RunUO Community


PHP web control panel to RunUO shard

ntony

Sorceror
A C# script plugin for the RunUO shard. It enriches the features of the RunUO shard remote admin system and allows RunUO shard staff to manage their game server on the web. The PHP web control panel connects to the RunUO shard using a plain TCP socket. The PHP scripts do not have to be hosted on the same server as RunUO.

Source code is hosted on Google Code.
URL: http://code.google.com/p/runuo-remote-admin-enrichment/

What exactly does my script do for you?

Basic remote admin features provided in RunUO official code:

  • Search RunUO game account (implementation incomplete in current version of web control panel)
  • Add RunUO game account
  • Modify RunUO game account
    • Change password
    • Change access level
    • Ban account
  • Remove RunUO game account (not provided in current version of web control panel)
  • Add IP restriction to RunUO game account (not provided in current version of web control panel)
Enriched remote admin features in this project:

  • Broadcast on RunUO shard same as you broadcast in game using staff account
  • Save RunUO shard instantly
  • Restart RunUO shard
  • Shutdown RunUO shard
You may also add functionality of creating new RunUO account instantly to your shard website, using the PHP function library in this project.

For any problem report or feature request, please do not put it on this thread.
For problem reports, please use the issue report feature on Google Code.
For feature requests, please contact me via email.
Thank you, and any input is welcome!
 

Felladrin

Sorceror
Awesome idea, ntony!
It's pretty useful, no doubt.
I'll give it a try soon, and maybe I can help in the development.
 

ntony

Sorceror
Awesome idea, ntony!
It's pretty useful, no doubt.
I'll give it a try soon, and maybe I can help in the development.

Thanks for your appreciation! It was my idea, but RunUO got this idea earlier than me. I don't know whether RunUO intended to make it available on the web or not, but there has been a RemoteAdmin script since early RunUO 1.0. I just discovered it and built some more features on it. I would add you to the project if you are willing to contribute to the RunUO community and get involved in this project.
 

Vorspire

Knight
This is really good work ntony, I've looked at your PHP scripts and you obviously know what you're doing with PHP, but I just felt a bit uneasy when I saw that you store the connection information (unsecured) in the session data. Sessions can be intercepted and the PHP session cookie can also be breached.

I just want to offer my advice when it comes to this kind of storage.
You should never store a username and password in a session, you should only keep the username and password data for as long as needed (which is simply just for the login process here)
Once the user has logged in, you should then store a value that indicates that they have passed the authorization and then let the script continue to function normally until that user ends the session.

Making this sort of modification in the context of RunUO, where PHP is state-less, is quite hard, since you are requiring that the login be made on every page load. You would need to have RunUO hold some information about the connection and how long it will stay open naturally, so that every time the PHP script connects, it doesn't need to supply the username and password, only the authorization key after the login.

This way, everyone has peace of mind and everything is a bit more secure, no worries about hacking and what-not.

Also, you'll be very pleased to know that PHP supports Object Orientation and the similarities between C# and PHP are pretty much unmistakable.

You can write a PHP class to contain your functions and you can make them public or private, local or static.
Using this kind of OO in PHP will allow you to add yet another layer of security to your scripts, since everything won't be contained in the Global scope of the script.

I understand that the things I have explained here may be a tad on the paranoid side, but when it comes to MY user's security and data protection, I will always go the extra mile to protect that sensitive information. Other than being required by law to protect my user's data, customer satisfaction and comfort is always my highest priority.

You don't have to heed my words, but I just hope someone doesn't discover an exploit with your system!
I'm willing to help you with any PHP related issues should you need it :)

Keep up the good work!

Just one *slightly* off-topic question...
Does the owner of any RunUO shard, depending on the nature of their server, have to register as a data controller under the Data Protection Act?
I would have thought it is a requirement for shards that take donations, because they are processing personal and financial information.
I'm going to be registered as a data controller from next month because I'm starting an official online business, but I will also be processing information to do with my RunUO shard and donation payments at some point next year.
 

tass23

Page
I agree with Vors on this one. Having used .Net and PHP in the past in web development, no sense risking unsecured connections if you don't have to. I do have to point one thing out though Vors:
I understand that the things I have explained here may be a tad on the paranoid side, but when it comes to MY user's security and data protection, I will always go the extra mile to protect that sensitive information. Other than being required by law to protect my user's data, customer satisfaction and comfort is always my highest priority.

You don't have to heed my words, but I just hope someone doesn't discover an exploit with your system!
For those that didn't know there was an exploit, now they do LOL
It's okay though, a few simple changes and pertinent info can be secured, at least as secure as anything can be over the Internet ;)
 

Iomega0318

Sorceror
Who Must Register?
Under Section 16 of the Data Protection Acts, 1988 & 2003, certain categories of data controllers are required to register providing that personal data is being held in an automated form (e.g. on computer). In order for Section 16 of the Data Protection Act to apply, the applicant must have a presence in this state.

1 Government bodies / public authorities
- excluding commercial state and semi-state bodies

2 Banks and financial / credit institutions
-this includes a person who holds or has held a licence under section 9 of the Central Bank Act 1971 or a person referred to in section 7(4) of that Act (other than an institution referred to in paragraphs (a) and (f) of that section), or a person authorised to carry on business in the State in accordance with the European Communities (Licensing and Supervision of Credit Institutions) Regulations 1992 (S.I. No. 395 of 1992).

3 Persons whose business consists wholly or mainly in direct marketing

4 Persons whose business consists wholly or mainly in providing credit references

5 Persons whose business consists wholly or mainly in collecting debts

6 Internet access providers

7 Telecommunications network or service providers
-within the meaning of the Electronic Communications Networks and Services (Authorisation) Regulations 2003.

8 Anyone processing personal data related to mental or physical health(1) (e.g. health professionals(2))(3)

(1) -Except where such data is processed within the terms of a code of practice approved by each House of the Oireachtas under Section 13 of the Data Protection Act 1988.
(2) -“Health professional” means a registered medical practitioner within the meaning of the Medical Practitioners Act 1978 (No. 4 of 1978), a registered dentist, within the meaning of the Dentists Act 1985 (No. 9 of 1985) or a member of a designated profession within the meaning of section 3 of the Health and Social Care Professionals Act 2005 (No. 27 of 2005).
(3) -This applies only to data controllers processing personal data related to mental and physical health; where a health professional is an employee of a data controller (such as a hospital), the health professional is not required to register separately from the data controller. Health professionals with private patients who are using facilities made available by another data controller (such as a public hospital) are required to register.

9 Anyone processing genetic data(1) (2)

(1) within the meaning of section 41 of the Disability Act 2005.
(2) Data controllers who intend to process genetic data for employment purposes must obtain specific approval from the Data Protection Commissioner in accordance with Section 12A of the Data Protection Acts 1988 and 2003 and pay the prescribed fee.

10 Anyone whose business consists of processing personal data for supply to others, other than for journalistic, literary or artistic purposes (1)

(1) Except where such data is processed within the terms of a code of practise approved by each House of the Oireachtas under Section 13 of the Data Protection Acts, 1988 & 2003

Probably won't need to register.
 

ntony

Sorceror
You would need to have RunUO hold some information about the connection and how long it will stay open naturally, so that every time the PHP script connects, it doesn't need to supply the username and password, only the authorization key after the login.

This way, everyone has peace of mind and everything is a bit more secure, no worries about hacking and what-not.

Thanks a lot for your advice, Vorspire. It's very good to have security advice; that has been my concern in this project. But making it possible to connect without a username and password isn't making it more secure; it introduces other security issues that let people play man-in-the-middle attacks, session hijacking, or use fake credentials. Yes, there is another more vulnerable point: the credential data is transmitted in plain text, even in the official release of the RunUO server itself. A shard owner can apply a custom script to make it possible to use EA's official encryption, but it's useless to do so, because if you know the key, you know how to crack it. So security is a very tough topic on RunUO. But it's always good to talk about it. At least I can make it a little more secure.

I had discovered that PHP couldn't keep the TCP connection open even if I keep the connection object in the session. How much more security does "encapsulating the username and password into a PHP class" provide? I haven't studied much about OO PHP and security in OO PHP. Please advise or point me to topics that I should study.

Thank you for this very useful advice!
 
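One way to apply the session advice in Vorspire's post (keep only an authorization marker in the session, not the credentials) while also addressing the expiry and session-hijacking concerns in ntony's reply, written as an added PHP example that is not code from the project or from either poster: the credentials are used once at login, the session holds only an opaque shard-issued key with a sliding expiry, and the shard-side login that checks the credentials and issues the key is an assumption injected as a callable, since the thread does not show the RemoteAdmin wire protocol.

```php
<?php
// Added example; not the project's code. The shard login that verifies the
// staff credentials and returns an authorization key is assumed (injected).
final class StaffSession
{
    private const KEY = 'shard_auth';
    private const TTL = 900; // assumed policy: key idles out after 15 minutes

    /** @param callable(string,string):?string $shardLogin returns a key or null */
    public static function login(string $user, string $pass, callable $shardLogin): bool
    {
        $key = $shardLogin($user, $pass);   // credentials used once, never stored
        if ($key === null) {
            return false;
        }
        session_regenerate_id(true);        // fresh session id after login
        $_SESSION[self::KEY] = ['key' => $key, 'expires' => time() + self::TTL];
        return true;
    }

    /** The key to present to the shard, or null when the session is not valid. */
    public static function authKey(): ?string
    {
        $auth = $_SESSION[self::KEY] ?? null;
        if ($auth === null || $auth['expires'] < time()) {
            self::logout();
            return null;
        }
        $_SESSION[self::KEY]['expires'] = time() + self::TTL;   // sliding expiry
        return $auth['key'];
    }

    public static function logout(): void
    {
        unset($_SESSION[self::KEY]);
        session_regenerate_id(true);
    }
}

// Cookie flags limit what an intercepted or scripted session cookie is worth.
session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Strict']);
session_start();

// Constructed stand-in for the shard login (the real one would use the TCP socket).
$fakeShardLogin = function (string $u, string $p): ?string {
    return ($u === 'admin' && $p === 'secret') ? bin2hex(random_bytes(16)) : null;
};
StaffSession::login('admin', 'secret', $fakeShardLogin);
$keyForShard = StaffSession::authKey();   // send this instead of the password
```

With this layout the password never reaches `$_SESSION`, and a stolen session only yields a key that the shard side can expire or revoke independently.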