Open

#465 [0.91.0.6XX] Cheeky little hacker vs gridland floor settings

area: network, area: server
GameBug by @Ecconia 5 months ago

Clients have the ability to change literally every ExtraData config of the server. Furthermore, they can register false entries: if, for example, extra data for the display configuration with 3 pegs does not exist yet, it can be registered with the wrong data type. The cause of this is that until the SUCC file for that extra data is deleted, it is not possible to use the 3 peg displays, as the server will ignore requests and possibly throw exceptions.

In my case, I was able to edit the world floor for everyone connected to the server (server owners gonna love my party trick!) - While I have a way to “undo” my change - other malicious users won’t have that…

Issue is related to my request to restrict the change of simulation.

Technical request:

  • Whitelist/Hardcode which extra-data may exist and which type it must have.
  • Add extra field for extra data, which makes it read-only for clients.

Gain:

  • Safe against haxors.
  • Ability for server owners to lock extra data to read only (needed for floor, optional for simulation and displays)
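A sketch of the two requested controls, an allowlist with fixed types plus a per-entry read-only flag, as an added example that is not part of the original issue and not the game's own code. The class names, keys and value types are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ExtraDataSpec:
    value_type: type        # exact type the entry must hold
    client_writable: bool   # False = only the server/owner may change it

# Hypothetical allowlist; keys and types are constructed for illustration.
SCHEMA = {
    "world.floor": ExtraDataSpec(dict, client_writable=False),
    "simulation.paused": ExtraDataSpec(bool, client_writable=False),
    "display.config.3peg": ExtraDataSpec(list, client_writable=True),
}

class ExtraDataStore:
    def __init__(self, schema):
        self._schema = schema
        self._values = {}
        self.rejected = []   # audit trail of refused client requests

    def set_from_server(self, key, value):
        """Trusted path (server console, owner config): type-checked only."""
        self._check_type(key, value)
        self._values[key] = value

    def handle_client_request(self, client_id, key, value):
        """Untrusted path: allowlist, then read-only flag, then exact type."""
        try:
            spec = self._schema.get(key)
            if spec is None:
                raise PermissionError("unknown key")
            if not spec.client_writable:
                raise PermissionError("read-only for clients")
            self._check_type(key, value)
        except (PermissionError, TypeError) as exc:
            self.rejected.append((client_id, key, str(exc)))
            return False
        self._values[key] = value
        return True

    def _check_type(self, key, value):
        spec = self._schema[key]   # KeyError for unknown keys on trusted path
        # Exact match: isinstance() would accept a bool where int is expected.
        if type(value) is not spec.value_type:
            raise TypeError(f"{key} expects {spec.value_type.__name__}")

    def get(self, key):
        return self._values.get(key)
```

Rejected requests never create or overwrite an entry, so a client cannot pre-register a key with the wrong type, and the `rejected` list gives server owners something to log or alert on.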

1 comment
@Jimmy Developer 5 months ago

Good thoughts. ExtraData is a bit of a messy system at the moment, it needs cleanup.