensure that further exploitation of these issues is not possible while we work on fixing it.
I hope the LEX download will be OK at last, and that there will be more security after what happened on the News topic, which clicked through to a YouTube site? ()what() Looks like someone tried hacking this website... :crytissue:
Excuse me, how long will it take for LEX to reopen?
How long is a piece of string?
Seriously though, I appreciate that you would probably like to get access to the LEX, but as has already been explained, some code needs updating to ensure the LEX is safe for all. Given we have only one member who has the knowledge and access to fix such problems, it can't happen until they have time to instigate a fix. Knowing software development a little, a time-scale is pretty much impossible to provide until such point as you can make a full analysis of the problem. Even then, there is no guarantee the person in question can dedicate all the time to fixing it right there and then.
In short, it'll be available again when it's ready. When that happens the site will make a small announcement. Until such times, we all have to be patient.
Just a few thoughts while we wait for the LEX to be bulletproofed.
1) It seems that Lewis knows a thing or 2 about servers, is he helping to secure the server?
2) Is it possible someone could set up an isolated remote system with a temp FTP server with the SC4 file database to keep the wolves at bay while work progresses on the LEX Mainframe security. Something with a basic structure:
Lots
Props
Textures
Maps
Mods
Just a simple list of files by name only with a download quota so everyone gets a chance to get needed files.
Quote from: martintallon on July 26, 2018, 04:52:11 PM
2) Is it possible someone could set up an isolated remote system with a temp FTP server with the SC4 file database to keep the wolves at bay while work progresses on the LEX Mainframe security. Something with a basic structure:
Lots
Props
Textures
Maps
Mods
Just a simple list of files by name only with a download quota so everyone gets a chance to get needed files.
The plan, as I understand it, is to phase the work, such that the basic and most essential features--login/registration and downloading--are back up and running first, before the rest of the LEX functionality is restored. We'd only start to look at having a "temporary LEX" like what you've described if the downtime looked to be particularly excessive, since there would be setup time involved there, too--we're dealing with an exchange with somewhere north of 3600 files. There are also some broader backend security upgrades we are looking at undertaking as part of the process, though we've encountered some technical difficulties with our webhost on that end, and getting the downloads accessible again is a higher priority, in any case.
As mgb mentioned, much like a NAM release, we have no real timetable at this point as to when we'll be able to re-open at least some of the LEX. All we can do is thank everyone for their patience and understanding while we work to restore that part of our site.
-Alex
I've just re-enabled the LEX. The following features have been reworked with much improved security and are now available again:
- Login/registration
- File upload
- Power search, lot lists (e.g. latest, most popular), lot table
- File details, download + dependency tracker
- Download history
- Password reset
- File editing
- User profile
Things that are currently disabled while we continue to work on them:
- LEX global comments
- Most admin features
Things that probably won't work correctly:
- Download later list
Because of the large number of changes that needed to be made, there could still be some minor bugs - so let me know if you find any. Keep in mind that you should clear your cookies and HTTP caches to make sure that you have received the latest versions. You will also need to log in again.
Thanks CasperVg for fixing the LEX website! Now with the newest captcha mode - select any picture with the required something, after selecting "I am not a robot" first! :thumbsup: &apls
Why can't LEX's power search be used?
Glad to see it back. Any chance of considering using HTTPS in the future, especially with the changes in Chrome 68?
Quote from: Tracker on July 27, 2018, 10:57:13 AM
Glad to see it back. Any chance of considering using HTTPS in the future, especially with the changes in Chrome 68?
Indeed, HTTPS would be a welcome addition both here and on the LEX. We are working on it, but there appear to be some hiccups with the shared web host right now, making it a bit more complicated than it should be.
Quote from: CasperVg on July 27, 2018, 12:01:06 AM
- File details, download + dependency tracker
Hello people. I'm very glad to see that the LEX has started working again. But I have some problems with the dependency tracker. When I try to check the dependencies that are needed for some files, the "load dependency list" goes on endlessly and nothing happens.
(https://drive.google.com/open?id=1JF_lrVjxwAOTN_aDGFUs1NoU5DXn-yVR)
It's not working only for me or all users?
Quote from: ?????? ??????? on July 27, 2018, 11:42:19 AM
Quote from: CasperVg on July 27, 2018, 12:01:06 AM
- File details, download + dependency tracker
Hello people. I'm very glad to see that the LEX has started working again. But I have some problems with the dependency tracker. When I try to check the dependencies that are needed for some files, the "load dependency list" goes on endlessly and nothing happens.
(https://drive.google.com/open?id=1JF_lrVjxwAOTN_aDGFUs1NoU5DXn-yVR)
It's not working only for me or all users?
Sorry, fixed. Was an issue that only appeared if you had at least one dependency that you didn't have yet - hence why I didn't notice it sooner. Thanks for the report :)
Quote from: CasperVg on July 27, 2018, 12:10:12 PM
Sorry, fixed. Was an issue that only appeared if you had at least one dependency that you didn't have yet - hence why I didn't notice it sooner. Thanks for the report :)
Oh)))) Thank you very much!)
CasperVg: I highly appreciate your work on the lex. Many thanks and not only mine.
Quote from: CasperVg on July 27, 2018, 11:06:28 AM
Quote from: Tracker on July 27, 2018, 10:57:13 AM
Glad to see it back. Any chance of considering using HTTPS in the future, especially with the changes in Chrome 68?
Indeed, HTTPS would be a welcome addition both here and on the LEX. We are working on it, but there appear to be some hiccups with the shared web host right now, making it a bit more complicated than it should be.
To add to Casper's response here, we are looking at moving to a new hosting company in the very near future, due to those hiccups (which involved a failed attempt on their part to do a fairly routine upgrade at the end of June). We have an SSL already, but aren't able to utilize it with our current software configuration. Once that move has been accomplished, we'll be able to get everything in place to switch over to HTTPS.
-Alex
Thanks to the Devotion team for fixing the problem quickly! :squirrel:
I was just made aware of this thread. While I'd realized the LEX was operational again, I was wondering about what had happened. Now I know (and about "exploits", which I didn't before) and thus can sleep easier. Somehow. :)
A big round of Thanks to the SCD Fixing Team !