Development::Development Forum for development topics and for those interested in EQEMu development. (Not a support forum)

09-24-2007, 04:10 PM
Banned
Join Date: Aug 2007
Location: Sneeking up behind a admin IRL
Posts: 169

The overall goal was a point of contact for the players... Whereas a player can create a petition, GM's can follow up, and players can follow up with that, only in that petition system.
Running that through the pre-built web interface can provide a lot of challenges, however I do not see it really as security but as a lack of scalability; whereas the pre-built-in interface confines you really to the machine that is running the world server. If someone like DR is running a world server, several zone servers and have an entirely separate network for web, and controlling the server, that really wouldn't work.
Allowing the program to run outside the built-in system provides more scalability imo =). But, it's not hard for any developer to import/convert that php to perl for the interface =).
As far as security issues go, I cannot really see any more security risks than that of it running on the local host.
EQEMU has to have a username and password for the database, just like php/apache has to have it =S I'm not sure how there would be a greater threat running the program outside the eqemu web admin interface =S.

09-24-2007, 06:59 PM
Banned
Join Date: Aug 2007
Location: Sneeking up behind a admin IRL
Posts: 169

Actually what I have so far in this system... It's really really nice =)...
Our GMs are currently using it and it features the following:
1. Fully functional GM login (from the account table).
2. Permissions are based upon status, in which you can CUSTOMIZE from the backend.
3. You specify what "groups" can see, read, modify, delete what, you specify what other groups can specify what you can, you specify what other groups can login, see players, see only GM's etc.
4. If you can see and modify a GM group, you can reset passwords, reset statuses, see characters (Working on editing characters atm) and much more.
This thing already has a ton of features and I'm only about 30% done with it... It's a pre-alpha right now, so if you want to help test it out, send me a pm, but I'm not publishing it just yet publicly.
Also some security measures I took in this script to really drown anyone who might want to hack it =)...
I currently made one function that constantly checks for some values, and if any are true, the function runs a routine that basically destroys (if any) session cookies (to log the user out), if they were logged in, it would reset their status to -2 (for banned), and would ban the IP address from the virtual host directory (in .htaccess).
So if you are an admin, make sure you aren't trying anything funny on the script, it has already locked me out once he he... but of course I was testing it too =P.
Basically here are a few things its looking for... Being the form only displays the values you can submit (like if your status is 100 and you are editing someone 80 as per defined by the admin) and if you submit the form for a higher value than what is allowed (like trying to submit a value of 150 in status) would kick in the HackerBurner function.
Attempts to use fake cookies to gain access would activate the function, and trying to access areas of the site you aren't supposed to be able to access.
I put an old Army Buddy to the test the other day on a test box. I told him there was 20 dollars for him if he could break into the system without a ban within 10 mins...
It took him 14, however keep in mind he's a pro as well and would make VB or phpBB look like wet paper sacks when it comes to security lol =P.
So basically, the system has been locked down, it is functional... but there are a few other changes we will make before releasing it...
1. Characters and items will be editable from the web interface =).
2. Keys/Flags Skills, and AA's will also be manageable.
3. Full integration of the petition system into this system.
4. Code Clean up... and make the HTML look half-way decent he he.

09-29-2007, 10:33 PM
Banned
Join Date: Aug 2007
Location: Sneeking up behind a admin IRL
Posts: 169

I'm having a bit of problems with the hex for the inventory blob so that's kinda stalling the development here.
So far the GM management part, just managing GM's and players as far as status, and things that can be edited from the account table is working. The GM permissions are fully functional, however it was a severe headache to get working he he.

10-06-2007, 10:52 PM
Banned
Join Date: Aug 2007
Location: Sneeking up behind a admin IRL
Posts: 169

Well... Here are the teases... So far the code works... however about 40% of the functions I want to work are working (server control functions).
All displays, permissions, account functions etc, WORK.
So far a GM Impossible by default install can:
* edit all other GMs (usernames, passwords, last character on, GM speed, status etc.).
* edit all other users of the system.
* ban players and GM's.
* change permissions of ALL GM groups (see screenshots for all the groups).

WORKING TEMPLATE/STYLE SYSTEM that runs directly from the database (uber fast page loads he he)


10-06-2007, 10:58 PM
Banned
Join Date: Aug 2007
Location: Sneeking up behind a admin IRL
Posts: 169

I have designed this system with a little thing I call hacker buster... Basically illegal page requests, without a valid cookie or attempts to post data that a user doesn't have permission to post, etc, will instantly set the status (which this system depends on) as -2 for banned, and will destroy their session cookies and log them out.
This by far doesn't make this system hack proof, but it sure helps, plus it keeps people "snooping" out =).
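
The server-side checks described in the 09-24-2007 post and in the "hacker buster" post above, as an added example that is not part of the original posts or the poster's script: a signed cookie is verified, and the submitted status is re-checked against the editor's own status before anything is written. The function names, the cookie format, the key and the rule that an editor may only edit accounts and assign values below their own status are assumptions.

```php
<?php
declare(strict_types=1);

// Added illustration with hypothetical names; not the poster's script.
const COOKIE_KEY = 'placeholder-server-side-secret'; // assumed key, keep out of the web root
const STATUS_BANNED = -2; // the posts use -2 for banned

// Issue "accountId.mac" so a forged or altered cookie fails verification.
function signCookie(int $accountId): string {
    return $accountId . '.' . hash_hmac('sha256', (string)$accountId, COOKIE_KEY);
}

// Return the account id if the MAC verifies, otherwise null.
function verifyCookie(string $cookie): ?int {
    $parts = explode('.', $cookie, 2);
    if (count($parts) !== 2 || preg_match('/\A\d+\z/', $parts[0]) !== 1) {
        return null;
    }
    $expected = hash_hmac('sha256', $parts[0], COOKIE_KEY);
    return hash_equals($expected, $parts[1]) ? (int)$parts[0] : null;
}

// The form only displays allowed values, so the submitted value is
// checked again on the server before anything is written.
function handleStatusEdit(array &$accounts, string $cookie, int $targetId, int $newStatus): string {
    $editorId = verifyCookie($cookie);
    if ($editorId === null || !isset($accounts[$editorId])) {
        return 'denied: invalid cookie'; // no authenticated account to act on
    }
    $editor = $accounts[$editorId]['status'];
    $target = $accounts[$targetId]['status'] ?? null;
    // Assumed rule: only edit accounts below your status, only assign values below it.
    $ok = $target !== null && $target < $editor
        && $newStatus >= STATUS_BANNED && $newStatus < $editor;
    if (!$ok) {
        $accounts[$editorId]['status'] = STATUS_BANNED; // response described in the posts
        error_log("status edit violation by account $editorId");
        return 'violation: editor banned';
    }
    $accounts[$targetId]['status'] = $newStatus;
    return 'ok';
}

// Constructed sample accounts (id => status) and three requests.
$accounts = [1 => ['status' => 100], 2 => ['status' => 80]];
echo handleStatusEdit($accounts, signCookie(1), 2, 90), "\n";  // in-range edit
echo handleStatusEdit($accounts, '1.forged', 2, 90), "\n";     // fake cookie
echo handleStatusEdit($accounts, signCookie(1), 2, 150), "\n"; // value above editor's status
```

The logged violation gives an admin a record to review when the check fires on a legitimate user, which the poster reports happened to him during testing.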

10-10-2007, 06:55 PM
Banned
Join Date: Aug 2007
Location: Sneeking up behind a admin IRL
Posts: 169

JUST AN ANNOUNCEMENT!
No more of this!
Last edited by Angelox; 10-11-2007 at 06:54 AM..
Reason: bashing