Rabbitoshi / Points Mod Exploit

[MWE001]

Hey I was curious if the exploit ( kind of ??) the I found out my version I ma using has is fixed in the 3.13 that you are using for your premod.

I am more than sure the issue I just found was found long ago. What I found is while at the pet store to purchase consumable goods for our pets, one can literally click the "Perform these purchases" button and not make any choices at all and instead of taking points/gold or whatever you set yours as, away from us, it actually increases by 1 point per click of the mouse on the button!

So to break it down in order:

1: I am viewing my Pet. 2: I click Pet Shop Button 3: Once I enter Pet Shop I make NO choices I leave everything as is. 4: I simply start clicking make purchases and watch the points add up 1 at a time!

[vendethiel]

Hi Ray,

thanks for the heads up, that indeed does sound annoying. I need to reinstall a board with my docker and see how it behaves.

[MWE001]

Not a problem at all. I did find one other one as well that was giving me "Free" points and for the life of me I can not recall where it was. I am looking as we speak. If I find it I will let you know. If not, it must have been a 1 off board error I suppose.

And I just found it! It is in the vault!

If I enter the Vault and enter the stock exchange, I looked at how many points I had, we'll say 16,900 for this report, I made NO choices of any stocks at all and simply clicked the submit button 5 times and then I magically had 16,905 points.

Oh and another! The Shops as well. The Standard forum shop, Admin shop as well as all the addon shops. If you make no selection of items and simply submit, your points increase by 1 per click of submit.

So by making no choices at all in AD&R when it comes to making purchases anywhere where purchases can be made, we can exploit it and get free gold/points or whatever one chooses to call their currency.

[vendethiel]

If I enter the Vault and enter the stock exchange, I looked at how many points I had, we'll say 16,900 for this report, I made NO choices of any stocks at all and simply clicked the submit button 5 times and then I magically had 16,905 points.

I've never been a big fan of the Vault mod, but it was part of the ShadowTek premod so I left it as-is. You can see I never touched that file because it has file endings problem (the red ^M you see on github are supposed to be newlines, but something broke when moving code from linux to windows or the opposite as it sometimes does).

Oh and another! The Shops as well. The Standard forum shop, Admin shop as well as all the addon shops. If you make no selection of items and simply submit, your points increase by 1 per click of submit.

I'm really surprised no one caught this one before. I'll try to take a look.

Are you testing on your own local board your reinstalled recently, or are you able to use ezarena at all with a translator?

I need to figure out a list of all the mods the ShadowTek premod had, although his forum died many years ago, so I can try and find a language pack for all these mods, and rebuild the language files from that. It'll probably also require going through all the mod installation instructions if they just add some simple keys to adr_main_lang.php

Talking about which, do you still have the ShadowTek 0.3.4 ADR Premod ZIP somewhere? I concur this should have the main language files in english.

[MWE001]

I'm testing on the stock phpBB 2.0.23 and AD&R mods that I have.

I may be able to give your premod a try. Can't hurt to try :-) And I do infact have ShadowTek's premod. I have every single mod he ever made available on his website including the premod.

[MWE001]

Out of curiosity, what version of php does your premod run on? As I pointed out over at the other website now a days I pretty much just want a very slim install to hack and slash a few beasts and have a little fun while my grand son is sleeping and that is about it. However, I do have 2 days a week he is not here and I have a little down time that I can do some installing and having a go at your premod. And I know for a fact I do have ShadowTek's Premod as I pointed out, just having a issue locating it. I did find a premod but it isn't his.

[vendethiel]

It should be fine on PHP 5, but if you need me to update it to PHP 7i can do it. I just wish i had english lang do it would be more interesting to you

[MWE001]

php5 is perfect for me since that is already what I am currently using for my little adventures.

Is it ShadowTek's premod for certain taht you need for the English files? Or just all the mods in general that you used? I literally have stacks of AD&R mods plus piles of phpBB 2 mods galore.

And on a side note as far as the original Points thing goes that I had posted this trouble for, years back I did a website for php class in school and I had to reject a form or anything else if a submit button was clicked an d it would send back an error saying please try again or something like that. I am not certain how simple it would be to fix this issue here. I know for a fact this code was written a good 4 or 5 years before I was in school. But then again I have forgotten about 95% of what I ever learned.

[MWE001]

https://drive.google.com/drive/folders/1cvDu9E9pAB0QGhB4Ij6vGB_1oO0KzXY8?usp=sharing

Here you go. These are the only 2 complete Premods that I can find right at the moment. I'm not sure if either one is ShadowTek's or not. I know for certain I had it at one point in time but man so many days and nights have passed since.

[vendethiel]

Is it ShadowTek's premod for certain taht you need for the English files? Or just all the mods in general that you used? I literally have stacks of AD&R mods plus piles of phpBB 2 mods galore.

the issue is, I need to start off shadowtek’s premod, apply all language changes from adr 0.3.4 to 0.4.5, apply all the language changes from smaller mods, find the original English files for all the bigger mods, and also add translation for all the smaller « mods » I made myself. That’s why it’sa lot of work I’ve never tackled yet.

at the end of that, I’ll probably write a small PHP program to do a diff and find any missing keys that I forgot

[MWE001]

Ahh nice! Yeah that is a load of work and one that is not fun or exciting to do.

I can take and upload everything I have. Maybe I have some stuff you don't? Not sure. I have been trying real hard to get rid of doubles and triples. I am getting there but it is hard. Let me know if that interests you and I will get it all uploaded for you and get you a link.

[MWE001]

Hey just a quick update on the issue I raised here.

Upon further review, the issue is not AD&R or Rabbitoshi at all giving away free points. It is the points system 2.1.1. I did a quick clean install of phpBB 2.0.23 and AD&R 0.3.4 and Rabbitoshi 2.1.0 and Cashmod 2.2.1 instead of the points system and I can not exploit any free points from any where on the board. Nothing in the forums, rabbitoshi shops, Forum shops for AD&R nor the Vault / Stock Exchange.

[vendethiel]

I remember back in the days there were those two mods competing and everyone had their favorite. I think the cash mod had the ability to create several types of money, but AD&R only uses the user_points field. It’d be kind of cool to support several ones, but also a huge undertaking considering how the points are used everywhere

[psychobunny]

Hi everyone just wanted to throw my two points (lol) in.

This vuln actually was a thing from day one so we preferred cash mod over points mod (not endorsing one over the other)

Unfortunately a lot of mods were built really early so it makes it complicated.

I’m really glad to see people working on this stuff. Honestly, if there’s real interest, I’d be up for getting back into this though I’m more keen on porting things to node.js

Anyway. I should just say be wary but of course it’s not real money but the points mod has so much issues with ADR.

[vendethiel]

Hi psychobunny (not sure how you did end up here)! Long time no see outside of a few interactions on the fb adr group and the nodebb adr thread. Hope you’re doing alright.

I’d say the most important thing is not technical (though if you’ve checked it out, I’ve started refactoring some ADR code into the functionsrefactor*.php files) but really the lack of english.

since AD&R is really self-contained, it’s pretty easy to install this as an « AD&R premod » and I’ve done so with Integramod and Icy Phoenix (the former has PCP which complicates everything and Icy has a very different template builtin, so it looked poor)

[psychobunny]

I’ve been paying attention. You have been doing a sick job so thank you for working on this

[psychobunny]

Haha I just realized it may not translate right. I mean a good job an amazing job. I hope you understand

Anyway I’d love to revitalize this one day, given a good team to help

I have a really cool design on figma to share if people are interested

[MWE001]

Holy cow! OzzieOne and Psychbunny all in one week? lol That is crazy right there. :-) Nice to bump into awesome mod authors from days gone by. I still love calling the big mouth rabbit into a battle even if it is on a .localhost server now a days due to old php and host wont allow old php for good reasons.

As far as the regular issue goes that I posted about, yeah it 100% is points system. I have both old test boards going and ran both until I was blue in the face and cash mod is solid still. I had a profile error I had to fix (took me 2 whole minutes) but otherwise solid. But the points system I was able to milk free points put of it everywhere there is a submit button. So I retract my wording of Rabbitoshi from the title of the issue here and make it Points System instead.

[MWE001]

Hey Ven, I found ShadowTek's Premod! I knew I had it. Let me know your preferred method to get it to you, DropBox, Google Drive etc and I can make it happen.

[vendethiel]

Drive is fine. The way to go about this, I think, is:

• take the shadowtek english files
• take all the mods I’ve added since then
• for each mod, add any new file they add
• for each mod, check their modfile to see if they add lang keys anywhere else
• take the AD&R update instructions and update lang files
• do a diff on all the files to see if I’ve missed something
• do a diff on a the lang keys

and that should be a good start

[MWE001]

I think I shared the link with you before to the drive folder but Ill give it again. This is typically where I share all phpBB related materials.

https://drive.google.com/drive/folders/1cvDu9E9pAB0QGhB4Ij6vGB_1oO0KzXY8?usp=sharing

What you will find in there are 3 files. the cgcxxxx what ever file that is is actually a premod that I got from the old emerald chaos website. The one that just says premod.zip, I am not real sure what premod that is. It came from OzzieOne or ShadowTek one of the two. I am not real sure and not sure of it's quality (if the files are unadulterated or not).

The one that says install_premod is 100% without a doubt a legitimate unadulterated ShadowTek Premod. I believe it is a very early version (??) . I'll not elaborate any further on that file. I'll just let you look at it for yourself. I was quite in shock when I saw it and what all had to be done to use., it.

In that very same Drive folder, if I have room on my drive, I am going to start uploading ALL of everything I have AD&R and Rabbitoshi Related into categories if I can pull it off. I'll keep you posted. All have the English files intact as well.

[vendethiel]

cgphpbb is a whole phpBB2 premod. I might add it to https://github.com/phpbb2premods, since I don't have that one archived yet.

Alas, that ShadowTek premod is way too early a version. If you open the .rar, you'll see it barely has any files at all, whereas the actual version with one_piece's mods adds a toooooon of files (just check how many adr_TownMap_*.php there are here in this repo!). (I made sure this wasn't just a bug in the google rar viewer and downloaded it on my local computer).

I need to check my own archive files...

[MWE001]

Yeah that is why I didnt want to elaborate any further on it. When I read the install and thanks file I saw that it required all the other mods to be installed first before dropping in his files and then running the db update. I knew I had one but didn't realize it was that early of one.

I am still digging in files and adding to the Drive as I go. I found another premod that has Town environment and all LOADS of files and mods (15 megs or so large) but it has no install file with it at all.

EDIT

I'm fairly certain that this one was supposed to be a full premod package and not as small as it is. Most of it is missing. The file I found is incomplete. I am guessing it is due to a hard drive recovery that went sideways on me a few years back. I am still battling bad files every since. I am looking at a folder now of what appears to be a premod folder that makes no sense at all for any other reason. I am trying to put 2 + 2 together and see of both folders come together to make the complete thing or not.

One of the major factors is ShadowTek was not the best person in the world at making notes in his install docs. He mentioned "Included files is = Many" SMDH .... lol If he would have said what ones........ I'm still working on it but believe I may have it narrowed down.

[MWE001]

Just a quick side note, I was never 1 to use Github successfully. I truly never knew how to use it. So if there is any way at all to start a regular post without cluttering up the "Troubles" option we have going here, I do apologize.

I just wanted to swing by and drop a quick note and mention that I have been adding English translation to ezArena. Some of it I may not be able to do and some may be so far embedded into it I may not know where to even go about trying to translate it. I am doign what I can as far as the lang_english folders go in the adr and base phpBB folders are concerned and adding some mod required edits to the base lang main and lang admin base files for phpBB as well. Some mods I am not finding. So it is going to be hit or miss once again as to what I can and can not help out with.

[vendethiel]

Always better than the current state of affairs.

On a semi-related note, I've been meaning to wait and see but I think it's been more than a week -- have you also been having latency issues on phpbb2refugees? Sometimes it takes more than 15s to load for me.

[MWE001]

I have not been by since I couldn't login that day when I was out and about and I was on my VPN. I have real issues with websites skirting security to keep spammers in check. Especially on a board that sees maybe a post a month or 2? I been meaning to drop back by but haven't. I have been up to my ears in things to do lately and without leaving myself a post it note, I will literally forget due to the very same reason I mentioned over there. But now that you mention it, let me go give it a try right quick. ....

I was immediately logged in right on the spot. As soon as I let off the key it was loaded.