Quote:
Originally Posted by f.montoya
Even that doesn't solve this issue. I've seen 2 of my sites with altered (OOTP generated) index.html pages with an ****** inserted. The hole you saw is EXACTLY how the bad guy is getting in. He either plays OOTP or spent enough time around here to get enough info on how to do this.
Even if you use a limited FTP account, the ****** can still get into the OOTP reports. If this happens, you run the risk of allowing a trojan type virus to get into several league members' computers. 
Been having a bit more of a think about this, and I think the following is something that should be seriously considered for OOTP10
The Online leagues work on a two-way FTP system and both the commish and the GMs have 'access' to the FTP settings (access defined as the means of getting hold of them)
The only need a GM has for FTP is really to upload their team export. There isn't necessarily a need to have an FTP download - it should be possible to do it via HTTP.
The game should have two FTPs - one for the commish and one for the GMs - and when the commish runs a sim and creates the .tar.gz file for the league it just strips out all the information pertaining to the commish FTP so the only FTP information that gets passed to the GM is the details he needs to export his team.
Then this export FTP can be given access to just one directory and there's nothing in there that can be exploited as it is just basically team_nnn.ootp files.
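As an added example (not the poster's or OOTP's own code), here is one way the split proposed above could be implemented and checked: the commissioner's FTP details are dropped before the league .tar.gz is built, the finished archive is scanned to confirm the commish credentials did not slip in, and names arriving in the export directory are accepted only if they look like team_nnn.ootp. The settings format, key names and all values are constructed for illustration and do not reflect OOTP's real file layout.

```python
import io
import re
import tarfile

# Constructed sample league settings (assumption: flat key=value entries,
# not OOTP's actual format). The passwords are obvious placeholders.
LEAGUE_SETTINGS = {
    "league_name": "Example League",
    "commish_ftp_host": "ftp.example.invalid",
    "commish_ftp_user": "commish",
    "commish_ftp_pass": "COMMISH-SECRET-PLACEHOLDER",
    "gm_ftp_host": "ftp.example.invalid",
    "gm_ftp_user": "gm_export",
    "gm_ftp_pass": "GM-EXPORT-PLACEHOLDER",
    "gm_ftp_dir": "/exports",
}
COMMISH_PREFIX = "commish_ftp_"

def gm_settings(settings):
    """Everything a GM needs, minus the commissioner's FTP details."""
    return {k: v for k, v in settings.items() if not k.startswith(COMMISH_PREFIX)}

def build_league_archive(settings, sanitize=True):
    """Pack settings into an in-memory .tar.gz, as the commish's sim step would.
    sanitize=False reproduces the current behaviour (commish FTP details included)."""
    chosen = gm_settings(settings) if sanitize else settings
    body = "\n".join(f"{k}={v}" for k, v in chosen.items()).encode()
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo("league/settings.txt")
        info.size = len(body)
        tar.addfile(info, io.BytesIO(body))
    return buf.getvalue()

def leaked_secrets(archive_bytes, secrets):
    """Scan every file in the archive for the given secret strings; return those found."""
    found = set()
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            if member.isfile():
                data = tar.extractfile(member).read().decode("utf-8", "replace")
                found.update(s for s in secrets if s in data)
    return sorted(found)

# team_nnn.ootp only: no paths, no extra extensions (digit count is an assumption).
TEAM_EXPORT = re.compile(r"^team_\d+\.ootp$")

def is_allowed_upload(filename):
    """True only for a bare team export filename in the GM directory."""
    return bool(TEAM_EXPORT.match(filename))
```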