The code security audit has been completed in a relatively short amount of time, thanks to the robust and reusable programming features of the original Promisance and FAF.
===Results===
In total, 28 SQL injection vulnerabilities were found in the codebase.
Of these, 22 were severe.
The other 6 would have required chaining with another exploit before they could be used.
It is estimated that 14 of these exist in other Promisance variants, such as QMT and RWL.
A total of 288 function calls were investigated and marked as secure or fixed.
A total of 384 lines of code were changed.
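As an added illustration of the class of fix these figures refer to (this is not code from Promisance, FAF or the audit itself), the snippet below shows an unparameterised query of the kind an audit flags beside its corrected form, plus the allow-list check needed where a column name rather than a value comes from the request. The table and column names (`empires`, `e_id`, `e_name`, `e_land`) and the sample rows are constructed for the example; it runs against an in-memory SQLite database so no game server is needed.

```php
<?php
// Added illustration; not code from Promisance, FAF or the audit.
// Assumed (constructed) schema: empires(e_id, e_name, e_land).

// Vulnerable pattern: untrusted request input is concatenated into SQL text,
// so the input can change the structure of the query, not just its value.
function getEmpireVulnerable(PDO $db, string $userInput): ?array
{
    $sql = "SELECT e_id, e_name, e_land FROM empires WHERE e_id = " . $userInput;
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Fixed pattern: the value is validated as the integer the column expects and
// then bound as a parameter, so it never becomes part of the SQL text.
function getEmpireFixed(PDO $db, string $userInput): ?array
{
    $id = filter_var($userInput, FILTER_VALIDATE_INT);
    if ($id === false) {
        return null; // reject anything that is not a plain integer id
    }
    $stmt = $db->prepare("SELECT e_id, e_name, e_land FROM empires WHERE e_id = :id");
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Identifiers (column names, sort direction) cannot be bound as parameters;
// when they come from the request they must be mapped through an allow-list.
function listEmpiresSorted(PDO $db, string $sortBy): array
{
    $allowed = ['name' => 'e_name', 'land' => 'e_land'];
    $column  = $allowed[$sortBy] ?? 'e_name'; // unknown keys fall back to a safe default
    $stmt = $db->query("SELECT e_id, e_name, e_land FROM empires ORDER BY $column");
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Self-contained run against constructed sample data in an in-memory SQLite DB.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE empires (e_id INTEGER PRIMARY KEY, e_name TEXT, e_land INTEGER)");
$db->exec("INSERT INTO empires VALUES (1, 'Alpha', 500), (2, 'Beta', 800)");

$malformed = "0 OR 1=1"; // an id that is not an integer
var_dump(getEmpireVulnerable($db, $malformed)); // returns a row the caller never asked for
var_dump(getEmpireFixed($db, $malformed));      // NULL: rejected before any SQL runs
var_dump(getEmpireFixed($db, "2"));             // the Beta row
var_dump(listEmpiresSorted($db, "land; DROP"));  // unknown key -> sorted by e_name
```

The audit's "marked as secure or fixed" distinction maps onto exactly these cases: a call is secure when every request-derived value reaches the database as a bound parameter (or, for identifiers, through an allow-list), and fixed when it had to be rewritten from the first form into the second.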
[s]N.B. A significant non-SQL related vulnerability was found: users could arbitrarily run crons in the game. This hole has now also been closed.[/s] <span style='color:blue'>Please note that this claim has been invalidated by stricter bounds-checking in the game. This was NOT actually a vulnerability.</span>
No vulnerabilities have been disclosed to the general public. We are working hard to get a stable version out so all users can upgrade.
Users who have downloaded and run our game are encouraged to contact us to obtain a list of the vulnerabilities for private use.
~The Beatles
Code Security Audit