Mysidia Adoptables v1.2.3[Security Release]

[Hall of Famer]

It is finally time for another security release of Mys v1.2.x series, after we've been devoting to the development of Mys v1.3.0. Since Mys v1.3.0 will still take a while to be available for public, I feel necessary to release Mys v1.2.3 to fix some security issues especially after a user called Tony brought it up to me. So technically, Mys v1.2.3 is the first true definition of a security release, the new features from this security release are:

1. Secure hash functions: The new user passwords are encrypted with 128 characters hash instead of 32 characters, joined with pepper(hard-coded) and salt(user-defined). This pretty much makes your site unhackable against most hackers. Cant do anything about professionals who break into government sites easily though.
2. Password Encryption Wizard: Since the new password hash is quite different from old md5 method used, you will need to run user password encryption wizard to update your passwords after installing/updating Mys v1.2.3. You wont be able to login without doing this.
3. Script Optimization: We manage to fix many script flaws in old Rusnak Adoptables script as I took over from BMR, good examples are while loop running only once, and mysql_num_row usage.
4. Registration Questions: Starting from Mys v1.2.3 admins can set registration questions to prevent bots from registering. We planned to use recaptcha before, but it is too complicated to install as it requires every user to manually modify her script files after going to recaptcha's official site to get the so-called Key.
5. Random Levelup Money: In Mys v1.1.x, users can gain random money from a range of minimum and maximum values for clicking pets. This feature was somehow removed from Mys v1.2.0 to v1.2.2, but it is now back again. The correct format is "minimum" , "maximum", and a random number will be generated from these two.
6. Miscellaneous Bug Fixes: We also fix a few bugs present in Mys v1.2.2, an infamous example is the donation glitch, from which users can donate negative amount to steal money. This is not possible now, as negative number will be automatically translated into their corresponding absolute value.


Installation Guide:
1. Use ftp to Upload the folder "installation" to your preferred directory, and change the name from "installation" to whatever you like.
2. Change the CMD of folder "picuploads" to 777, together with its subfolders, this is required to enable user uploading images.
3. Access the installer script at "http://yoursitename.com/install/install.php", follow the instructions and proceed.
4. Important: After installation is completed, run the script admin password encryption wizard at "http://yoursitename.com/adminencrypt.php" to encrypt your password before logging in.

Note: The value salt code can be generated from a website called: http://strongpasswordgenerator.com/, it can be of any length. Make sure to delete the file adminencrypt.php after running this script, or you will have to reset your password manually.


Upgrade Guide:
1. Use ftp to Upload every file within the folder "upgrade" to your Mys directory, choose yes when it asks you to rewrite existing files.
2. Access the upgrader script at "http://yoursitename.com/install/upgrade.php", follow the instructions and proceed.
3. Important: After Upgrade is completed, run the script User password encryption wizard at "http://yoursitename.com/userencrypt.php" to encrypt your users' passwords.

Note:The size of column "password" in table prefix.users is now varchar(200) instead of carchar(100), its recommended for you to doublecheck this before updating user passwords. Also removing userencrypt.php after running this script is recommended. To change the salt value, just edit the upgrade.php itself and find the corresponding default value. Replace it with whatever you want.


I am sorry Mysidia Adoptables have not been productive since the beginning of summer, after the release of Mys v1.2.2. The development of Mys v1.3.0 is still our top priority, but there is a chance that a few security releases for Mys v1.2.x series will be available before official release of Mys v1.3.0. I will let you guys/gals know whenever possible.

To download Mysidia Adoptables v1.2.3, please go to the following links below. I've uploaded both a .rar and .zip format file.

Mysidia Adoptables version 1.2.3, rar file:
http://www.megaupload.com/?d=KR3U1YXO
Mysidia Adoptables version 1.2.3, zip file:
http://www.megaupload.com/?d=JCK0NJSD

Hall of Famer

 

[ipengu]

The htaccess file in both folders is incorrect. You saved it as 'htaccess.txt' should be '.htaccess'

 

[Hall of Famer]

I see, thanks for bringing it up to me. It was another flaw in the old Rusnak Adoptables that we never paid attention to fixing, I am sorry. The file has been reuploaded, enjoy!

 

[ipengu]

Yea just noticed it was not fixed in even 1.2.2, Guess I never noticed since I uploaded my own anyways.

 

[Hall of Famer]

Yea just noticed it was not fixed in even 1.2.2, Guess I never noticed since I uploaded my own anyways.

Well yeah, its hard to keep track with all script flaws made by BMR, we fix it whenever we find anything. I still hold BMR to high regard when it comes to PHP coding though, I am assuming he made the original script at a time when he was still learning PHP. The first release of RA v1.0.0 was in like late 2008 or early 2009, so it makes sense.

So if you spot more issues like this one, notice me quickly so I will fix them in Mys v1.2.4 and future releases. We plan to resolve all flaws with Mys v1.3.0 stable release, or at least most.

 

[ipengu]

No one is perfect and it sometimes takes an outside look to notice something. I'll let you know of anything I find gonna take me a few hours to upgrade script

 

[Hall of Famer]

umm a few hours? I am assuming that you have modified your scripts thoroughly since you got it in the first place? If so, I wish you good luck. There are two hash functions that I defined in functions.php. passencr($username, $password) is used to encrypt new user passwords, while updatepass($username, $password) is for encrypting existing user passwords. The difference is that the latter receives a string that was already MD5'd, as you may have noticed from Mys v1.2.2.

 

[ipengu]

I only had 2 files that were in upgrade folder that I had not done mods to. lol

Using the best feature ever to speed up a little bit. Compare two files using Notepad++

 

[Tony]

Outstanding password encryption! This is exactly what I wanted to see. I'm very proud of you and your staff for taking it upon yourselves to fix bugs and actually release patches and content updates!

 

[Hall of Famer]

Thanks a lot Tony. The difficulty here is to update user password to more secured version without forcing each of them to have to change their password after upgrading to Mys v1.2.3. I am glad I eventually found a way to do that, simply further encrypt user password based on what it already is with md5 string.

In recent fute we will try to apply a better cookie saving approach, and perhaps un-register $Globals if we find another way to easily load database info such as user's money. We look to fix all potential security issues prior to an official Mys v1.3.0 release.

 

[Nemesis]

curious as to how many downloads this script has received. do you have this data for all versions?

 

[Hall of Famer]

umm this is what I got from megaupload:

Version 1.2.3: 11 Downloads(8 rar downloads and 3 zip downloads)
Version 1.2.2: 576 Downloads
Version 1.2.1: 176 Downloads(92 rar downloads and 84 zip downloads)
Version 1.2.0: 153 Downloads(41 rar downloads and 112 zip downloads)
Version 1.1.4: 124 Downloads(46 rar downloads and 78 zip downloads)
Version 1.1.3: 88 Downloads
Version 1.1.2: 38 Downloads
Version 1.1.1: 63 Downloads

The version 1.2.3 was just released yesterday, so the stats apparently aint quite useful. The number for Mys v1.2.2 is much higher due to the fact that it has been more than 4 months until Mys v1.2.3 came out(so for the past 4 months, you were stuck with Mys v1.2.2). I believe some people re-downloaded the files before, it is impossible to judge how popular the script is based on stats provided by Megaupload.

 

[Nemesis]

yeah, thanks for info, was just trying to get a feel for how popular the script was and how many are using it for their sites.

 

[PTGigi]

Ooo fancy O: I haven't been here in awhile. Nice to see cool stuffs happening :3 Welp, back to code helping and stalking this place...because stalking threads is fun :3

Oh and a TINY suggestion not really worthy of a thread. A link to the owner's profile from the lvl-up page so peeps can click more pets easily. Simple, easy to add, feel like it should be present already, but I find I have to add it whenever I use the script. Yep. :3

Anyway good luck! *poofs off*

 

[Tequila]

Hoffie, we'll have to check the login.php page again. :/ I'm not able to login from the page itself.

 

[Hall of Famer]

Well Nyxi, run the adminencrypt.php after upgrading from Mys v1.2.2, this should fix your problem. Or if you dont want to upgrade this way, just go to forgotpass.php and have a new password email sent to your email address.

 

[Nemesis]

that made my laugh lol. HOF your post was to long no one read it

 

[Tequila]

Ah, my problem is that there is no adminencrypt in the upgrade... Hm... Will do that now.

* Edit: Still no where to put information on how to login to the site on the login page, http://crystalhollow.com/login.php

 

[Hall of Famer]

Well adminencrypt.php should be inside the upgrade folder, upload it to your server and run it to solve your problem.

I see, the way login form is designed is the cause of your problem. As you may have seen from elements or simple theme, the login form is located at the sidebar. The center space is left blank for some reason, just look at the screenshots below and you will understand what I mean.

Elements:

Simple:

It seems that your site does not have sidebar, and therefore the login will not display. I will see if there is a way to move login form to the center instead of its original location at sidebar, this is the one and only way to fix your issue.

Edit: I reuploaded the Mys v1.2.3 files after fixing levelup.php glitch, since I believe this one is not a minor issue we can let pass till Mys v1.2.4. I am sorry for the trouble, guys and gals, how I hate typos...

 

[Tequila]

Hoffie, I managed it once with the old version (in http://mysidiaadoptables.com/forum/showthread.php?t=2158&highlight=login) but can't use the same trick here with the new version.