I think that people who assume the patch will magically fix their security issue will be let down a bit. What it sounds like the patch will be doing is fixing the hole where the login information/password is viewable within the league dat file in clear text if you look for it. I assume that the patch will be using some form of encryption within the league file so it is not viewable for someone who downloads the file. With the type of encryption that I would assume they would use here, keep in mind that many forms of encryption can still be broken by someone who really wants to do so.
Even without looking through the league file however, it is still extremely trivial to get an FTP account name and password if someone who has ootp9 downloads the file, due to how the FTP protocol works. Any person with a fairly basic understanding of FTP packets on a network wire could probably still get it, and this is something that cannot be patched. It would require a completely different protocol (SFTP for instance) to fix this issue.
Ideally to protect yourself against this type of thing, you could make sure absolutely no one had your league file except for your trusted owners in the league. That is fairly impractical though for most leagues I assume.
To protect yourself, you should create an FTP user account on your ftp server that -only- has access to the import-export folder on the ftp server which contains the team files and the league file and nothing else. Use that account in your ootp league file and it would limit any exposure to the rest of your site. The problem this causes however would be extra complications in updating league html files which would have to either be done manually, or by manually changing the account username/password for the report uploads each time before doing it.
Anyhows, just wanted to make sure it was known that as long as FTP is used, someone competent enough to know how to write a virus/trojan would likely know how to exploit FTP to still get the same information even if it is encrypted within the league file.
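To make the point about the wire concrete, here is an added example (not from the original post or from the OOTP developers): a small detector that walks a constructed FTP control-channel transcript, flags each USER/PASS exchange as a cleartext login, and classifies an upload URL by whether its scheme protects credentials. The transcript, account name and hostname are placeholders I made up.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed transcript of an FTP control channel (TCP port 21) as it
# appears on the wire; the account name and password are placeholders.
SAMPLE_CONTROL_CHANNEL = """\
220 (vsFTPd 3.0.3)
USER league_uploader
331 Please specify the password.
PASS placeholder-not-a-real-password
230 Login successful.
CWD /import-export
250 Directory successfully changed.
"""


@dataclass
class CleartextLogin:
    user: str
    password_seen: bool  # the password value itself is never retained


def find_cleartext_logins(control_channel: str) -> list[CleartextLogin]:
    """Report every USER/PASS exchange in a control-channel transcript.
    Only the fact that a readable password crossed the wire is recorded."""
    findings: list[CleartextLogin] = []
    pending_user = None
    for line in control_channel.splitlines():
        m = re.match(r"^(USER|PASS)\s+(\S.*)$", line, re.IGNORECASE)
        if not m:
            continue
        cmd, arg = m.group(1).upper(), m.group(2).strip()
        if cmd == "USER":
            pending_user = arg
        elif cmd == "PASS" and pending_user is not None:
            findings.append(CleartextLogin(user=pending_user, password_seen=True))
            pending_user = None
    return findings


def transport_exposure(upload_url: str) -> str:
    """Classify a league's upload URL: plain FTP sends the login and the files
    readable to anyone on the path; SFTP (SSH) and FTPS (TLS) do not."""
    scheme = urlparse(upload_url).scheme.lower()
    if scheme == "ftp":
        return "cleartext"
    if scheme in ("sftp", "ftps"):
        return "encrypted"
    return "unknown"


if __name__ == "__main__":
    for f in find_cleartext_logins(SAMPLE_CONTROL_CHANNEL):
        print(f"cleartext FTP login for user {f.user!r} seen on the wire")
    print(transport_exposure("ftp://league.example.com/import-export"))
```

The same USER/PASS pattern is what network monitors such as Zeek's ftp.log record, which is why a restricted upload-only account limits the damage but only SFTP or FTPS removes the exposure.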