tgstation / tgstation

The /tg/station branch of SS13.
https://www.tgstation13.org/
GNU Affero General Public License v3.0

Exploit Bug #2665

Closed utahclock closed 10 years ago

utahclock commented 10 years ago

Hi all. I wasn't on when this happened, but on our server (yogstation) we are running the Jan. 15th version of the code, and someone came on and was able to exploit research machines (pulling materials out of thin air, i.e. uranium), maxing research in under 3 minutes (without deconstructing stuff), and was somehow able to access the protolathe from the circuit imprinter.

We are not sure how this person is doing it, but they are able to make advanced energy guns and submachine guns without lockboxes, etc.

Giacom commented 10 years ago

I'm going to guess it was href exploits.

GrayRachnid commented 10 years ago

Let me just add a bit more information since I was watching him the whole time.

He was making things and they were coming out of the circuit imprinter without resources; he was, however, deconstructing items and earning research. (And a correction to the first post: he did not spawn resources.)

He was making super manipulators and what not and at some points I saw an energy relay come out of the circuit imprinter.

Guns were coming out without lockboxes and he was able to make multiple items within 1 second (2 bags of holding and 3 tp crystals came out of that thing in one run).

I then spawned myself and went invis to try to see what he's doing on the console, I saw the following.

He was on the protolathe menu with no glass and just 30k cm^3 of metal. Suddenly, the "creating circuit" page came up and shit started coming out of the circuit imprinter; after that, the page loaded the circuit imprinter menu with 0 glass and 0 acid.

GrayRachnid commented 10 years ago

After further investigation, I managed to figure out how to do it.

The whole bug is accessed through the fact that the client stores cache files; this could probably be fixed by saving cache files on the server side, but I'm not one to know if that has any downsides.

Giacom commented 10 years ago

No, this problem isn't exclusive to research. It is well known that players can spoof Topic() calls, so we never consider it reliable, and the best practice is to always check in Topic() whether the player is allowed to perform a certain action; never trust the fact that, since the player can click on a button/link, he must be able to perform that action.

For example:

```dm
// Vulnerable: the handler acts on the "explode" parameter as soon as it
// appears in the href, so a hand-crafted Topic() call detonates an unarmed bomb.
/obj/machinery/bomb/Topic(href, href_list)
    if(href_list["explode"])
        explode()
```

```dm
// Fixed: the handler re-checks the server-side state the link was supposed to imply.
/obj/machinery/bomb/Topic(href, href_list)
    if(href_list["explode"])
        // This will stop people from spoofing Topic() to make the bomb explode without arming it
        // They can spoof it but it would result in the same amount of effort required to get the
        // bomb to explode in the first place.
        if(armed)
            explode()
```
theOperand commented 10 years ago

How exactly is it exploited through the cache files, then? AFAIK BYOND handles literally everything server-side; changing the cache files won't allow random shit to come out of the imprinter.

Alek2ander commented 10 years ago

The protolathe build menu performs material checks. The circuit imprinter doesn't. On a related note, if a circuit design ends up without a sacid requirement, it will be buildable in a lathe, since materials are the only thing being checked there. Lockboxes are only created when using the protolathe "build" href, so the CI spawns stuff without them.

1638 fixed the protolathes.
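The two points made above, Giacom's rule that every Topic() handler must re-check what the UI implied, and Alek2ander's description of an imprinter href that performs no material, machine or lockbox check, can be put side by side in a small model. The following is an added example written in Python for this page, not code from tgstation or BYOND; the Console class, the design ids, their material costs and the "build"/"imprint" parameter names are all hypothetical. What it keeps from BYOND is the shape of the interaction: the client sends an href such as `?src=\ref[console];build=design_id`, the server parses it into an href_list and calls Topic(), and nothing stops a client from sending an href for a link it was never shown.

```python
"""Model of a research-console Topic() handler: spoofable href in, items out.

Added example, not tgstation code. Design ids, costs and the Console class are
constructed for illustration; "build" and "imprint" are hypothetical parameter
names standing in for the protolathe and circuit imprinter hrefs.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import unquote

PROTOLATHE = "protolathe"
IMPRINTER = "imprinter"


@dataclass(frozen=True)
class Design:
    build_type: str            # machine the design belongs to
    materials: Dict[str, int]  # material id -> units consumed
    lockbox: bool = False      # weapon designs are delivered in a lockbox


# Constructed catalogue; names and costs are hypothetical.
DESIGNS: Dict[str, Design] = {
    "adv_energy_gun": Design(PROTOLATHE, {"metal": 5000, "glass": 1000}, lockbox=True),
    "bag_of_holding": Design(PROTOLATHE, {"metal": 1500, "glass": 500}),
    "energy_relay_circuit": Design(IMPRINTER, {"glass": 2000, "sacid": 20}),
}


@dataclass
class Console:
    materials: Dict[str, int]       # what is loaded into the machine
    researched: List[str]           # designs this console is allowed to build
    built: List[str] = field(default_factory=list)


def parse_href(href: str) -> Dict[str, str]:
    """Split a BYOND-style href ("?a=1;b=2") into the href_list Topic() receives."""
    params: Dict[str, str] = {}
    for part in href.lstrip("?").split(";"):
        if part:
            key, _, value = part.partition("=")
            params[unquote(key)] = unquote(value)
    return params


def has_materials(console: Console, design: Design) -> bool:
    return all(console.materials.get(m, 0) >= n for m, n in design.materials.items())


def consume(console: Console, design: Design) -> None:
    for m, n in design.materials.items():
        console.materials[m] -= n


def topic_vulnerable(console: Console, href: str) -> str:
    """The pattern the thread describes: the protolathe 'build' href checks
    materials and adds the lockbox, while the imprinter href trusts the link."""
    href_list = parse_href(href)
    if "build" in href_list:
        design = DESIGNS[href_list["build"]]
        if not has_materials(console, design):
            return "not enough materials"
        consume(console, design)
        console.built.append(href_list["build"] + (" (lockbox)" if design.lockbox else ""))
        return "built"
    if "imprint" in href_list:
        # No research, machine, material or lockbox check: a spoofed
        # ";imprint=adv_energy_gun" yields a free, unboxed gun.
        console.built.append(href_list["imprint"])
        return "built"
    return "ignored"


def topic_hardened(console: Console, href: str) -> str:
    """Every href is attacker-controlled; each precondition the UI would have
    enforced is re-checked here before anything is produced."""
    href_list = parse_href(href)
    action: Optional[str] = next((a for a in ("build", "imprint") if a in href_list), None)
    if action is None:
        return "ignored"
    design_id = href_list[action]
    design = DESIGNS.get(design_id)
    if design is None:
        return "unknown design"
    if design_id not in console.researched:
        return "not researched"          # the link was spoofed, not clicked
    expected = PROTOLATHE if action == "build" else IMPRINTER
    if design.build_type != expected:
        return "wrong machine"           # no protolathe items out of the imprinter
    if not has_materials(console, design):
        return "not enough materials"
    consume(console, design)
    console.built.append(design_id + (" (lockbox)" if design.lockbox else ""))
    return "built"


if __name__ == "__main__":
    spoofed = "?src=%5Bref%5D;imprint=adv_energy_gun"   # constructed spoofed href
    c = Console(materials={"metal": 30000}, researched=["bag_of_holding"])
    print("vulnerable:", topic_vulnerable(c, spoofed), c.built)
    c = Console(materials={"metal": 30000}, researched=["bag_of_holding"])
    print("hardened:  ", topic_hardened(c, spoofed), c.built)
```

The hardened handler does not care how the href was produced (clicked, replayed from a cached page, or typed by hand); it only asks whether the requested action is permitted given the console's own state. The same reasoning covers the "multiple items within 1 second" observation in the thread: a build delay enforced only by the client's UI is bypassed the same way, so a busy flag or timestamp would have to be checked inside the handler as well.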

utahclock commented 10 years ago

Fixed with #2697

Razharas commented 10 years ago

Ok