Game Development Community

Security Issue: Control Panel.

by Chris "DiGi" Timberlake · in Torque Game Engine · 08/06/2005 (4:12 pm) · 3 replies

Edit: For clarity.

Ok, when you enter a bad name in the GUI Editor, it opens up information the same as the Tree(); command. (This has been fixed in 1.4, I hear.)

I was storing my MySQL info on the client side, because I couldn't figure out a way to make the connection global. So I stored it in a GUI Control (my bad).

So in other words, if you create a GuiControl named Control Panel, you can see everything client side and can edit it.

#1
08/06/2005 (4:26 pm)
I'm curious about this, but I also can't understand what you're saying, I'm afraid. :(

What does this have to do with TGE? It sounds perfectly normal to me.
You never keep the database critical information on the client, if you want it safe. Maybe that's not what you were talking about though.

#2
08/06/2005 (4:27 pm)
After further discussion with Chris, it turns out the root bug here is that in the 1.4 HEAD inspector/treeview, if you set the root of the local GUI hierarchy to have an invalid name it bumps the inspector to show the RootGroup, and thus all the GUIs and other objects in that instance of the engine. This allows you to inspect any object in the system (much like the tree() command does), and in Chris' case, was exposing a lot of information that he had client-side that probably shouldn't have been there.

The bug appears to be fixed in 1.4 trunk (and thus will be in 1.4RC2 as well); as for the implications of storing sensitive information client side, well, that's a bigger problem than Torque can address. :)

#3
08/06/2005 (4:28 pm)
Yeah, I was a bit flustered when I wrote this, heh. Seeing that client info can be displayed isn't pretty.