Traithe
12-14-2004, 03:14 PM   #7
Just an update -

A fellow developer was kind enough to point out some structuring flaws in our mysql routines that could theoretically allow for sql injection attacks. The good news is that, as far as I've been able to test, the rest of the code's implementation makes them difficult if not impossible to execute, and further, that on any sanely-configured mysql server (i.e. operating with a mysql username granted ONLY those privileges absolutely necessary to deal with the game's database [SELECT, INSERT, UPDATE, DELETE, ALTER, DROP, and maybe one or two others I'm forgetting] and with proper limited permission settings on the mysqld user itself) these things don't seem capable of actually inflicting any damage. That said, I've taken it under advisement and am in the process of completely restructuring the query system to remedy this issue, but given the heavy integration of the system into the MUD as a whole it is quite a bit of work.

I expect to have it all finished and committed to the public release probably by tomorrow morning. Until then, I wouldn't advise making many changes to any copies of the code you've already got, as you're strongly advised to download the fixed version I'll be making available and merging the two may be a bit of a pain.

Since our website requires you to be logged in with your game account in order to download the server, I've got everyone's email addresses on file (I'm glad I anticipated something like this, heh), so I'll be sending out an email when the updated server's available for download.

Thanks!
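The two defences the post leans on, rebuilding the query system so user input can never change the shape of a statement, and running the game's database user with only the privileges the post lists, are illustrated below. This is an added example and is not code from the MUD or from Traithe; the MUD's own routines are not shown on this page. It uses Python's standard sqlite3 module as a stand-in for the MySQL client library so it runs offline, and the table name, column names, account rows, database name and MySQL user name are all constructed for the example.

```python
import sqlite3

# Constructed stand-in for the game's account table (not the MUD's real schema).
SAMPLE_ACCOUNTS = [
    ("kite", "kite@example.invalid"),
    ("traithe", "traithe@example.invalid"),
    ("O'Neil", "oneil@example.invalid"),   # a perfectly legitimate name containing a quote
]

# The privilege set the post describes for a sanely-configured server: the game's
# MySQL user gets only what the game needs, nothing server-wide. Database and user
# names are assumptions for the example; this string is MySQL syntax, not run here.
LEAST_PRIVILEGE_GRANT = (
    "GRANT SELECT, INSERT, UPDATE, DELETE, ALTER, DROP "
    "ON mud_db.* TO 'mud'@'localhost';"
)


def make_db():
    """Create an in-memory database holding the constructed sample accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (name TEXT PRIMARY KEY, email TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", SAMPLE_ACCOUNTS)
    return conn


def lookup_email_unsafe(conn, name):
    """The structuring flaw the post refers to: the caller's string is spliced
    straight into the SQL text, so any quote in it becomes part of the statement."""
    sql = "SELECT email FROM accounts WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_email_safe(conn, name):
    """Parameter binding: the value travels separately from the statement text,
    so it is always treated as data and can never alter the query's structure."""
    rows = conn.execute("SELECT email FROM accounts WHERE name = ?", (name,))
    return [row[0] for row in rows]


def demonstrate():
    """Run both lookups on a name containing an apostrophe and report the outcome:
    the bound version finds the account, the spliced version breaks the statement."""
    conn = make_db()
    name = "O'Neil"
    safe = lookup_email_safe(conn, name)
    try:
        lookup_email_unsafe(conn, name)
        unsafe_error = None
    except sqlite3.Error as exc:
        unsafe_error = type(exc).__name__
    return safe, unsafe_error


if __name__ == "__main__":
    print(demonstrate())
```

The unsafe lookup fails on an ordinary name with an apostrophe, which is the same property that makes it injectable: the input is rewriting the statement. The bound version treats the name as a value no matter what characters it contains, and the grant keeps the blast radius small even if another such flaw is missed.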