<?xml version="1.0"?><!-- generator="bbPress" -->

<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
>

<channel>
<title>Ace of Spades Game Forums &#187; Tag: herp derp - Recent Posts</title>
<link>http://forumarchive.spadille.net/</link>
<description>Ace of Spades Game Forums &#187; Tag: herp derp - Recent Posts</description>
<language>en</language>
<pubDate>Sat, 16 May 2026 08:12:34 +0000</pubDate>

<item>
<title>nothings on "Stop hating pyspades."</title>
<link>http://forumarchive.spadille.net/topic.php?id=2179#post-26983</link>
<pubDate>Tue, 14 Jun 2011 16:28:41 +0000</pubDate>
<dc:creator>nothings</dc:creator>
<guid isPermaLink="false">26983@http://forumarchive.spadille.net/</guid>
<description><p><em>Still, I've found multiple flaws while developing pyspades and submitted them to Aksoy, and that has really only made the game better (the server identifier and the caplimit protocol bug, etc.).</em></p>
<p>Ok, that's a fair point. I don't really know how that all balances out.</p>
<p>(As to the "pyspades is worth it", at heart, the axe I might be grinding here is it just feels disrespectful to engage in the cliche "my open source project is a clone of this closed source project" while the closed source project hasn't even shipped (and to rely on some of the interop with other still-beta closed-source components for the complete experience), but that's not really my business as much as it is Ben's, and I certainly can't claim to speak for him so really what's the point, and I should just keep my mouth shut.)
</p></description>
</item>
<item>
<title>Nico199513 on "Stop hating pyspades."</title>
<link>http://forumarchive.spadille.net/topic.php?id=2179#post-26753</link>
<pubDate>Tue, 14 Jun 2011 10:23:49 +0000</pubDate>
<dc:creator>Nico199513</dc:creator>
<guid isPermaLink="false">26753@http://forumarchive.spadille.net/</guid>
<description><p>I think dan was being far too harsh there, and bob is right, for once.
</p></description>
</item>
<item>
<title>mat^2 on "Stop hating pyspades."</title>
<link>http://forumarchive.spadille.net/topic.php?id=2179#post-26728</link>
<pubDate>Tue, 14 Jun 2011 09:13:38 +0000</pubDate>
<dc:creator>mat^2</dc:creator>
<guid isPermaLink="false">26728@http://forumarchive.spadille.net/</guid>
<description><p>nothings: I do recognize that it would have hindered the exploit for several months if we had assumed the servernames weren't escaped earlier. I wouldn't mind taking that "blame" myself. </p>
<p>I think that not finding these security flaws (through a positive project like pyspades or similar) would only serve blackhat hackers, since they definitely won't tell how they're exploiting servers. It will be harder to find the exploit in C than in Python. I admit that pyspades makes it easier for anyone to find flaws like this, but those *can* be fixed by Ben, and definitely should be. I don't like the "it's secure as long as nobody knows how it works"-mentality, since when the blackhatters arrive, you're usually very, very screwed, and the game can potentially die or lose a lot of players (I've seen this happen). Writing good protocols for FPS' that don't rely on the client-side at all is admittedly not trivial, and several popular games deploy a similar mentality, depending on for example PunkBuster for protection. Still, I've found multiple flaws while developing pyspades and submitted them to Aksoy, and that has really only made the game better (the server identifier and the caplimit protocol bug, etc.). I don't think you can deny that. There's even a chance Ben wouldn't have found these bugs himself (bit-packing can be tricky).</p>
<p>I don't know why some specific people think that developing pyspades is not 'worth it'. It is for me and it always will be, so unless you're trying to make some other point than 'stop pyspades development now please', please enlighten me ;) I think collaboration is a much better way to success, especially in regards to network protocols and design. If we get major client-side hacks on the servers again (like a few months back), we're not completely helpless, and we won't have to rely on a new server.exe to be released. We can identify the exploit, send a message to Aksoy, implement a fix quickly, then push it to the repository (which would probably serve as instructions to him).</p>
<p>bcoolface: Thanks!
</p></description>
</item>
<item>
<title>Fluttershy on "Stop hating pyspades."</title>
<link>http://forumarchive.spadille.net/topic.php?id=2179#post-26725</link>
<pubDate>Tue, 14 Jun 2011 08:54:06 +0000</pubDate>
<dc:creator>Fluttershy</dc:creator>
<guid isPermaLink="false">26725@http://forumarchive.spadille.net/</guid>
<description><p>So the problem is permanently fixed?
</p></description>
</item>
<item>
<title>TheGrandmaster on "Stop hating pyspades."</title>
<link>http://forumarchive.spadille.net/topic.php?id=2179#post-26724</link>
<pubDate>Tue, 14 Jun 2011 08:43:58 +0000</pubDate>
<dc:creator>TheGrandmaster</dc:creator>
<guid isPermaLink="false">26724@http://forumarchive.spadille.net/</guid>
<description><p>Ah great. Thought it was a simple thing - thanks Ben!
</p></description>
</item>
<item>
<title>bcoolface on "Stop hating pyspades."</title>
<link>http://forumarchive.spadille.net/topic.php?id=2179#post-26708</link>
<pubDate>Tue, 14 Jun 2011 06:58:52 +0000</pubDate>
<dc:creator>bcoolface</dc:creator>
<guid isPermaLink="false">26708@http://forumarchive.spadille.net/</guid>
<description><p>I sanitize the server names now - and didn't even need a master server reset so all is good.
</p></description>
</item>
<item>
<title>YourMom on "Stop hating pyspades."</title>
<link>http://forumarchive.spadille.net/topic.php?id=2179#post-26707</link>
<pubDate>Tue, 14 Jun 2011 06:57:55 +0000</pubDate>
<dc:creator>YourMom</dc:creator>
<guid isPermaLink="false">26707@http://forumarchive.spadille.net/</guid>
<description><p>It wasn't PySpades' fault, or its developer's fault, or Ben's fault. It was the fault of the douche who figured out who can use URLs in PySpades for the server link, and used a porn URL. This could've happened with any custom server program, but PySpades had the most flexibility/capability of doing the bad deed.</p>
<p>However, from playing on Sham's server I think that PySpades is very well programmed and has neat add-ons to the game that other servers don't have, such as streak counts, following other people (spawning next to them when you die), and airstrikes which heal your team and attack one square of the enemy's.<br />
PySpades should not be removed from Ace of Spades.
</p></description>
</item>
<item>
<title>Bob on "Stop hating pyspades."</title>
<link>http://forumarchive.spadille.net/topic.php?id=2179#post-26705</link>
<pubDate>Tue, 14 Jun 2011 06:54:31 +0000</pubDate>
<dc:creator>Bob</dc:creator>
<guid isPermaLink="false">26705@http://forumarchive.spadille.net/</guid>
<description><p>Mr. nothings, you think that the problem resulted because the pyspades software had its sourcecode available? One of the arguments for free and open source software is that the more eyes looking at source code means the more eyes looking for bugs and security holes. It's better that this hole was found now, rather than later, because that means that it can be fixed relatively early on. </p>
<p>Don't blame the developer of pyspades for Mr. Aksoy's mistakes, please!
</p></description>
</item>
<item>
<title>nothings on "Stop hating pyspades."</title>
<link>http://forumarchive.spadille.net/topic.php?id=2179#post-26704</link>
<pubDate>Tue, 14 Jun 2011 06:48:25 +0000</pubDate>
<dc:creator>nothings</dc:creator>
<guid isPermaLink="false">26704@http://forumarchive.spadille.net/</guid>
<description><p>Here's the reality on the ground as I see it.</p>
<p>Ben's master server has a dumb security bug because he relied on his server.exe to do the HTML cleaning. This <em>could</em> in theory have been exploited by anyone, but the target market of aos players is very small so it's highly unlikely that a black hat would have bothered reverse engineering the protocol and coming up with that exploit independently.</p>
<p>The developer(s) of pyspades did the reverse engineering work (for other reasons). They also released code that was usable that made it <em>ridiculously easy</em> for script-kiddie sorts of people to perform this exploit (though obviously they released the code for other reasons).</p>
<p>None of that was the pyspades developers' intent, and it wouldn't matter if the master server didn't have the dumb bug. Nevertheless, Ben's poor security practices were made a lot more vulnerable <em>in practice</em> by the pyspades development.</p>
<p>Given AoS is in beta, it's not surprising that Ben's stuff has security flaws. So this just confirms my opinion that I think the developers of pyspades have made a poor choice in terms of serving the community by open sourcing their own server, esp during beta. I'm not saying the bad behavior is their <em>fault</em> (the fault lies with Ben's bug and the script kiddie idiots). But I don't think they're being realistic in these threads about the consequences of their actions.</p>
<p>And there may be other consequences. For example, maybe there are bugs in the client that can be exploited by bad servers. Pyspades gives a theoretical black hat a head start in trying to exploit those bugs. Maybe not as big a deal in this case (since they have to look for exploits in the client, they have to already be competent, not script kiddies). But that's just one possibility, and maybe there are more possibilities we haven't thought of (just like nobody'd thought of this one two days ago).</p>
<p>To sum up, while none of these are the pyspades developer's "fault", I have to wonder: do the advantages to the community of the existence of "good" pyspades servers really outweigh all the possible downsides of the existence of pyspades for the community, one of which we're seeing right now?</p>
<p>I mean, the cat's out of the bag anyway, it's not like anyone, including pyspades developers, can do anything about it <em>now</em>. But I wish they would recognize their contribution to the situation instead of passing the buck 100% in multiple threads.
</p></description>
</item>
<item>
<title>Bob on "Stop hating pyspades."</title>
<link>http://forumarchive.spadille.net/topic.php?id=2179#post-26703</link>
<pubDate>Tue, 14 Jun 2011 06:45:59 +0000</pubDate>
<dc:creator>Bob</dc:creator>
<guid isPermaLink="false">26703@http://forumarchive.spadille.net/</guid>
<description><p>Less logical fallacies and grammatical errors, please, Mr. danhezee! Allow me to point you to <a href="http://ace-spades.com/forums/topic.php?id=1760">Rule 3.7</a>, which reads:</p>
<blockquote><p>Please try to use proper grammar/spelling as it makes it easier for other users to understand you.
</p></blockquote>
<p>If these are not assumptions, but things that Mr. Aksoy has told you, please ask him to review his books on formal logic! Attacking Mr. mat^2 without grounds isn't very nice, and since you've been doing it repeatedly, it's abuse, which goes against <a href="http://ace-spades.com/forums/topic.php?id=1760">Rule 3.2</a>, which reads:</p>
<blockquote><p>
Refrain from posts that contain directed abuse/racism/overuse of swearing.
</p></blockquote></description>
</item>
<item>
<title>someonesomewhere on "Stop hating pyspades."</title>
<link>http://forumarchive.spadille.net/topic.php?id=2179#post-26697</link>
<pubDate>Tue, 14 Jun 2011 06:05:23 +0000</pubDate>
<dc:creator>someonesomewhere</dc:creator>
<guid isPermaLink="false">26697@http://forumarchive.spadille.net/</guid>
<description><p>Even if pyspades is fixed, the old versions are available, and ultimately someone could just directly connect to the master server with their own custom code.</p>
<p>As is always the case with web development, you can never ever trust input from a client.</p>
<p>I'd just hope that everyone saying "user accounts is the easy solution!" will pause for a moment and think about what has happened here. It's not a quick easy job to build something like user accounts. Making it work properly and making it secure is not a walk in the park as this episode has hopefully demonstrated.</p>
<p>It's called software <strong>engineering</strong> for a reason, not software dicking-around.
</p></description>
</item>
<item>
<title>TheGrandmaster on "Stop hating pyspades."</title>
<link>http://forumarchive.spadille.net/topic.php?id=2179#post-26651</link>
<pubDate>Tue, 14 Jun 2011 03:56:39 +0000</pubDate>
<dc:creator>TheGrandmaster</dc:creator>
<guid isPermaLink="false">26651@http://forumarchive.spadille.net/</guid>
<description><p>@mat^2:<br />
The normal server has protection against links/tags being inserted into it..</p>
<p>Due to pyspades' open-sourced nature, any measure set in place could be overridden by users. I think that a little routine to remove links should be made in pyspades, but it is a definite must that the website has the escape characters!
</p></description>
</item>
<item>
<title>mat^2 on "Stop hating pyspades."</title>
<link>http://forumarchive.spadille.net/topic.php?id=2179#post-26529</link>
<pubDate>Mon, 13 Jun 2011 23:02:13 +0000</pubDate>
<dc:creator>mat^2</dc:creator>
<guid isPermaLink="false">26529@http://forumarchive.spadille.net/</guid>
<description><p>danhezee: I do know how exploits like these work (I don't know why you think I'm incompetent). I don't deal with the master server's HTML output, so pyspades isn't in charge of sanitizing the server name (escaping the servername in Python would be cgi.escape(), though). Again, once the servername is escaped, the issue will be gone forever.</p>
<p>I think you're getting a bit too upset on this discussion to realize how simple the exploit (and solution) really is :)
</p></description>
</item>
<item>
<title>danhezee on "Stop hating pyspades."</title>
<link>http://forumarchive.spadille.net/topic.php?id=2179#post-26499</link>
<pubDate>Mon, 13 Jun 2011 22:40:58 +0000</pubDate>
<dc:creator>danhezee</dc:creator>
<guid isPermaLink="false">26499@http://forumarchive.spadille.net/</guid>
<description><p>You don't know how it works, if you don't go on the page you are ok. You don't know a thing about XSS. You googled after I mentioned it. You don't even know how to sanitize a server name.</p>
<p>The iframe points to x.vu/zzz3, you go there and tell me what is on it. Tell me if there is javascript. I am not going to it and I am not going to the Play page. And the reason I am not going on that page is you don't know how to sanitize a string. Thus leading me to believe there are lots more problems in the future with pyspades.
</p></description>
</item>
<item>
<title>mat^2 on "Stop hating pyspades."</title>
<link>http://forumarchive.spadille.net/topic.php?id=2179#post-26492</link>
<pubDate>Mon, 13 Jun 2011 22:36:53 +0000</pubDate>
<dc:creator>mat^2</dc:creator>
<guid isPermaLink="false">26492@http://forumarchive.spadille.net/</guid>
<description><p>danhezee: I'm sorry, but now you're just being weird. Maintaining a game with a protocol that is constantly moving is not feasible. The "aos" URL simply opens client.exe on the server in that number. It cannot link to other software, viruses or whatever.
</p></description>
</item>
<item>
<title>danhezee on "Stop hating pyspades."</title>
<link>http://forumarchive.spadille.net/topic.php?id=2179#post-26488</link>
<pubDate>Mon, 13 Jun 2011 22:33:13 +0000</pubDate>
<dc:creator>danhezee</dc:creator>
<guid isPermaLink="false">26488@http://forumarchive.spadille.net/</guid>
<description><p>That means the protocol will be rewritten, and there will be constant rewrites until you grow tired of it. It is that simple. Don't be dense, you know that aos://000000 can link to other software besides the vanilla server. Pyspades currently does it; what is going to stop anything else from doing it?
</p></description>
</item>
<item>
<title>mat^2 on "Stop hating pyspades."</title>
<link>http://forumarchive.spadille.net/topic.php?id=2179#post-26486</link>
<pubDate>Mon, 13 Jun 2011 22:32:10 +0000</pubDate>
<dc:creator>mat^2</dc:creator>
<guid isPermaLink="false">26486@http://forumarchive.spadille.net/</guid>
<description><p>danhezee: I still don't think you know how the exploit works. It's a very simple XSS exploit that can be fixed by Aksoy by adding approximately 10 characters to his server output routine. Once the output is sanitized, the issue is gone.
</p></description>
</item>
<item>
<title>danhezee on "Stop hating pyspades."</title>
<link>http://forumarchive.spadille.net/topic.php?id=2179#post-26476</link>
<pubDate>Mon, 13 Jun 2011 22:27:42 +0000</pubDate>
<dc:creator>danhezee</dc:creator>
<guid isPermaLink="false">26476@http://forumarchive.spadille.net/</guid>
<description><p>It most likely was just an image, but it could be anything; currently there is an iframe which could load a virus or not. The best thing to do is avoid the Play page. Search for spadille; it will show the server without the danger.
</p></description>
</item>
<item>
<title>Lexsym on "Stop hating pyspades."</title>
<link>http://forumarchive.spadille.net/topic.php?id=2179#post-26475</link>
<pubDate>Mon, 13 Jun 2011 22:27:36 +0000</pubDate>
<dc:creator>Lexsym</dc:creator>
<guid isPermaLink="false">26475@http://forumarchive.spadille.net/</guid>
<description><p>I don't see why my precious ServerBot is being brought into this fight ._. he's never done anything wrong! All server configuration is set up using the original, unmodified, server.exe. It's simply an addon. ._.
</p></description>
</item>
<item>
<title>mat^2 on "Stop hating pyspades."</title>
<link>http://forumarchive.spadille.net/topic.php?id=2179#post-26472</link>
<pubDate>Mon, 13 Jun 2011 22:26:04 +0000</pubDate>
<dc:creator>mat^2</dc:creator>
<guid isPermaLink="false">26472@http://forumarchive.spadille.net/</guid>
<description><p>danhezee, what are you talking about? Once the master server exploit is closed by Aksoy, the exploit doesn't exist anymore. Also, you can't 'lock-out' a protocol implementation or a memory editor. It doesn't work like that. There is nothing malicious about pyspades/ServerBot. I'm not sure where you're getting that from.
</p></description>
</item>
<item>
<title>Tehpwnzer on "Stop hating pyspades."</title>
<link>http://forumarchive.spadille.net/topic.php?id=2179#post-26471</link>
<pubDate>Mon, 13 Jun 2011 22:24:51 +0000</pubDate>
<dc:creator>Tehpwnzer</dc:creator>
<guid isPermaLink="false">26471@http://forumarchive.spadille.net/</guid>
<description><p>What was this "goatse" problem exactly? Like a virus? Or did a picture of goatse just pop up? Like I need to know before I start hating pyspades (loljk)
</p></description>
</item>
<item>
<title>danhezee on "Stop hating pyspades."</title>
<link>http://forumarchive.spadille.net/topic.php?id=2179#post-26460</link>
<pubDate>Mon, 13 Jun 2011 22:17:49 +0000</pubDate>
<dc:creator>danhezee</dc:creator>
<guid isPermaLink="false">26460@http://forumarchive.spadille.net/</guid>
<description><p>Well, once this gets fixed, what is going to stop someone from creating malicious Python code that will be listed in the browser? Nothing, unless there is a complete and total lockout of third-party software.
</p></description>
</item>
<item>
<title>penguindude42 on "Stop hating pyspades."</title>
<link>http://forumarchive.spadille.net/topic.php?id=2179#post-26450</link>
<pubDate>Mon, 13 Jun 2011 22:13:27 +0000</pubDate>
<dc:creator>penguindude42</dc:creator>
<guid isPermaLink="false">26450@http://forumarchive.spadille.net/</guid>
<description><p>^^ lol yeah it was totally /b/
</p></description>
</item>
<item>
<title>mat^2 on "Stop hating pyspades."</title>
<link>http://forumarchive.spadille.net/topic.php?id=2179#post-26448</link>
<pubDate>Mon, 13 Jun 2011 22:13:04 +0000</pubDate>
<dc:creator>mat^2</dc:creator>
<guid isPermaLink="false">26448@http://forumarchive.spadille.net/</guid>
<description><p>SealyStar: Thanks a lot ;)</p>
<p>danhezee: Again, this would inevitably have happened. There is nothing dangerous or insecure about ServerBot/pyspades. People won't get viruses with the third-party software (?). I would like to hear this 'no mods'-statement from Ben :)
</p></description>
</item>
<item>
<title>1337101 on "Stop hating pyspades."</title>
<link>http://forumarchive.spadille.net/topic.php?id=2179#post-26443</link>
<pubDate>Mon, 13 Jun 2011 22:10:39 +0000</pubDate>
<dc:creator>1337101</dc:creator>
<guid isPermaLink="false">26443@http://forumarchive.spadille.net/</guid>
<description><p>Yeah.  I'm not even going to visit the "Play" page until this gets cleaned up.  It's simply too dangerous now.  The scum of the earth have found the site.
</p></description>
</item>
<item>
<title>danhezee on "Stop hating pyspades."</title>
<link>http://forumarchive.spadille.net/topic.php?id=2179#post-26434</link>
<pubDate>Mon, 13 Jun 2011 22:00:04 +0000</pubDate>
<dc:creator>danhezee</dc:creator>
<guid isPermaLink="false">26434@http://forumarchive.spadille.net/</guid>
<description><p>I'm willing to bet that, because Mat said it is 100% Ben's fault, there are going to be active measures to prevent third-party software now, which is going to delay development, and the new features everyone wants will have to wait because it is going to be too dangerous, too insecure to allow any unsupported modification. The player basically has to have good faith that they won't get a virus from this game with the exploits pyspades so elegantly brought to light today.
</p></description>
</item>
<item>
<title>1337101 on "Stop hating pyspades."</title>
<link>http://forumarchive.spadille.net/topic.php?id=2179#post-26431</link>
<pubDate>Mon, 13 Jun 2011 21:56:45 +0000</pubDate>
<dc:creator>1337101</dc:creator>
<guid isPermaLink="false">26431@http://forumarchive.spadille.net/</guid>
<description><p>Yup.  Even if a quick, temporary fix requires disabling ALL server mods and add-ons, it'll be worth it to get rid of this trash.
</p></description>
</item>
<item>
<title>Fluttershy on "Stop hating pyspades."</title>
<link>http://forumarchive.spadille.net/topic.php?id=2179#post-26429</link>
<pubDate>Mon, 13 Jun 2011 21:53:50 +0000</pubDate>
<dc:creator>Fluttershy</dc:creator>
<guid isPermaLink="false">26429@http://forumarchive.spadille.net/</guid>
<description><p>Banning pyspades would only be a temporary solution.</p>
<p>For the time being I guess just use spadille or some other server thing that doesn't allow imagery.
</p></description>
</item>
<item>
<title>1337101 on "Stop hating pyspades."</title>
<link>http://forumarchive.spadille.net/topic.php?id=2179#post-26426</link>
<pubDate>Mon, 13 Jun 2011 21:50:42 +0000</pubDate>
<dc:creator>1337101</dc:creator>
<guid isPermaLink="false">26426@http://forumarchive.spadille.net/</guid>
<description><p>It still needs to be disabled.  Have you SEEN the crap people are uploading?  It's bluntly ridiculous, and desperately needs fixing.</p>
<p>I wouldn't say I HATE pyspades (it's not the scripter's fault people are being complete jerks with his/her code), but it definitely needs to get fixed.  This is ridiculous.</p>
<p>Furthermore, it seems the ad potential is leaking over into the forums.  PySpades, however unwittingly, has let horrible things into the AoS community, and desperately needs a disable.  Ben, please disable any modded servers, at least temporarily, until this can get fixed.
</p></description>
</item>
<item>
<title>SealyStar on "Stop hating pyspades."</title>
<link>http://forumarchive.spadille.net/topic.php?id=2179#post-26421</link>
<pubDate>Mon, 13 Jun 2011 21:45:58 +0000</pubDate>
<dc:creator>SealyStar</dc:creator>
<guid isPermaLink="false">26421@http://forumarchive.spadille.net/</guid>
<description><p>It works a lot more gracefully than serverbot or vanilla, it was not responsible for the goatse, and it isn't inherently evil.<br />
Thank you.
</p></description>
</item>

</channel>
</rss>
