PolarisSS13 / Polaris

Polaris - A version of Spacestation13, forked from Baystation12.
https://ss13polaris.com/
Other
71 stars 305 forks source link

Ban Exploit: SQL banning offline players ignores IP and Computer ID #2629

Open SpadesNeil opened 8 years ago

SpadesNeil commented 8 years ago

Brief description of the issue

This is exploited maliciously by griefers to ban evade.

What you expected to happen

When you ban an offline player whose mob is SSD, for it to grab the lastknownIP and computerID vars, and include them in the ban.

What actually happened

Only the ckey is banned.

Steps to reproduce

  1. Attempt to ban someone who disconnects before you can ban them, leaving their mob SSD.
  2. Check the unban panel.

    Additional info:

SpadesNeil commented 7 years ago

I feel like @Leshana fixed this in Vorestation but I am not sure. Maybe @Arokha fixed it? Maybe no one fixed it and I am actually crazy.

Neerti commented 7 years ago

Porting and finishing #2644 would probably put a stop to this for good, if it's still occurring.

skull132 commented 7 years ago

@SpadesNeil It's an easy fix, I did it on Aurora years ago.

There's a query in modules/admin/DB ban/functions.dm on line ~40, which checks if a player is actually logged on the database. It does so by select the id of said player. Just modify that query to also pull the computerid and ip. And shove that into the if(query.NextRow()) clause, so it replaces a missing CID/IP with the query result.

Original:

    var/DBQuery/query = dbcon.NewQuery("SELECT id FROM erro_player WHERE ckey = '[ckey]'")
    query.Execute()
    var/validckey = 0
    if(query.NextRow())
        validckey = 1
    if(!validckey)
        if(!banned_mob || (banned_mob && !IsGuestKey(banned_mob.key)))
            message_admins("<font color='red'>[key_name_admin(usr)] attempted to ban [ckey], but [ckey] has not been seen yet. Please only ban actual players.</font>",1)
            return

Fixed version:

    var/DBQuery/query = dbcon.NewQuery("SELECT id, computerid, ip FROM erro_player WHERE ckey = '[ckey]'")
    query.Execute()
    var/validckey = 0
    if(query.NextRow())
        validckey = 1
        // Stop relying on manual entry, use the database.
        if (!computerid)
            computerid = query.item[2]
        if (!ip)
            ip = query.item[3]
    if(!validckey)
        if(!banned_mob || (banned_mob && !IsGuestKey(banned_mob.key)))
            message_admins("<font color='red'>[key_name_admin(usr)] attempted to ban [ckey], but [ckey] has not been seen yet. Please only ban actual players.</font>",1)
            return