Questions

[gjac1]

There are several exploits that members have found on how to exploit with the script.

1. They have discovered that all they have to do is change the number in the adopt link (from adopt.php?id=xx) as a shortcut to getting any adoptable they want. They can even change this in this link "/doadopt.php?name=&id=28&promocode=&Submit=Adopt+Me " to get the different adoptables.

2. Refreshing the adoption page by either pressing the refresh button or ctrl+F5 to mass adopt as many as they want....

My suggestions are, some kind of mod (maybe a javascript mod) that hides the adoption link in the the status bar and the actual address bar so that they just see adopt.php and nothing to do with the id number. I have tried several different javascript mods to hide the the links from appearing, but they dont work with the latest versions of Firefox and IE.

And secondly some kind of a check that means after 1 adoptable has been adopted, the member is either taken directly to their profile page or if they do decide to refresh the page, the refresh sends them back to the main adoption page.

[12345]

Is this true? Omg what a retards people?

[eaglelegend]

Thank you very much and most of all, to your users for noticing that - you know userally i the first to notice - I remember when I used to test some other sites by doing that - it only got me banned, but they didnt get the point that im trying to help them - oh well, their own problem not mine!

[gjac1]

I got the PM telling me about this yesterday, i tried to create a solution to the problem myself and then i could post it here along with the exploit...but i can only seem to solve half the problem, and thats only if people are not using the latest web browsers..

What this also means is, if anyone is using the shop mod on the old script, it is now useless...unless a fix can also be applied to the old script

[BMR777]

Ok, I've looked into this on my test install.

Quote:

1. They have discovered that all they have to do is change the number in the adopt link (from adopt.php?id=xx) as a shortcut to getting any adoptable they want. They can even change this in this link "/doadopt.php?name=&id=28&promocode=&Submit=Adopt+Me " to get the different adoptables.

Well, yes if they know the ID of the adoptable they want to adopt they can simply change the number to adopt it. They cannot, however, use this method to adopt adoptables who have conditions attached to them that the user does not meet. For instance, if an adoptable can only be adopted 10 times, and this is already the case, the user cannot use this method to get the adoptable again, instead they get an "Adoption Denied" error message. The same is true for Promo Coded adoptables. This will only work if the user knows the valid promo code. Unless your install is also ignoring the conditions and allowing users who do not meet the adoption conditions to adopt pets then there is no exploit and the script is working as it should.

Quote:

2. Refreshing the adoption page by either pressing the refresh button or ctrl+F5 to mass adopt as many as they want....

Well, yes this is true, but it also is the same as the user simply going back, clicking adopt, clicking on the pet, renaming it, etc. If you want to limit this behavior, simply set conditions on the adoptable so that the user can only have so many of that type of adoptable. If there are conditions on the adoptable, they will be honored and the user will not be able to adopt more of the adoptable.

I hope this clears some things up for people. :)

Brandon

[eaglelegend]

Thanks for that Brandon - for clearing that up!

[gjac1]

I changed the adopt.php page to include this

PHP Code:

$query = "SELECT * FROM ".$prefix."adoptables ORDER BY RAND() LIMIT 1"; 


from this topic :

http://www.rusnakweb.com/forum/showthread.php?tid=914

and cheating members know what they are getting by the ID number....is there no way to hide this link in the status bar and address bar ??

And as for the ctrl+F5 exploit, thats not the same as going through the adoption process countless time to mass adopt, this is simply just keeping 1 finger on the ctrl button and then tapping F5 , limiting the number a member can adopt is not really possible when you are offering supposedly "random" adoptables that can hatch from 1 egg, members are going to want to mass adopt to try and get them all...i just dont want them to "shortcut" mass adopt seeing as that will just give them 1 of the exact same adoptable seeing as at that stage, its not random anymore...

[BMR777]

You didn't mention that you modified the script... :P

The normal version of this script that is unmodified works as it should. The fact that what works under normal operation doesn't work with the custom modifications you've made is not by any means an exploit, simply a result of your custom mod not working with the script the way it was designed to work under standard conditions.

No easy solution comes to the top of my head for removing the ID from the address bar. This is not something I will include in a future release as under normal operation this is not an issue.

[gjac1]

Even if it was not modded, the easy way to mass adopt is still there, and it is an exploit...the mod i used isnt exactly a huge mod, it just stops all of the available adoptables from being shown and instead shows 1 at random...

Hundreds can be adopted by just pressing 1 button in about a minute...on both scripts with or without mods...

I have been looking at other adoptable sites that where not created by people using this script, and they all somehow manage to hide the link to there adoption system, so this is a standard thing to protect against "cheating" , and i think i have figured out how they do it, by using an external website call whoisamongstus, so i will use that :)

[mugwumpr]

Forgive my ignorance, but I don't understand how this is "cheating". How do they hurt anyone but themselves?