#60 online score table trivial to spoof

open
nobody
None
3
2004-11-08
2004-11-07
Anonymous
No

One only has to duplicate the URL, change the score etc., and feed it through wget or a browser (sorry about the first two score positions; I figured you could remove them easily anyhow).

Suggest making the client do an md5sum of the data sent and send it along in the url, then have the server do an md5sum in the exact same way as the client does and check it against the md5sum sent by the client.
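An added sketch of the check suggested above (not code from the project or from anyone in this thread), written in Python rather than the Java client and PHP server mentioned in the discussion. The field names, the `sig` parameter and the key are assumptions; it goes one step beyond the suggestion by showing a keyed HMAC-SHA256 tag beside the plain MD5, since an unkeyed digest can be recomputed by anyone who knows the format.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode

# Assumptions: field names, their order and the key are constructed for this example.
FIELDS = ("name", "score", "level")
SECRET = b"constructed-demo-key"


def canonical(params):
    """Length-prefixed UTF-8 fields in a fixed order, so a client and a server
    written in different languages hash exactly the same bytes."""
    parts = []
    for key in FIELDS:
        value = str(params[key]).encode("utf-8")
        parts.append(b"%d:%s" % (len(value), value))
    return b"|".join(parts)


def md5_digest(params):
    """The ticket's suggestion: unkeyed MD5 over the submitted data.
    It only catches edits made without recomputing the digest."""
    return hashlib.md5(canonical(params)).hexdigest()


def hmac_tag(params):
    """Keyed variant (HMAC-SHA256): recomputing the tag requires SECRET."""
    return hmac.new(SECRET, canonical(params), hashlib.sha256).hexdigest()


def build_query(params, tag_fn):
    """Client side: append the digest to the URL as a 'sig' parameter."""
    return urlencode([(k, params[k]) for k in FIELDS] + [("sig", tag_fn(params))])


def verify_query(query, tag_fn):
    """Server side: recompute the digest the same way, compare in constant time."""
    received = dict(parse_qsl(query, keep_blank_values=True))
    sig = received.pop("sig", "")
    if set(received) != set(FIELDS):
        return False  # missing or unexpected fields
    expected = tag_fn(received)
    return hmac.compare_digest(sig.encode("utf-8"), expected.encode("ascii"))


if __name__ == "__main__":
    # Constructed sample submission.
    genuine = build_query({"name": "Hero", "score": 1200, "level": 7}, hmac_tag)
    print(verify_query(genuine, hmac_tag))  # True
    print(verify_query(genuine.replace("score=1200", "score=999999"), hmac_tag))  # False
```

A key embedded in a distributed client can still be extracted, so the keyed tag raises the bar without removing the client-side problem raised in the discussion.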

Discussion

  • Mike Anderson
    2004-11-08

    Logged In: YES
    user_id=6450

    Well spotted ;-)

    Yep, md5sum sounds like a good solution. Just need to figure
    out how to do it in PHP so it matches the Java result.

    Low priority right now - the scores will probably all need a
    zero reset once a v1.0 comes out in any case, at which point
    we should have some decent score security. Although we'll
    never be entirely safe from client-side hacks.

     
  • Mike Anderson
    2004-11-08

    • priority: 5 --> 3
     
  • Tom Demuyt
    2006-05-21

    Logged In: YES
    user_id=95445

    Hi,

    Roguelikes work with an honour code,
    I will not make this a priority.

    T.