Woke up this morning to find my site inaccessible. Seems someone found a way to hack my gamezone mod? Please review the image and notice the last entry in the DB table 'gz_activity'. Would love to know how they pulled it off. Might be a vulnerability in the mod itself...

http://towtalk.net ... Hosted by Zarconia.net! |
It looks like an SQL injection attack. I am not familiar with game zone, are there any input fields a user types into? Geeks, making the world a better place |
Judging by the UID it was a guest passing through. I had the permissions set to members and guests. I have changed it to members only until I can figure out how they did it.... http://towtalk.net ... Hosted by Zarconia.net! |
It looks like an SQL injection attack. I am not familiar with game zone, are there any input fields a user types into?
I am looking now.....
http://towtalk.net ... Hosted by Zarconia.net! |
You may remember the LizaMoon injection attacks that affected millions of web sites around the world. Geeks, making the world a better place |
It may have been done by passing it in the URL of the site as well; they found the vulnerable script and pass the URL along in the browser address bar. Geeks, making the world a better place |
You need to contact the gamezone developer so they can start searching through the code for where the vulnerability lies. Geeks, making the world a better place |
I'll have to give that a whirl and see if it's possible. I have sent a message to webmediaservices. We are waiting for his response. Thanks for the help.... http://towtalk.net ... Hosted by Zarconia.net! |
Flash game sites get hacked all the time, but most of the time it's not any type of sql injection attack. Your server probably isn't compromised. More than likely, someone used a program called 'cheat engine' to alter the data that is submitted to the server. Older flash games, commonly referred to as V2 games, submit data to the server when a game is over, and the submission is for the most part, handled client side, because the game plays in the browser, and all the game data is held on the client machine until it is sent to the server. Well, this program called 'Cheat Engine' was designed solely for the purpose of pausing the game score submission process on the client, so that the game parameters can be altered before being sent to the server. This would be my first guess on how this happened.
There is no technical solution to stop this as far as all the old V2 games are concerned, and Game Zone has about 4,000 of this type of game. As long as there are sites using V2 games, and as long as there is a program called Cheat Engine, people will be able to hack the score submission process. The only thing you can do, is take whatever steps necessary to keep scumbags off your site.
The 'Cheat Engine' problem was solved by the introduction of second generation games called V32 games. This type of game requires a bit of handshaking to take place between client and server, once the score submission process is initiated by the client. If the process is interrupted by Cheat Engine, it times out and the process ends without being submitted, unlike V2 game score submission which has no handshaking and has no time limits on score submission.
Game Zone didn't support V32 games originally, but I added the capability a few years ago, and shared it with the developer. The only way to be certain Game Zone is not vulnerable to Cheat Engine is to delete all the V2 games, and use only V32 games. Most of the 4000 games that ship with game zone are crap anyway, and the decent ones will have a V32 equivalent.
My opinions expressed on this site, in no way represent those of Boonex or Boonex employees. |
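The handshake the post above describes for V32 games, shown as an added example of the server side of such a scheme (this is illustrative code, not Game Zone's or the developer's own implementation): the server issues a single-use nonce bound to the member and game when the client starts a submission, and accepts the score only if that nonce comes back unexpired. The class name, the 30-second window and the in-memory pending store are assumptions.

```php
<?php
// Added example, not Game Zone code: a server-side score-submission handshake.
// Step 1 (begin): client announces a submission; server hands back a nonce tied
//   to this member and game, valid for SUBMIT_WINDOW_SECONDS.
// Step 2 (finish): client returns nonce + score; server accepts only if the
//   nonce is known, unused, bound to the same member/game, and not timed out.
// The window length and the in-memory $pending store are assumptions.

declare(strict_types=1);

const SUBMIT_WINDOW_SECONDS = 30;   // assumed; tune to the longest legitimate submit

final class ScoreHandshake
{
    /** @var array<string, array{member:int, game:int, issued:int}> */
    private array $pending = [];

    public function begin(int $memberId, int $gameId, int $now): array
    {
        $nonce = bin2hex(random_bytes(16));           // unguessable, single use
        $this->pending[$nonce] = ['member' => $memberId, 'game' => $gameId, 'issued' => $now];
        return ['nonce' => $nonce, 'expires' => $now + SUBMIT_WINDOW_SECONDS];
    }

    public function finish(string $nonce, int $memberId, int $gameId, int $score, int $now): string
    {
        $p = $this->pending[$nonce] ?? null;
        if ($p === null) {
            return 'rejected: unknown or already used nonce';
        }
        unset($this->pending[$nonce]);                 // consumed even when the check fails
        if ($p['member'] !== $memberId || $p['game'] !== $gameId) {
            return 'rejected: nonce belongs to another member or game';
        }
        if ($now - $p['issued'] > SUBMIT_WINDOW_SECONDS) {
            return 'rejected: timed out';              // a paused submission lands here
        }
        // Only now would the score be written to the high-score table.
        return "accepted: $score";
    }
}

// Constructed walk-through with a fixed clock so the outcomes are deterministic.
$hs   = new ScoreHandshake();
$t0   = 1_700_000_000;
$tok  = $hs->begin(42, 557, $t0);
echo $hs->finish($tok['nonce'], 42, 557, 9000, $t0 + 5), "\n";    // accepted: 9000
echo $hs->finish($tok['nonce'], 42, 557, 9000, $t0 + 6), "\n";    // rejected: already used
$tok2 = $hs->begin(42, 557, $t0);
echo $hs->finish($tok2['nonce'], 42, 557, 9000, $t0 + 90), "\n";  // rejected: timed out
$tok3 = $hs->begin(42, 557, $t0);
echo $hs->finish($tok3['nonce'], 7, 557, 9000, $t0 + 5), "\n";    // rejected: other member
```

The time limit and single-use nonce are what stop a submission that was paused or replayed, which is the failure mode the post describes. They do not make a client-computed score trustworthy by themselves: a client that alters the score before the window closes still gets it accepted, so a server that needs to trust scores also has to keep enough game state server-side to sanity-check them.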
You have the time stamp right there. Have your host look at the logs and see how it was done... https://dolphin-techs.com - Skype: Dolphin Techs |
Even using firebug you can alter games and their inputs. Used to do it on a FB game. caredesign.net |
Sometimes you can just pass the data along in the URL; depends on the script
gamezone.php?page=playgame&game=557
At what point does the game activity gets added to the database?
gamezone.php?page=playgame&game=www.mysite.com
Would it enter www.mysite.com as a game activity before kicking out the no game found? What other URLs are there? What point in the code does it enter the game activity? Is the data sanitised first? Can only numeric values for the game ID be passed? Evidently the database field for the game ID is accepting characters as well for the type.
Geeks, making the world a better place |
Change the field type to INT problem solved I guess... ?
or tinyint..
edit: change all but the date for that matter.
https://dolphin-techs.com - Skype: Dolphin Techs |
RE:
DB table 'gz_activity'
A good question for webmedia would be why the gameid field is type varchar 200, instead of INT.
My opinions expressed on this site, in no way represent those of Boonex or Boonex employees. |
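An added example, not the Game Zone mod's own code, of what the posts above are asking for: the game parameter from a URL such as gamezone.php?page=playgame&game=557 is accepted only if it is a plain positive integer, nothing is written to gz_activity when it is not, and the INSERT uses a prepared statement with an integer-typed game_id column. The column list of gz_activity and the SQLite in-memory database are assumptions made for the demo.

```php
<?php
// Added example (not Game Zone code): validate ?game= and log activity safely.
// Assumed gz_activity layout: id, member_id, game_id INTEGER, created.

declare(strict_types=1);

/** Return the game id only when the raw value is 1..10 ASCII digits and > 0. */
function gameIdFromRequest(array $query): ?int
{
    $raw = $query['game'] ?? '';
    if (!is_string($raw) || !preg_match('/^\d{1,10}$/', $raw)) {
        return null;      // 'www.mysite.com', '', '-3', '557abc' all land here
    }
    $id = (int) $raw;
    return $id > 0 ? $id : null;
}

/** Write one activity row; returns false (and writes nothing) when no game id. */
function logActivity(PDO $db, int $memberId, ?int $gameId): bool
{
    if ($gameId === null) {
        return false;     // "no game found" is decided before any INSERT runs
    }
    $stmt = $db->prepare(
        'INSERT INTO gz_activity (member_id, game_id, created) VALUES (:m, :g, :t)'
    );
    $stmt->bindValue(':m', $memberId, PDO::PARAM_INT);
    $stmt->bindValue(':g', $gameId, PDO::PARAM_INT);   // never interpolated into SQL
    $stmt->bindValue(':t', time(), PDO::PARAM_INT);
    return $stmt->execute();
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// game_id is INTEGER, following the thread's advice to drop VARCHAR(200).
$db->exec('CREATE TABLE gz_activity (
    id INTEGER PRIMARY KEY,
    member_id INTEGER NOT NULL,
    game_id INTEGER NOT NULL,
    created INTEGER NOT NULL)');

// Constructed inputs: one valid id, then the kinds of values the posts worry about.
foreach (['557', 'www.mysite.com', '557abc', '', '-3'] as $input) {
    $ok = logActivity($db, 0, gameIdFromRequest(['game' => $input]));
    printf("%-18s => %s\n", var_export($input, true), $ok ? 'logged' : 'rejected');
}
$rows = $db->query('SELECT game_id FROM gz_activity')->fetchAll(PDO::FETCH_COLUMN);
echo 'game_id values stored: ', implode(',', $rows), "\n";   // 557 only
```

Changing the column to INT is worth doing, but on its own it only changes what the database stores; if the script still builds the query by string concatenation, the query text can still be altered. The prepared statement (or an explicit (int) cast before the value reaches the SQL) is the part that closes the injection, and the validation is what keeps junk like a hostname from ever reaching the database in the first place.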
He has already contacted me and I am allowing him into the server so he can address it. Was surprised by his quick response. I'll let you know what the final resolution was. Thanks for everyone's input http://towtalk.net ... Hosted by Zarconia.net! |
Geeks, making the world a better place |
Have not heard back. Sent him the access. We need to give him a little time...... I'll bug him again in a few days if I haven't heard anything.... http://towtalk.net ... Hosted by Zarconia.net! |
Ok, he replaced one file in my system and has also given me instructions to change the field type to INT. If you have game zone, send him a message and I'm sure he'll provide the fix for you as well.
He did say he agreed that the field type should have been INT to begin with. Since it's a numerical field, it should not be a problem to just change it on the fly. I wouldn't do it without contacting him first. I think the file he changed has something to do with it.
http://towtalk.net ... Hosted by Zarconia.net! |
Now, if he would just get rid of all that damn inline styling so a person could make gamezone styling follow Dolphin template styling. My opinions expressed on this site, in no way represent those of Boonex or Boonex employees. |
Why can't you just provide the fix here and save us the running around trying to get hold of the developer?!
If you have game zone, send him a message and I'm sure he'll provide the fix for you as well.
DedicatedServer4You.com -- BIGGEST Range of Dedicated Servers at the Lowest Price! |
Because it's his mod, not mine..... http://towtalk.net ... Hosted by Zarconia.net! |
I'm not asking for the mod; which I also have ... but the fix.
Because it's his mod, not mine.....
DedicatedServer4You.com -- BIGGEST Range of Dedicated Servers at the Lowest Price! |
Actually, the fix should be rolled back into the module so that all one has to do is download the module. There should also be included upgrade instructions and the SQL file to run to upgrade the database, database_upgrade.php, that can just be uploaded to the site and run to change the database for those who can not, or should not, be doing direct queries on their database. Geeks, making the world a better place |
I have no idea if the fix is included in the market download or not ... DedicatedServer4You.com -- BIGGEST Range of Dedicated Servers at the Lowest Price! |
I have no idea if the fix is included in the market download or not ...
Have you tried contacting the vendor?
Edit: Checking the market entry, it was last updated last month. I'm sure they'll release the fix shortly, but for now, I recommend contacting the vendor directly.
BoonEx Certified Host: Zarconia.net - Fully Supported Shared and Dedicated for Dolphin |
Not about the fix no, but I have tried a times before with other things and never got a reply back ...
Have you tried contacting the vendor?
DedicatedServer4You.com -- BIGGEST Range of Dedicated Servers at the Lowest Price! |
Not about the fix no, but I have tried a times before with other things and never got a reply back ...
Have you tried contacting the vendor?
Really? He got back to me in less than 2 hours.......... This is a mod of his that has been around for some time now. Who else do you know that will support a mod that's already years old? Only about 10% of the developers here would. I used the Boonex messenger and he replied same day....
http://towtalk.net ... Hosted by Zarconia.net! |
maybe you caught him on good day?
I will shoot him a message :)
Not about the fix no, but I have tried a times before with other things and never got a reply back ...
Have you tried contacting the vendor?
Really? He got back to me in less than 2 hours.......... This is a mod of his that has been around for some time now. Who else do you know that will support a mod that's already years old? Only about 10% of the developers here would. I used the Boonex messenger and he replied same day....
DedicatedServer4You.com -- BIGGEST Range of Dedicated Servers at the Lowest Price! |
Bump for a couple of reasons:
- This may be the same issue with a different mod as Denre's thread http://www.boonex.com/forums/#topic/SQL-Injections-in-Dolphin-Play-Multiplayer-Gamez.htm
- I emailed webmediaservices a few times to see if he made this fix when he came onto my site to do some work but it's been months with no answer from him (I'm not sure how to tell if the fix has been applied or not)
- If anyone knows and can share the fix so we can make sure it's implemented, it would be greatly appreciated.
Thx
yes, I searched before asking.... |
This is why I removed Game zone and Video Zone completely. more than 7 months with no reply..
Bump for a couple of reasons:
- This may be the same issue with a different mod as Denre's thread http://www.boonex.com/forums/#topic/SQL-Injections-in-Dolphin-Play-Multiplayer-Gamez.htm
- I emailed webmediaservices a few times to see if he made this fix when he came onto my site to do some work but it's been months with no answer from him (I'm not sure how to tell if the fix has been applied or not)
- If anyone knows and can share the fix so we can make sure it's implemented, it would be greatly appreciated.
Thx
RE
I'm not convinced that a vulnerability exists. The only bit of evidence produced in that thread was an entry in an error log that was indicative of an unsuccessful sql injection attempt. I still haven't seen any evidence presented that outlines exactly how to formulate a successful sql injection, or any evidence that any site has been compromised.
My opinions expressed on this site, in no way represent those of Boonex or Boonex employees. |
I still haven't seen any evidence presented that outlines exactly how to formulate a successful sql injection, or any evidence that any site has been compromised.
Fact is that the script does not check the input, which is a potential security risk.
Fact also is that the syntax of the executed query can be altered.
These two facts make it a matter of time for someone to formulate a successful attack. Maybe you want to wait for that, I don't.
Dedicated servers for as little as $32 (28 euro) - See http://denre.com for more information |
RE
These two facts make it a matter of time for someone to formulate a successful attack.
Usually when an exploit is discovered, it is clearly defined how a SUCCESSFUL sql injection is accomplished. If you are that certain that it is possible, then you should take the time to prove your case, and show the developer exactly how it's done.
That's how vulnerabilities get fixed in a hurry. Someone tells the world how to carry out a successful attack, and puts the developer(s) under the gun to crank out a fix.
My opinions expressed on this site, in no way represent those of Boonex or Boonex employees. |
I'm going to lock this and push all replies over to here: http://www.boonex.com/forums/topic/SQL-Injections-in-Dolphin-Play-Multiplayer-Gamez.htm
But in short, both products were hidden because the vendor has been unresponsive. This isn't because of a security issue (that has yet to be totally proven), but because it's standard policy to remove products from MIA vendors.
BoonEx Certified Host: Zarconia.net - Fully Supported Shared and Dedicated for Dolphin |
I'm going to lock this and push all replies over to here: http://www.boonex.com/forums/topic/SQL-Injections-in-Dolphin-Play-Multiplayer-Gamez.htm
But in short, both products were hidden because the vendor has been unresponsive. This isn't because of a security issue (that has yet to be totally proven), but because it's standard policy to remove products from MIA vendors.
Pretty good lock eh? Maybe we should report this bug to Boonex and see how long they take to respond. If it takes more than a few days, then we should remove all their products from the market.
http://towtalk.net ... Hosted by Zarconia.net! |
Pretty good lock eh? Maybe we should report this bug to Boonex and see how long they take to respond. If it takes more than a few days, then we should remove all their products from the market.
I unlocked it shortly after to please the Almighty Houston. And I contacted Webmediaservices last month, and he hasn't been online in about a month. No answer. He said he would release an update, and to date hasn't.
If a developer has an outstanding issue, and becomes MIA for a month, they shouldn't have products to sell in the market. The market is for active developers that can support and maintain their products.
BoonEx Certified Host: Zarconia.net - Fully Supported Shared and Dedicated for Dolphin |
Oh for crap's sake, I give up. http://towtalk.net ... Hosted by Zarconia.net! |
Nathan, it has nothing to do with pleasing me. It has to do with the fact you had no reason to close that thread... now stop bothering your elders My opinions expressed on this site, in no way represent those of Boonex or Boonex employees. |