qeltar, posted December 11, 2007:

As some may know, the crude software used for the RSOF puts session identifier information right in the URLs. As a result, if anyone who is logged in posts a URL to another forum without changing it, anyone who clicks that link will automatically become logged in as that person. Someone on my forum had his account banned from the forums after this happened, so I cobbled together a very quick and simple code change that blocks it. If anyone here is interested, PM me and I'll tell you how to implement it here (since we're using the same boardware). It's very simple and easy to see that it's safe.

-- Qeltar, aka Charles Kozierok, Webmaster, RuneScoop - Premium RuneScape Information for Expert Players -- Now Free! Featuring the Ultimate Guide to Dungeoneering -- everything you need to know to get the most out of the new skill!
Cruiser, posted December 11, 2007:

I implemented a regex block for this on our IRC server quite a long time ago and completely forgot to pass on the need for this to Albosky. #-o He probably won't need the code, but it's very good that you brought this up. Jagex needs to fix that damn hole too. It's present in all their 'secure' login areas and has been for years on end now, even after I've sent in multiple bug reports about it. :evil:
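Neither qeltar's board patch nor Cruiser's IRC regex is reproduced in the thread, so the following is an added example (not code from either poster or from the forum software) of what such a filter looks like: it finds URLs in a message, strips query parameters that carry a session identifier, and reports whether anything was removed so an IRC bot or post handler can block or rewrite the message. The parameter names in SESSION_PARAMS (s, sid, sessionid, PHPSESSID) and the ;jsessionid= path form are assumptions about what the boardware in question uses; the sample messages are constructed.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Assumed query-parameter names that carry a session identifier. Adjust to
# whatever the board software actually emits; the thread does not name it.
SESSION_PARAMS = {"s", "sid", "sessionid", "session_id", "phpsessid"}

# Matches http(s) URLs up to whitespace or a delimiter. Trailing sentence
# punctuation is handled separately so "see http://x/?s=1." is not mangled.
URL_RE = re.compile(r"""https?://[^\s<>"']+""")
TRAILING_PUNCT = ".,;:)!?"

# Servlet-style session ids live in the path, e.g. /page;jsessionid=ABC
PATH_SESSION_RE = re.compile(r";jsessionid=[^/?#]*", re.IGNORECASE)


def scrub_url(url):
    """Return (clean_url, removed_param_names) for a single URL."""
    parts = urlsplit(url)
    removed = []

    path = parts.path
    if PATH_SESSION_RE.search(path):
        path = PATH_SESSION_RE.sub("", path)
        removed.append("jsessionid")

    kept = []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() in SESSION_PARAMS:
            removed.append(key)
        else:
            kept.append((key, value))

    clean = urlunsplit((parts.scheme, parts.netloc, path, urlencode(kept), parts.fragment))
    return clean, removed


def scrub_text(text):
    """Rewrite every URL in a message; return (clean_text, removed_param_names)."""
    removed_total = []

    def repl(match):
        url = match.group(0)
        trail = ""
        # Peel off punctuation that belongs to the sentence, not the URL.
        while url and url[-1] in TRAILING_PUNCT:
            trail = url[-1] + trail
            url = url[:-1]
        clean, removed = scrub_url(url)
        removed_total.extend(removed)
        return clean + trail

    return URL_RE.sub(repl, text), removed_total


def leaks_session(text):
    """True if the message contains a URL carrying a session identifier.
    An IRC bot can use this as the 'regex block'; a forum can use scrub_text
    to rewrite the post instead of rejecting it."""
    return bool(scrub_text(text)[1])


if __name__ == "__main__":
    # Constructed sample: a logged-in user pasting a link from a board that
    # puts the session id in the query string.
    msg = "look at this thread http://forum.example.com/viewtopic.php?t=123&s=0123456789abcdef&start=10."
    print(leaks_session(msg))   # True
    print(scrub_text(msg)[0])
```

Rewriting rather than rejecting is the friendlier default on a forum; on an IRC channel, where the bot cannot edit a line already sent, blocking the message is the only option, which is presumably why the IRC side used a block.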
Jordanweb, posted December 11, 2007:

> Jagex needs to fix that damn hole too. It's present in all their 'secure' login areas and has been for years on end now, even after I've sent in multiple bug reports about it. :evil:

It's funny because an IP-address check would only take an extra field in their session database and a few simple lines of code, something that would take any experienced coder less than 30 minutes.
Cruiser, posted December 11, 2007:

Matching IPs, using a temporary cookie; there are multiple ways they could do it, but their web team is apparently too stupid to do so. :?
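The two fixes suggested above (binding the session to the client IP, and binding it to a temporary cookie that is never put in a URL) can be shown side by side. This is an added example, not Jagex's code or anything posted in the thread; the in-memory dict stands in for the "session database", the 30-minute lifetime is an assumed value, and the IP addresses and user names are constructed. The third case in demo() is the one an IP check alone misses: an attacker on the same NAT or proxy as the victim presents the leaked session id from the same source address.

```python
import hmac
import secrets
import time

SESSION_TTL = 30 * 60  # assumed lifetime in seconds; not a value from the thread


class SessionStore:
    """Stand-in for a session table with the extra fields Jordanweb describes:
    the client IP, plus a second secret that travels only in a cookie."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be tested
        self._sessions = {}      # sid -> record

    def login(self, user, client_ip):
        sid = secrets.token_urlsafe(16)     # the value that may leak via a URL
        token = secrets.token_urlsafe(32)   # sent only as an HttpOnly cookie
        self._sessions[sid] = {
            "user": user,
            "ip": client_ip,
            "token": token,
            "created": self._now(),
        }
        return sid, token

    def authenticate(self, sid, client_ip, cookie_token):
        """Return (user, reason). user is None unless every check passes."""
        rec = self._sessions.get(sid)
        if rec is None:
            return None, "unknown session"
        if self._now() - rec["created"] > SESSION_TTL:
            del self._sessions[sid]
            return None, "expired"
        if rec["ip"] != client_ip:
            return None, "ip mismatch"
        # Constant-time compare: the cookie token is a secret, the sid is not.
        if cookie_token is None or not hmac.compare_digest(rec["token"], cookie_token):
            return None, "cookie mismatch"
        return rec["user"], "ok"


def demo():
    """Replay the scenario from the thread: a victim logs in, the sid ends up
    in a pasted link, and two different attackers click it."""
    store = SessionStore()
    victim_ip = "198.51.100.7"
    sid, cookie = store.login("victim", victim_ip)

    results = []
    # 1. The real user: right IP, right cookie.
    results.append(store.authenticate(sid, victim_ip, cookie)[1])
    # 2. Someone elsewhere clicks the leaked link: no cookie, different IP.
    results.append(store.authenticate(sid, "203.0.113.9", None)[1])
    # 3. Someone behind the same NAT clicks it: IP check passes, cookie check does not.
    results.append(store.authenticate(sid, victim_ip, None)[1])
    return results


if __name__ == "__main__":
    print(demo())   # ['ok', 'ip mismatch', 'cookie mismatch']
```

The caveat a practitioner should keep in mind with the IP check is the opposite failure: users whose address changes mid-session (mobile carriers, some ISP proxies) get logged out. The cookie binding has no such cost, which is why the cookie is the check to keep if only one is implemented; the session id then needs to stay out of the URL altogether.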
Dragontotem, posted December 12, 2007:

> Jagex needs to fix that damn hole too. It's present in all their 'secure' login areas and has been for years on end now, even after I've sent in multiple bug reports about it. :evil:

> It's funny because an IP-address check would only take an extra field in their session database and a few simple lines of code, something that would take any experienced coder less than 30 minutes.

Doesn't even have to be an experienced coder, as even I can do that :D and yes, I suck O_O

-- [4th in Finland to achieve 99 mining, 3rd of June 2007] Pixels make me horny.
Bobbington, posted December 16, 2007:

I have just informed Jagex of the issue, and I am sure they will investigate. Thanks for bringing it up... sounds nasty.
darkblade986, posted December 16, 2007:

I'm guessing that it's probably just a lazy shot on their part. People aren't supposed to see the specific link available. Now then, thanks to the miracles of Firefox, I can see the source code for the website, and the very first bulk of code I noticed included a JavaScript line...

    if(self.location.href.indexOf("/de/")!=-1 || self.location.href=="http://www.runescape.de") top.location.href="http://www.runescape.com/lang/de/"; else top.location.href="http://www.runescape.com";

Now I may not be a coder, but I do know that when I turn off JavaScript, then I can see the links just fine. So my guess is that this little bulk of code right here is the one that resets the link to Runescape.com (or .../lang/de/ for the German version) regardless of where you go (note that I pulled this code from the High Scores table). It probably goes along the lines of the following, where my rough translation of it is in the brackets.

    if(self.location.href.indexOf("/de/")!=-1 ||                [if own link does not equal (-1)...]
    self.location.href=="http://www.runescape.de")              [this]
    top.location.href="http://www.runescape.com/lang/de/";      [or this]
    else top.location.href="http://www.runescape.com";          [make it this]

-- don't worry, you are going to "hell" anyway. wanna race to see who gets there first? Officially reached 100 Combat at 1:33PM EST, June 14, 2007. First Dragon Drop: Dragon Chain (Dust Devils) @ 10:48PM EST, July 14, 2008, lv113 combat
Errdoth, posted December 16, 2007:

I always remember being told never to pass the session identifier through the URL for secure pages :-s Couldn't they just pass it through the superglobal or its equivalent in their scripting language? Unless you're not taking the cookies, then you'd have to go with the IP check.

Oh, and darkblade, that looks like something to redirect you to their German page, I don't think it'd do anything else.

-- Last.fm Signature Overlays
Cruiser, posted December 16, 2007:

> I have just informed Jagex of the issue, and I am sure they will investigate. Thanks for bringing it up... sounds nasty.

Yeah, good luck with that, I've been telling them about this for 3+ years now. I seriously doubt they care. I've sent bug reports, I've talked to the Pmod curators. Nothing changes.

> I'm guessing that it's probably just a lazy shot on their part. People aren't supposed to see the specific link available. Now then, thanks to the miracles of Firefox, I can see the source code for the website, and the very first bulk of code I noticed included a JavaScript line...
>
>     if(self.location.href.indexOf("/de/")!=-1 || self.location.href=="http://www.runescape.de") top.location.href="http://www.runescape.com/lang/de/"; else top.location.href="http://www.runescape.com";
>
> Now I may not be a coder, but I do know that when I turn off JavaScript, then I can see the links just fine. So my guess is that this little bulk of code right here is the one that resets the link to Runescape.com (or .../lang/de/ for the German version) regardless of where you go (note that I pulled this code from the High Scores table). It probably goes along the lines of the following, where my rough translation of it is in the brackets.
>
>     if(self.location.href.indexOf("/de/")!=-1 ||                [if own link does not equal (-1)...]
>     self.location.href=="http://www.runescape.de")              [this]
>     top.location.href="http://www.runescape.com/lang/de/";      [or this]
>     else top.location.href="http://www.runescape.com";          [make it this]

The JavaScript code is used to redirect the browser when you try to access pages within the website directly. It stops people going straight to the worlds list and other sections of the site. The entire concept is flawed because you can just shut off JavaScript to get around it.

On top of that, the entire website is wrapped in frames to protect the idiots that don't know any better, so no matter what they browse to, they always see 'runescape.com' in the address bar, even though the actual URL is changing. Once again, it's flawed security because some people middle-click links, opening them in new tabs, which drops the frames. They're playing the security-through-obscurity game and it just plain doesn't work.

They've most likely pushed the login bug aside for exactly those reasons. They assume most people don't find the real URLs, so they don't need to worry about double-checking who is accessing the secure session. That alone tells me the Jagex web team is incompetent. It violates one of the basic rules of website security: YOU ALWAYS VALIDATE EVERYTHING. You clean user input, you check that the person sending it is who you think it is, you check it again before sending it to the database. Jagex doesn't do any of that.