Attention, online league commissioners! A security issue has been discovered in the online league dat files. The dat files contain the league server's FTP access information, and if a hacker finds the username and password he could easily access your web space and do all kinds of malicious things.
We will release a patched version very soon where the FTP information contained in the dat files is encrypted. It's currently in beta testing.
However, as you know, any encryption can be broken, so we strongly suggest that you hide your league files! Only GMs should have access to the league files. There should be no (public) link to the league file anywhere on your web space. That's easy to do and it will keep away the evildoers.
The perfect solution for the league file problem would be an extra subdomain on your web space where PHP/CGI/Perl/ASP is turned OFF and which has an extra FTP account that can only access that subdomain folder.
Please, all commissioners, do the following ASAP:
--- Change the FTP password of the web site which the GMs used for the online leagues NOW (i.e. the password which has been entered in OOTP). The password must be replaced with another one IMMEDIATELY! If you cannot do that or if you don't know how to do that, you have to ask the admin of the web server, i.e. your ISP (Internet Service Provider) who hosts your web space.
--- Move the league file to a different place on your web server where NOBODY CAN FIND IT. Only the GMs may know the address of the league file! Nobody else should be able to find it. You could just rename the league file or move it to another folder. In OOTP 2007/8/9 there is an option to set the name of the league file. Just set it to, for example, myLeague_ahsfkas89df.tar.gz, and nobody will find it except your GMs, who will get the link to the file from you.
--- Remove the link to the league file from your homepage! Many online leagues publish the link on their web page for convenience, but you should no longer do that!
--- Message board software and CMS (Content Management System like Joomla) software used for the online league web sites should be updated whenever updates are available. Hackers find new security holes in that kind of software frequently, simply because they have the source code of the software.
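The renaming and link-removal steps above can be checked with a short script. This is an added example, not code from OOTP Developments: it builds a league file name with a random part from the operating system's secure random generator and lists links in a page that still point at a .dat or .tar.gz file. The function names, the 16 random bytes and the sample homepage are assumptions made for illustration.

```python
import secrets
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Extensions taken from the notice: the .dat files and the .tar.gz league file.
LEAGUE_FILE_SUFFIXES = (".dat", ".tar.gz")


def unguessable_name(prefix="myLeague", suffix=".tar.gz", random_bytes=16):
    """Return e.g. myLeague_<32 hex chars>.tar.gz using the OS CSPRNG."""
    return f"{prefix}_{secrets.token_hex(random_bytes)}{suffix}"


class _LinkCollector(HTMLParser):
    """Collects every href/src attribute value found in a page."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value:
                self.links.append(value)


def find_league_file_links(html):
    """Return links in `html` whose URL path ends in a league-file extension."""
    collector = _LinkCollector()
    collector.feed(html)
    # Compare only the URL path, so ?query and #fragment do not hide a match.
    return [link for link in collector.links
            if urlsplit(link).path.lower().endswith(LEAGUE_FILE_SUFFIXES)]


# Constructed sample homepage (not taken from a real league site).
SAMPLE_HOMEPAGE = """
<html><body>
<a href="standings.html">Standings</a>
<a href="/files/myLeague.tar.gz">Download league file</a>
<a href="http://league.example/export/league.DAT?v=2">Raw data</a>
</body></html>
"""

if __name__ == "__main__":
    print("New league file name:", unguessable_name())
    for link in find_league_file_links(SAMPLE_HOMEPAGE):
        print("Remove this public link:", link)
```

The random name only stays secret if the web server does not show a listing of the folder's contents and the link is sent to the GMs privately.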
We apologise for any inconvenience!!
Please also have a look at these threads:
http://www.ootpdevelopments.com/boar...e-leagues.html
http://www.ootpdevelopments.com/boar...ty-notice.html