Monthly Archive for January, 2014

Squidwolf > Blog > 2014 > January

Patch Notes for Transforming Experience 2.2.1

30.01.2014 21:20

To be deployed during Scheduled Downtime on Friday, 31 January 2014 at 1800 GMT.


  • We are beginning to split our two support departments.

Squidwolf Voice Developer ALPHA

  • We are now opening the Developer ALPHA of Squidwolf Voice.
  • Uses the Teamspeak software.
  • Access for the Developer ALPHA sits at £100.
  • The Developer ALPHA expected to last until shortly after the deployment of Zero Rotation.


  • We are renaming the premium currency store to “PotionStore”.
  • Server Status now displayed on the store.
  • HazelCredits will soon be renamed to PotionCredits.


  • Faction territories are now displayed on the map.
  • Mobs now appear on the map.


  • We have begun to remove missions which depended on the “Epic Boss” API since that project is no longer maintained.
  • All “Kill” mission targets are being replaced with standard Mobs.
  • Mission series successes are now rewarded with HazelCredits.


  • Capture Points are now being introduced to the server.


  • “Cookie Clicker” added.


  • Issues with mobs spawning during the day have been fixed.

Exploit Fixes

  • Issue fixed where character could get Moderator by killing the same player in quick succession.
  • Repeatedly spamming the /back command no longer sends you to The Nether.

Account Management

  • Case #2557 – 2Checkout Gateway: Update to currency variable
  • Case #2623 – Fix calculations of promotions when more than 50% off
  • Case #2739 – Add TLD Specific Fields required for .CN domain registrations
  • Case #2874 – Echeck: Fix capture function behaving incorrectly
  • Case #3019 – Refine internal criteria for bulk domain lookup
  • Case #3030 – Resolve SQL error in Income by Product Report
  • Case #3086 – Nominet Registrar: Update to Contact Registration Logic for Individuals
  • Case #3116 – Required Custom Fields not validating correctly when using API
  • Case #3360 – Resolved issue where one time promotions could be treated as recurring
  • Case #3360 – Disable Recur For input box when Recurring is disabled
  • Case #3361 – Fix time limited recurring promotions calculating incorrectly
  • Case #3388 – Fix Invalid Token Error when applying credit in Original and Portal Client Templates
  • Case #3414 – Payflow Pro: Update to store PayFlow Reference in PayFlow Mode
  • Case #3617 – Do not CC password reset emails to sub-accounts
  • Case #3740 – ProtX VSP Form: Pass correct callback values to debug log
  • Case #3801 – Resolved PDF Quotes missing clients name/address
  • Case #3802 – Make a quantity of zero remove item from the cart
  • Case #3809 – Regular Expression Custom Field Validation failing on single quotes
  • Case #3811 – Resolve Invalid Token error when deleting recurring calendar entry
  • Case #3814 – Improvements to IPv6 detection and validation logic
  • Case #3862 – NameCheap Registrar: Fix incorrect function name call
  • Case #3864 – Echeck: Fix storage of bank account details
  • Case #3893 – Enom SSL Module: Fix Province is Required Error Message
  • Case #3922 – PayPal Express: Remove auto-login from Express Checkout Module
  • Case #3637 – Improve Access Controls in Project Management Addon
  • Case #3782 – Improve Access Controls in Tickets
  • Case #3783 – Improve Access Controls in Invoices
  • Case #3784 – Resolve Admin Area SQL Injection Vulnerability
  • Case #3839 – Resolve Potential XSS Vulnerability
  • Case #3841 – Resolve Potential XSS Vulnerability
  • Case #3842 – Resolve Potential XSS Vulnerability
  • Case #3843 – Resolve Potential XSS Vulnerability
  • Case #3846 – Improve Access Controls in Tickets
  • Case #3922 – PayPal Express Checkout Improve Validation
  • Case #3931 – Potential header injection via whois lookups
  • Case #3932 – Improve sanitization for whois query

Our latest expansion has been announced! Check out the Zero Rotation features page, Welcome to our Future!

Free expansions, always.

Screen Shot 2014-01-21 at 15.24.36


Check out my Raptr profile.

The website has been repurposed as the developer network of Squidwolf Syndicate. If you are looking for the Squidwolf Minecraft server then please Click Here.

Squidwolf Hosting

  • Dedicated Servers introduced as described in this Dev Blog.
    Features include:

    • Complete control via Web Administration Panel.
    • Able to upgrade server components without restarting or changing your server plan.
    • Able to add multiple administration levels.
    • Choose between Plesk (£3 a month) or cPanel (£20 a month).
    • Full Root Access.
    • Unlimited Bandwidth.
    • Dedicated 100Mb connection.
    • Hardware RAID.
    • Remote Server Reboot.
    • 1 x Dedicated (Free) IP Address.
    • Bandwidth graphs & reports.
    • Optional server back-up add-on (£10 a month per 10GB).
    • Dell & Intel hardware.
    • Free game server 1-click install options.


  • Links to other areas of Squidwolf have been added.

Squidwolf Insider

  • News, Announcements, and Patch Notes will no longer publish to
  • We have commissioned an artist to create emblems for Factions in Squidwolf Minecraft.
  • We have commissioned an artist to create insignias for the Ranks of Squidwolf Minecraft.
  • The Squidwolf Directory has been repurposed to hold links to websites using Squidwolf Hosting.
  • Content has been added to the Squidwolf Web Server page of the backstory.
  • A page has been created for SquidRooms on the backstory.
  • A page has been created for Squidwolf Web Proxy on the backstory.
  • A page has been created for Squidwolf Magazine on the backstory.
  • A page has been created for Squidwolf Social on the backstory.
  • A page has been created for Squidwolf Store on the backstory.
  • A page has been created for Squidwolf Web Design on the backstory.
  • A page has been created for Squidwolf Image Hosting on the backstory.
  • A page has been created for Squidwolf Cyberlocker on the backstory.
  • A page has been created for Petitions on the backstory.
  • A page has been created for Squidwolf Services Network on the backstory.
  • A page has been created for Squidwolf Domain Registry on the backstory.
  • A page has been created for Squidwolf Minecraft on the backstory.
  • A page has been created for Squidwolf Nest on the backstory.
  • A page has been created for Squidwolf Tech Support on the backstory.
  • A page has been created for Squidwolf Web FTP on the backstory.
  • A page has been created for COLOSSUS on the backstory.
  • A page has been created for Potion Forest on the backstory.
  • A page has been created for Account Management on the backstory.
  • Content has been added to Project: Hazel on the backstory.
  • Content has been added to Giraffe Branch on the backstory.
  • Content has been added to Studio 914 on the backstory.

Squidwolf Tower

  • Clarification on some challenges and achievements has been made.
  • Bugs in the activity feed have been fixed.
  • An achievement has been added for Zero Rotation.


  • We have repurposed the domain name for the Developer Network.
  • A temporary page has been placed on this domain name making it clear that this domain is NOT for Squidwolf Minecraft.

Account Management

The following security issues have been fixed:

  • Case #3785 – SQL Injection via Admin Credit Routines

The following issues have been resolved:

  • Case #3706 – Some graphs failing after recent Google Graph API Update
  • Case #3711 – CSV Export content should not contain HTML entities
  • Case #3726 – PDF Line Items failing to output some specific characters
  • Case #3727 – Admin password reset process failing to send new password email
  • Case #3738 – Sub-account password field’s default text must be removed on focus/click events
  • We have fixed the issue with our logo not appearing on automatically-generated invoices.


  • We are reconfiguring our support centre to separate Squidwolf Hosting from everything else.
  • will be taken down during the next patch to facilitate this transition.
  • Squidwolf Minecraft, Squidwolf Store, and Squidwolf Tower will use the existing ticketing system.
  • Squidwolf Hosting, Squidwolf Web Design, and Squidwolf Studios will use a support system integrated into Account Management.

Squidwolf Store

  • Several products which are no longer available have been removed from Squidwolf Store.


  • Packages have been reactivated and you can once again purchase in-game items.

Squidwolf Events

  • The January Announcement Keynote has been cancelled.

Latest Expansion

  • We are pleased to announce Zero Rotation, the latest free expansion from Squidwolf Syndicate.


Hello everyone, we are having a domain clear-out this year! We have a small number of domain names which are either no longer needed by us or from dormant, suspended, or otherwise abandoned user accounts. The valuations placed on these domain names is based on traffic. (£250 GBP) (Increasing to £500 from 11 February) (£500 GBP) Available from 1 February 2014
Note: This domain is still registered to one of our users. Despite our best efforts they have failed to reply to any of our attempts for the past six months. Their registration expires on the date shown. (£250 GBP) (Increasing to £500 from 11 February) (£5,000 GBP) (Increasing to £10,000 from 11 February) (£500 GBP) (Increasing to £1,000 from 11 February)

If you are interested in purchasing any of these assets then leave a comment below or send an email to

Hey guys! I thought I’d kick off the year 2014 with a fun blog about taking advantage of people’s tech ignorance when it comes to using IP printers, particularly those which are configured using a web interface and controlled using (default) admin credentials.

If you haven’t read the post CNN did about Shodan (scary search engine) which searches the deep web for fun things like SIP systems and IP-controlled devices then you should seriously give it a read. I was reading the article when I looked to my left and saw the delicious Kodak hero 7.1 network printer on the table next to my iMac and realised “there must be printers like these which have their own DNS entry or IP address”.Screen Shot 2014-01-12 at 00.04.47

Logically the next thing to think about is that almost all of these will be setup by people who are largely tech illiterate or sysadmins who aren’t doing their job properly. So I set about searching for printers as my curiosity gets the better of me…

Screen Shot 2014-01-12 at 00.05.38


I got a boatload of results but if you aren’t signed in then you can only view the first page. I’ve blocked out the DNS entries and IP addresses of the first “results” so I don’t get a lawsuit.

So I start clicking through the results and on the first hit I find a web-controlled HP Color LaserJet 3800.

Screen Shot 2014-01-12 at 00.12.35

The person who setup this printer did it correctly and didn’t leave the default admin password in place but there is still some information exposed such as the printer serial number and the firmware date code visible, I’ve blocked both of these out. The red box at the top of the page covers the device’s IP address.

I scrolled down the page and found this:

Screen Shot 2014-01-12 at 00.16.48


I’ve never heard of this make of printer before so I give it a click…

Screen Shot 2014-01-12 at 00.19.28


This is the front page for (what looks like an older model) Ricoh printer device. You’ll notice in the top left corner is a button which takes you to a login form.

Screen Shot 2014-01-12 at 00.22.04


Could it really be that simple?

Screen Shot 2014-01-12 at 00.23.24


Well shit! Naturally I HAVE to go clicking around to see what mischief (potentially) I can cause…

Screen Shot 2014-01-12 at 00.25.58


The information on the front page immediately available allows for the resetting of the device which can be pretty catastrophic in itself. I click into printer status and the controls and information available is pretty basic such as selecting printer cartridges and manipulating loader trays (you can change the language to really screw up someone’s day if you wanted to) but the control further down is the most interesting labelled “document server”. Clicking on that is the screen capture you see above, this printer isn’t being used as a file server but if it was then I’d have access to ALL of the documents inside the printer.

Screen Shot 2014-01-12 at 00.29.00


Clicking on Job > Printer > Job History brings up the next panel listing the latest print jobs sent to this printer along with the user, the date/time, where the job originates from and the file name. The file itself isn’t downloadable, I’ve blocked out the more sensitive information.

Screen Shot 2014-01-12 at 00.32.35

The screen capture above is for the Fax Machine on the printer. Viewable to the administrator is the date/time and destination of the fax as well as how the transmission turned out. I didn’t think Facsimile was still in use but clearly it is where in the world this printer is from. There is even a button to download the transmission list for the printer which would give a complete listing of all of the transmissions sent from this Fax (I didn’t download it before you ask).

The “Reception” option has the same controls but in reverse such as all Faxes received and the option to download a list of all received Faxes (but not the faxes themselves).

The “Address Book” actually seems to be the user directory for the Printer/Fax Machine. An Administrator can easily create a new user with full access privileges to the device. It is also possible to download then wipe the entire user directory. Each user entry contains personal information such as phone numbers and email addresses as well as where and when they last logged in.

The “Enquiry” contains information on the servicing of the device such as serial number and sales rep information.

Screen Shot 2014-01-12 at 00.40.01


The configuration panel is where it gets really interesting. As you can see there are a lot of configurable options as well as the security (lol). There is even the option to pull in information from an LDAP server. This particular printer doesn’t access an LDAP directory but if it did then I’d be able to copy the login credentials and gain complete access to a computer network’s LDAP directory of users, devices, documents, and other sensitive information.

The administrator of this machine hasn’t even entered his or her email address to get notifications when something is wrong with the machine! BAD FORM!

On closer inspection I realise that error reports aren’t being generated, auto logout isn’t configured, the printer hasn’t been cleaned since it was first setup, and the printhead alignment is completely screwed. Basically whoever set this thing up just took it out of its box, plugged it in, and turned it on!

To do the “good guy” thing I corrected all of the things above. If the admin had bothered to add his/her email to her contact card in the Address Book then I would have informed them of my discovery. Sadly, they haven’t.

A lookup of the IP address turned up no information so there is nothing else I can do from this point without sabotaging the machine, moving on…

Screen Shot 2014-01-12 at 00.49.14

I typed in the printer’s make to discover that there are thousands of these devices visible to the internet. Clicking on the first dozen reveals that most of them suffer from the same ill-management as the one I showed you above.

Screen Shot 2014-01-12 at 00.51.21


Yes it really is that simple to fuck with someone’s printer.

I opened up another administration panel and found that email addresses are actually visible in the Address Book of this particular printer. I copied one and pasted it into the search field on Facebook and found the owner. Now the question is “Do I inform this person of what I have found?” which could possibly save them a lot of heartache and upset in the future if a less friendly hacker should find it (I don’t even consider this hacking) or do I just turn a blind eye?

So I’ve decided that I AM going to be reporting this shit to the owners of the printers. I called up one company & she said to call back on monday to “talk to someone upstairs” I’m guessing they have no clue about this shit.

Vulnerable Printers Discovered

– 2 independent businesses in the USA (among a fuckton of others)
– University of Washington
– Southeast Missouri State University

YES! The NH fucking S! Not only that it is for “HR Pay Services” which means sensitive information is definitely being printed out on this device. I’ll definitely be getting in touch tomorrow about this.




As part of our “ease-of-use” initiative, we have been busy writing a boatload of documentation to help those who aren’t as tech-savvy as us at getting the most out of our lovely hosting service. The links below contain PDF documents (Opens in Preview on Mac OS X, you’ll need Adobe Acrobat Reader if you are on Windows) in regards to the various areas of Squidwolf Hosting, get reading!

Web Hosting Documentation

Control Panel Documentation

WordPress Documentation

Zero Rotation (our next big expansion) is almost upon us and it is time to fill you in on our next big service, dedicated servers! We are planning to release several different plans each with very attractive price points. Not only are they super great value but the monthly running cost decreases the longer you stay with us, isn’t that lovely!

Check out the pretty picture below to see what we are up to:

Screen Shot 2013-06-29 at 19.43.57


As you can see they are very well priced and one of them is named after me…whats your point?



Fixes and Improvements

Squidwolf Minecraft

  • The memory leak, most visible when detonating large amounts of TNT, has been plugged.
  • Our server no longer causes client crashes because of network traffic.
  • Character portraits are no longer randomly deleted in Squidwolf Tower.
  • Support no longer sends out emails twice.
  • Rank list has returned to
  • Multiple errors regarding permissions and ranks have been fixed.
  • Spleef has been completely removed from the server while we fix Faction conflict issues.
  • You can now use Squidwolf Support to request item reimbursements.

Squidwolf Mail

  • Further optimizations to the load balancer.

Squidwolf Hosting

  • Delayed domain transfers, renewals, and registrations have been resumed.

Squidwolf WiFi

  • We have strengthened our antennas and widened our channels in an attempt to block out and/or eliminate interference from nearby networks.