1. RPI Codebase Publicly Released
Fri Jul 9, 2004 [4:50 PM]
Traithe
traithe@middle-earth.us
member since: Sep 17, 1999
Hey folks,

In case anyone's interested, I've repackaged and re-released a very early alpha version of our codebase, and made it available for download on our website. To my knowledge it's the only publicly-available RPI codebase, and it includes features such as a character application system, a realistic combat system, wounds-based damage representation, skill-based and levelless/classless character advancement, archery, complex player literacy, numerous languages and scripts, a powerful soft-code crafting system, description-only social interaction, and a ton of other stuff I can't even remember.

As it is an -alpha- release, it is rather rough, and quite unstable; however, with a decent amount of work from a persistent coder it will form the foundation for an excellent RPI MUD, as you're welcome to see for yourself if you log into our current server at arda.middle-earth.us port 4500. It is written in C, and is a highly modified version of the original DIKU GAMMA server.

If you're interested, you may download it here. I've also sent it along to Kyndig to post in the code repository at MudMagic.com.

Have fun,
T.
2. RE: RPI Codebase Publicly Released
Sat Jul 10, 2004 [9:42 AM]
eiz
eiz@nospam_codealchemy.org
member since: Dec 24, 2002
Just a fair warning to anybody who might decide to use this: cursory inspection of the code reveals a massive security hole. Observe:
    Shadows of Isildur
    ------------------
    E)nter Middle-earth.
    R)oll up a new character.
    D)elete a pending application.
    V)iew your characters.
    C)hange this account's registered email.
    M)odify your account's login password.
    A)NSI color on/off.
    T)erminate this account.
    S)end the staff account an email.
    H)obbit-Mail: reach out and touch someone.
    L)og out from the MUD server.

    Your Choice: C
    Your registered email address: ;echo FOO@ >
    Enter the desired email address: ;echo FOO@ > /home/eiz/BAD
    Is ;echo FOO@ > /home/eiz/BAD correct? [y/n] y
    Your email address was successfully updated.
    ...
    keepers$9:38:23% cat ~/BAD
    FOO@ save/accounts/a/Admin save/accounts/e/Eizneckam
This is of course caused by the fact that user input is passed, unverified, to popen in nanny_change_email, which passes its arguments unmodified to /bin/sh.
3. RE: RPI Codebase Publicly Released
Sat Jul 10, 2004 [1:33 PM]
Traithe
traithe@middle-earth.us
member since: Sep 17, 1999
Thanks for the heads up, Eiz. I'll go ahead and plug that. :)
We haven't actually used the filesystem-based account setup on our live server for over a year or so now, so it's been a while since I looked at that code.
Cheers, T.
4. RE: RPI Codebase Publicly Released
Sat Jul 10, 2004 [1:42 PM]
Traithe
traithe@middle-earth.us
member since: Sep 17, 1999
Okie dokie.
I'm not going to get into the habit of actually maintaining this, as I'm releasing it more as a favor to the community than anything else... but since this was such a serious issue I went ahead and fixed it, and double-checked all the other popen() calls in the source code as well.
If you happen to notice any other big issues, Eiz, I'd really appreciate an email. I don't check these forums very often, and I probably would have missed this post if Kyndig hadn't alerted me to it.
Thanks again. :)
-T.
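
An added example, not part of the thread and not the released codebase's actual fix: one way to close the hole described in post 2 is to allowlist the address and run the helper program without a shell. The function names, the use of grep and the file argument are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Pattern the post describes (sketch, not the project's code):
 *   sprintf(cmd, "<command> %s ...", user_input); popen(cmd, "r");
 * popen() runs cmd via /bin/sh -c, so ';', '>', '`', '$' are interpreted. */

/* Hypothetical allowlist check: exactly one '@', non-empty local part and
 * domain, no leading '-', and only characters with no shell meaning. */
int email_is_safe(const char *s)
{
    size_t n = strlen(s);
    const char *at = strchr(s, '@');

    if (n == 0 || n > 254 || at == NULL || at == s || at[1] == '\0')
        return 0;
    if (strchr(at + 1, '@') != NULL || s[0] == '-')
        return 0;               /* second '@', or would parse as an option */
    for (; *s != '\0'; s++)
        if (!isalnum((unsigned char)*s) && strchr("@._+-", *s) == NULL)
            return 0;
    return 1;
}

/* Hypothetical lookup: 1 = address found in path, 0 = not found,
 * -1 = rejected input or error. No shell is involved: the address is a
 * single argv entry, so metacharacters could never be executed. */
int email_in_file(const char *email, const char *path)
{
    int status, rc;
    pid_t pid;

    if (!email_is_safe(email))
        return -1;              /* defence in depth: reject before exec */
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execlp("grep", "grep", "-qisF", "--", email, path, (char *)NULL);
        _exit(127);             /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    rc = WEXITSTATUS(status);
    return rc == 0 ? 1 : (rc == 1 ? 0 : -1);
}
```

Either measure alone stops the input shown in post 2; using both means a later edit to the allowlist does not bring the shell injection back.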