Feb 2021 vulnerability reports

At the start of 2021 three vulnerability reports were published describing alleged exploits in SmartFoxServer 2.17.0 (the latest version as of March 2021). We exchanged several emails with the individual who created the reports prior to publication, pointing out evident flaws in the findings, but the reports were still published without those glaring mistakes being corrected.

The reports

The following are the reports in question:

They all refer to a so-called “God Mode Console”, an additional Admin Tool module which is always inactive by default in any SmartFoxServer installation. The module can be activated by an Admin via multiple manual steps and can be used to debug a live server at runtime, typically when a bug or issue cannot be reproduced locally but manifests in a live environment.

NOTE: the console cannot be activated or accessed remotely. It requires the server admin to manually activate it and use it.

Given this premise it goes without saying that the first “vulnerability” report is just an example of bad security reporting. The whole point of the console is to execute arbitrary commands, and an attacker who has local access and the credentials to enable the console is already in control of the target server. Even after we explained these points to the “researcher” prior to publication, he went ahead and posted the alleged exploit.

The 2nd entry in the list claims that the Admin password is stored in clear text, which is correct, and flags it as a medium threat. We agree with the claim and we can also provide further details: there aren’t many better ways to secure such a password, and a clear-text file can be efficiently secured by way of user permission management.

For more info on securing clear-text passwords, please take a look at this discussion on StackOverflow.

The 3rd and last entry reports an XSS (cross-site scripting) exploit without actually showing any evidence of the “cross-site” part. As already clarified, this is an admin-only console that is not accessible to the outside world and is disabled by default, but the author willfully ignored this and reported it as a vulnerability.

If there are any other questions regarding these issues, you can get in touch with us via the support section found on our website.

SFS 2X 2.17.0 is available!

We have just released SmartFoxServer 2X 2.17.0, codenamed “Flash Farewell” as we have cut the remaining ties with the old Flash-based Admin Tool.

It seems that many users forgot about the termination of Adobe Flash on Jan. 12th 2021 and have found themselves unable to reach their servers with the legacy Admin Tool. This release is particularly targeted at those users, as it packs all the recent updates in one installer.

Read more about installation and migration to SFS2X 2.17.0 in our forum post.

Download and release notes.

How to deploy a game in Overcast

In this third article in the series dedicated to Overcast, the cloud solution for SmartFoxServer 2X, we will focus on the deployment of your games onto a cloud server.

For this purpose we will use one of the existing SFS2X examples, the Tris game (aka Tic-Tac-Toe), which we released for almost all supported platforms. We will refer to the Unity version of the example, but all the concepts relevant to the purpose of this article apply to any version.

If you are new to SmartFoxServer, don’t worry: we will also provide some context and guidance to get started!


Launching SmartFoxServer in the cloud

In early November 2020 we launched a new cloud service called Overcast, which joins the family of SmartFoxServer products.

In this short series of articles we will be taking a look at how Overcast works, how to get started and how it can help new or existing projects based on SmartFoxServer.


The SmartFoxServer Cloud is here!

We are happy to announce the launch of Overcast, a dedicated cloud-based hosting service for SmartFoxServer 2X that provides a complete stack to build and run rich multiplayer games at any scale.

With Overcast developers can deploy any number of SFS2X instances in the cloud, world-wide, with a simple web-based interface. Each instance runs in its dedicated server with unlimited CCU and provides 100% of the SmartFoxServer 2X features.

For a full presentation of the service make sure to read this introduction to Overcast.

Adobe Flash will be retired at the end of 2020

As announced a few years ago, Adobe has been working on the gradual retirement of the Flash technology from the web in favor of open standards such as HTML5, WebGL etc.

Officially, December 31st, 2020 will be the last day for the Flash platform, after which it will be removed from the Adobe website. This means it won’t be available for download any more, nor will there be any form of support or updates from Adobe.

How does this impact SmartFoxServer and its users? Let’s find out.
