The online racing simulator
New Style LFS Join Links
Hello Hosters,

Now that Z28 and its installer provide a way for anyone with an installed LFS to use lfs:// links without installing an external program, I thought it would be a good idea to explain how to make those links that you can put on any web page. They are different from the old ones used by the "LFS Join" program.

The basic idea is :
lfs://join=hostname

For browser compatibility you must use %20 instead of any spaces.
So if your host name is "my host" your link would be :
lfs://join=my%20host

You can also include a password (for example if you are making a link to a private host from a private forum).
The /pass command is used in that case, for example :
lfs://join=my%20host/pass=password

And that is basically it for most hosts. You do not need to include colour codes. However, you need to take care of special characters. For example ? and # have special meanings in a URL so you should use ^q and ^h in their place. Also a / character (slash) in a host name would be interpreted by LFS as the next command on the command line, so you must use ^s in place of the slash.

The full list of special characters is :

* -> ^a
: -> ^c
\ -> ^d
# -> ^h
< -> ^l
? -> ^q
> -> ^r
/ -> ^s
" -> ^t
| -> ^v

Also note that some browsers do funny things with characters above 127. So for those high characters you should again use the %xx encoding (as you do for spaces) where xx is the two digit hexadecimal value of the character.

Finally, if your host name uses a non-latin code page you should use the ^X that LFS uses. E.g. ^J for Japanese and ^C for Cyrillic. One way to work this out is by entering a host name in LFS, in the Start New Host screen. Then exit LFS and open cfg.txt - you will see the language-encoded host name beside the "Game Name" field.
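The escaping rules from the post above, collected into a link builder (an added example, not code from LFS or from the original post). It assumes host names in the default Latin code page, taken here to be cp1252; it also assumes that a literal % should be percent-encoded and that the password takes the same escaping as the host name, neither of which the post states.

```python
# Added example: build lfs:// join links with the escapes listed in the post.
LFS_ESCAPES = {
    "*": "^a", ":": "^c", "\\": "^d", "#": "^h", "<": "^l",
    "?": "^q", ">": "^r", "/": "^s", '"': "^t", "|": "^v",
}


def escape_lfs(text, codepage="cp1252"):
    """Escape one host name or password for use inside an lfs:// link."""
    out = []
    for ch in text:
        if ch in LFS_ESCAPES:
            # Characters with a meaning in URLs or on the LFS command line.
            out.append(LFS_ESCAPES[ch])
        elif ch in " %" or ord(ch) < 0x20 or ord(ch) > 0x7E:
            # Spaces and high characters become %xx, xx being the byte value
            # in the code page. Encoding "%" itself is an assumption.
            # Raises UnicodeEncodeError if the character is not in the code
            # page (such names need the ^X code page prefix instead).
            for byte in ch.encode(codepage):
                out.append("%%%02X" % byte)
        else:
            # Plain ASCII, including "^", passes through unchanged.
            out.append(ch)
    return "".join(out)


def build_join_link(host, password=None):
    """Return lfs://join=<host>, with /pass=<password> appended if given."""
    if not host:
        raise ValueError("host name must not be empty")
    link = "lfs://join=" + escape_lfs(host)
    if password is not None:
        link += "/pass=" + escape_lfs(password)
    return link


if __name__ == "__main__":
    # Constructed sample host names.
    for name in ("my host", "A/B #1?", "caf\u00e9 racing"):
        print(build_join_link(name))
```
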
Couldn't webmasters abuse that by e.g. putting lfs://join=server%20name/insim=31337 this way creating InSim backdoor on PC of user who clicked the link?

Or e.g. executing commands like /speedreduce, /ff, /button, /say, etc? :3
A link can contain a /insim command, that is true. Maybe we should have excluded that. I'm not entirely sure what the security implications of that are, but the website owning hacker would need to find an LFS user who has opened a server port in their router, or are nutty enough to use a computer without either a router or software firewall, and then get them to click his link.

The other commands you mentioned can't be used - the only ones available on the command line are those documented as command line commands, in the first list of docs\Commands.txt and the /join command which doesn't seem to be documented anywhere.
Quote from Shadowww :Couldn't webmasters abuse that by e.g. putting lfs://join=server%20name/insim=31337 this way creating InSim backdoor on PC of user who clicked the link?

Or e.g. executing commands like /speedreduce, /ff, /button, /say, etc? :3

That is assuming that the program accepts any other arguments other than join and pass from join links.

Quote from Scawen :Maybe we should have excluded that. I'm not entirely sure what the security implications of that are, but the website owning hacker would need to find an LFS user who has opened a server port in their router, or are nutty enough to use a computer without either a router or software firewall, and then get them to click his link.

I think the security implications are minimal at best, so long as the port is not a common port (Port# < 1024), and it's only connecting to the LFS instance, that might allow remote commands to be run, but only within LFS. I think this is minor, at best. Anyone else want to weigh in from a security perspective, I think this topic could become quite interesting.
My suggestion is to change the association to include /weblink (LFS.exe /weblink %1) or something to let LFS know it wasn't started from regular command line and only allow the join and pass parameters.
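A sketch of the allowlist check suggested above, as it could run on a link handed over by the browser (an added example, not LFS code). The function name `parse_weblink` is hypothetical, and decoding %xx before splitting on the slash is an assumption about how the link reaches the command line.

```python
# Added example: accept only join and pass from a web-launched lfs:// link.
from urllib.parse import unquote

ALLOWED_WEBLINK_COMMANDS = {"join", "pass"}  # the two parameters named in the thread
SCHEME = "lfs://"


def parse_weblink(url):
    """Return {'join': host[, 'pass': password]} or raise ValueError."""
    if url[:len(SCHEME)].lower() != SCHEME:
        raise ValueError("not an lfs:// link")
    # Decode %xx once, before splitting, so the allowlist sees the same
    # slashes the command line would see (assumption, see lead-in).
    body = unquote(url[len(SCHEME):], encoding="latin-1")
    if any(ord(ch) < 0x20 for ch in body):
        raise ValueError("control character in link")
    # A slash inside a host name is written ^s, so every remaining "/"
    # separates two commands.
    segments = body.split("/")
    if segments and segments[-1] == "":
        segments.pop()  # tolerate a single trailing slash
    commands = {}
    for segment in segments:
        name, sep, value = segment.partition("=")
        name = name.lower()
        if not sep or name not in ALLOWED_WEBLINK_COMMANDS:
            raise ValueError("command not allowed from a web link: %r" % name)
        if name in commands:
            raise ValueError("duplicate command: %r" % name)
        if not value:
            raise ValueError("empty value for %r" % name)
        commands[name] = value
    if "join" not in commands:
        raise ValueError("link has no join command")
    return commands


if __name__ == "__main__":
    # The first link is constructed; the second is the one quoted in the thread.
    for link in ("lfs://join=my%20host/pass=password",
                 "lfs://join=server%20name/insim=31337"):
        try:
            print(link, "->", parse_weblink(link))
        except ValueError as err:
            print(link, "-> rejected:", err)
```
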
Quote from morpha :My suggestion is to change the association to include /weblink (LFS.exe /weblink %1) or something to let LFS know it wasn't started from regular command line and only allow the join and pass parameters.

Ok, I see where you're coming from, you're saying that if the LFS.exe gets a join link from a weblink then by the LFS.exe knowing that it's coming from a weblink via the /weblink parameter, then the LFS.exe should only read the join and pass parameters and ignore anything else passed.

I accept that as a possible solution, but I still don't see a compromise of security that warrants this kind of attention. Anyone find it that big of a deal that commands within LFS can be run remotely providing that you're not running a firewall in the first place.

I guess it is the computer experts' (in this case the programmers') job to protect the naive user from other malicious users.

Can anyone think of a legitimate reason for users being able to run remote commands on an LFS client? I think it might help leagues by enforcing intake / engine restrictions on their clients. Might give peace of mind to the other clients in the game.
Thanks a lot for this, it's very useful for me now
Thx, finally...
Quote from Dygear :I think the security implications are minimal at best

If upnp (Universal Plug and Play) didn't exist or home routers that support it didn't have exploits (such as pre-auth XSS), or if people actually changed default passwords, I'd agree.

There's a technical talk at GnuCitizen about one such exploit on the BT Home Hub.

If you can't be arsed to read it the general gist, in this context would be:

1. Malicious user sets up a webpage with LFS join links containing /insim params. The page also includes code to attempt to exploit the connecting user's router via unauthenticated upnp triggering (i.e. using cross site scripting to setup port forwarding for 29999)
2. User clicks on the link, and the malicious webpage records this
3. Server side component notices this change and tells the malicious insim client to connect to that user's external IP, in the hope that the upnp hack has worked
4. Profit?

Granted this isn't an actual proof of concept and there's absolutely no guarantee that it would work (given that it relies on either default passwords/exploits in the firmware and guessing the routers internal IP), but there's always a possibility.

And bear in mind I only keep up with the basics of breaking into stuff - someone who really knows what they're doing could've easily come up with something that might actually work more reliably.

After that it just takes an exploit in InSim and away you go grabbing licence details. Or you could just make them say random stuff via insim
Problem
In earlier versions of LFS I used the program called "JoinLFS" but now the link syntax doesn't work anymore with it.

Then I uninstalled JoinLFS and firefox didn't work when trying to join a host displaying:

File Not Found
Firefox can't find the file at lfs://join=LFS.cl%20S2.


Where can I config this manually in firefox?

Thanks in advance!
Tools > Options > Applications
Thanks!
the angry angel, most home users don't have a router. They have direct wire from modem to PC, so portforward hack isn't even needed.
In the USA 95% of people have routers... maybe where you live they don't.
I am talking about Europe, not about USA where people like to spend money on useless sh!t.
90% of users in the UK have routers shadow, mainly because they are built in with the modem for most UK ISP's and are given out free.
Quote from franky500 :90% of users in the UK have routers shadow, mainly because they are built in with the modem for most UK ISP's and are given out free.

And I'm pretty sure the same applies to most of (central) Europe. I don't see why routers are useless either, after all, most households with internet connectivity also have more than one internet-capable device. Besides, routers are very versatile, if not for the routing, they're useful as hardware firewall.
Quote from franky500 :90% of users in the UK have routers shadow, mainly because they are built in with the modem for most UK ISP's and are given out free.

Here modem with 4 ports gives one external IP to each port so no need for router. Didn't know they only give one IP per modem in UK.
research can go a looooooong way
Quote from Shadowww :Here modem with 4 ports gives one external IP to each port so no need for router.

That's interesting to know. Although with the right IP range given to you and the right home router it's possible to emulate this setup in the UK (if anyone's interested).

Out of interest is that truly a common, out of the box, setup over there shadowww? Also does the appliance they give you do any form of firewalling out of the box?
Quote from the_angry_angel :Out of interest is that truly a common, out of the box, setup over there shadowww? Also does the appliance they give you do any form of firewalling out of the box?

Yeah, they do it that way (fiber optic providers), and tell customers if I need to connect more than 4 PC's (international 100mbit so quite possible), then they need to buy a router or hub.

And they give 90 day trial of some firewall, but I wasn't interested (using COMODO Firewall already) so I told them I don't need it.
And how much is your 100MBit/s conn? Around here the best fibre you can get is 100/10 for 75€/month and it's only available in Vienna :sadbanana
$14/month for 100mbit half duplex.

200mbit half duplex, which can be easily turned into 100mbit full duplex, costs $16/month here.

500mbit half duplex is $100/month :sadbanana
Quote from Scawen :Finally, if your host name uses a non-latin code page you should use the ^X that LFS uses. E.g. ^J for Japanese and ^C for Cyrillic. One way to work this out is by entering a host name in LFS, in the Start New Host screen. Then exit LFS and open cfg.txt - you will see the language-encoded host name beside the "Game Name" field.

^1^J��^0edline ^1^J��^0acing 8
^1^JÉÏ^0edline ^1^JÉÏ^0acing 8
ノマedline ノマacing 8
ノマedline ノマacing 8
^JÉÏedline ^JÉÏacing 8

This should be fun to parse.
I think using non-latin chars in hostnames is monumentally stupid to be honest, makes it practically impossible to "Join specific host", cause who's got the time to find "ノマ", especially since as a user, you don't normally know which charset it is in.
In Redline's case it also ruins the sorting by name, you'd expect it to be under "R" but no, it's a Japanese pseudo-"R" :nol2: