

What's Going On With the Website?

by Charlie Plaine, Chairman

2nd July 2017

Many of you have noticed and expressed concern about recent issues with the site, including strange error messages and pages not working. We've recently been briefed on these issues by our Chief Technical Officer, Chris Lobban [Maelwys], and here is what he had to say:

First, background. Upgrading to the current version of PHP removed some security settings from PHP. Overall it's a good thing, but because I was inexperienced when I started programming the site many years ago, I took those security settings for granted. Once those settings went away, our site became vulnerable to SQL injection attacks (the kind that could make our entire database public, or just delete all of it... bad stuff). So as a result, I postponed updating PHP for as long as I possibly could.

But then, over the winter we had to update to HTTPS (better login security) and as a result were forcibly updated to the latest PHP as well. Which meant that we lost that extra security (yes, I understand the irony that updating our security cost our security). And so I started scrambling trying to go over every bit of code to seal those holes as best I could. And mostly, I failed at that because there are far too many scripts and I had far too little time. Luckily there didn't overall seem to be too much of a rush, since mostly we sneak under the radar by being a small site that doesn't attract much attention.

Unfortunately, over the last couple weeks that seems to have changed. In the last week I've seen 3 different signs that somebody was trying to breach various levels of our site security, as a result of this SQL injection vulnerability. So, I decided that we could no longer afford to wait and slowly convert scripts as we had time. Instead, I added a bit of code to instantly lock down all of the code and secure the site. With the side-effect that it also means some areas of the site will stop working until they're doctored again. It might end up being a bit of a harder fix as a result (which is why I hadn't done this the first time), but should make us more secure in the long run. I'll be working on what I can in the next few days to get the various broken stuff up and running again, or see if I can find a better solution to it. But in the end, this was unfortunately what was required to try to keep our site safe.

Thanks for the update, Chris. If you have any questions, please post them in the comment thread for this article and we'll do our best to answer them. But our IT team is on these issues, and will be fixing them as quickly as they can. If you notice an error message or other broken page, please let us know.
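The SQL injection problem Chris describes above, shown as an added example that is not the site's own code: the query pattern that only stayed safe while PHP escaped input for it, beside the prepared-statement version that needs no such setting. It assumes PDO with the pdo_sqlite extension for the in-memory demo (the two functions work the same against MySQL), and it assumes the removed setting was magic_quotes_gpc, which the article does not name.

```php
<?php
// Added example, not code from the Continuing Committee site.
// Assumption: the removed PHP setting was magic_quotes_gpc, which silently put a
// backslash before quotes in $_GET/$_POST and so masked code like findPlayerUnsafe().

// BEFORE: the value is pasted into the SQL text. With magic quotes gone, any quote in
// $name changes the structure of the query, which is exactly what SQL injection relies on.
function findPlayerUnsafe(PDO $db, string $name): array
{
    $sql = "SELECT id, name FROM players WHERE name = '$name'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// AFTER: a prepared statement sends the value separately from the SQL, so the database
// can only ever treat it as data. No global escaping setting is needed for this to be safe.
function findPlayerSafe(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT id, name FROM players WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE players (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO players (name) VALUES ('Maelwys'), ('Miles O''Brien')");

// A perfectly legitimate value that happens to contain a quote.
$input = "Miles O'Brien";

try {
    findPlayerUnsafe($db, $input);
} catch (PDOException $e) {
    // The apostrophe closes the string literal early. Here that is a syntax error;
    // with hostile input it is a rewritten query, which is why the site had to lock down.
    echo "unsafe query failed: " . $e->getMessage() . "\n";
}

// The prepared statement returns the matching row regardless of quotes in the input.
print_r(findPlayerSafe($db, $input));
```

Converting each script this way is the slow fix Chris mentions; a blanket lock-down that escapes or rejects input site-wide closes the hole faster but, as the article notes, also breaks pages that handled legitimate input such as names with apostrophes.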

