
MyAAC v1.0

I'm using the latest version of MyAAC.

For some reason I can't open Settings in the admin panel?? It did work with the older version though.
 

What error do you get? Try enabling this in config.local.php:

$config['env'] = 'dev';
 
when i upload 'the canary theme' (12mb)
Request has been cancelled due to security reasons - token is invalid. Go back
 

That's because of PHP upload limits.

Here's some info:

The hardest part might be locating the php.ini

If you tell me your OS (Operating System) and Webserver (Apache, xampp, nginx, etc.), then I can tell you where it is.
 
Ubuntu 20.04
Php 8.1
Apache2

upload_max_filesize = 200M
max_file_uploads = 200
 

Then it should be somewhere inside of /etc/php/8.1/

Also remember to change this too:

post_max_size = 200M

Did it work?
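A check for the two settings discussed above, added here as an example (it is not code from the thread or from MyAAC). It matters because a POST body larger than post_max_size makes PHP discard $_POST and $_FILES entirely, so the CSRF token field never reaches the application and the upload fails with a "token is invalid" message rather than a size error; post_max_size must therefore be at least upload_max_filesize. On Ubuntu the Apache module reads /etc/php/8.1/apache2/php.ini while the CLI reads /etc/php/8.1/cli/php.ini, so `php --ini` on the command line does not show the file the website uses. The sample php.ini files written below are constructed for the demonstration; the function names are my own.

```shell
#!/bin/sh
# Added example: sanity-check PHP upload limits in a given php.ini.
# Not part of MyAAC; function names are my own choices.

# Convert a php.ini size value (200M, 8M, 2G, 512K, or a bare number) to bytes.
ini_size_to_bytes() {
  v="$1"
  n=$(printf '%s' "$v" | sed 's/[^0-9]*$//')
  u=$(printf '%s' "$v" | sed 's/^[0-9]*//' | tr '[:lower:]' '[:upper:]')
  case "$u" in
    G)  echo $((n * 1024 * 1024 * 1024)) ;;
    M)  echo $((n * 1024 * 1024)) ;;
    K)  echo $((n * 1024)) ;;
    "") echo "$n" ;;
    *)  echo 0 ;;
  esac
}

# Print the active (uncommented) value of key $2 in php.ini $1; empty if unset.
ini_get() {
  grep -E "^[[:space:]]*$2[[:space:]]*=" "$1" | tail -n1 \
    | sed 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//'
}

# Return 0 when post_max_size >= upload_max_filesize, 1 otherwise.
# Missing keys fall back to PHP's built-in defaults (2M and 8M).
check_upload_limits() {
  ini="$1"
  up=$(ini_get "$ini" upload_max_filesize)
  post=$(ini_get "$ini" post_max_size)
  upb=$(ini_size_to_bytes "${up:-2M}")
  postb=$(ini_size_to_bytes "${post:-8M}")
  if [ "$postb" -ge "$upb" ]; then
    echo "OK: upload_max_filesize=${up:-2M} post_max_size=${post:-8M}"
    return 0
  fi
  echo "PROBLEM: post_max_size=${post:-8M} is smaller than upload_max_filesize=${up:-2M}"
  return 1
}

# Demonstration on two constructed php.ini fragments (not real server files).
demo_good=$(mktemp)
printf 'upload_max_filesize = 200M\npost_max_size = 200M\n' > "$demo_good"
demo_bad=$(mktemp)
printf 'upload_max_filesize = 200M\n;post_max_size = 500M\npost_max_size = 8M\n' > "$demo_bad"

check_upload_limits "$demo_good" || :
check_upload_limits "$demo_bad" || :
rm -f "$demo_good" "$demo_bad"
```

Run it against the real file with `check_upload_limits /etc/php/8.1/apache2/php.ini` after sourcing the script, then restart Apache so the module picks up the change.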
 

It doesn't work, I have max_size set to 200Mb and 200 files.
The template file is ~12mb + a few files.
I have slow internet, it loads for a long time but in the end it still throws the token error.
Can it be uploaded manually somehow? Or do you have any other idea?
 

You can use the command:

php aac plugin:install path_to_plugin.zip

where path_to_plugin is the full path to the plugin zip file, like: /home/ots/myaac-theme-canary-v1.0.zip

Other than that - 1) which file did you edit?

2) Did you restart apache/nginx afterwards?
 
/etc/php/8.1/apache2/php.ini
Yes, I restarted it a lot of times...

root@v1753036545:~# php aac plugin:install /var/www/html/plugins/myaac-theme-canary-v1.1.1.zip
Could not open input file: aac
root@v1753036545:~#
 

You need to enter /var/www/html first:

cd /var/www/html
 
Password Strength
Some sites for 'hackers' show a message like "Your password is used by XX other accounts of that site" (compare hashes in the database), which looks much more scary than some password strength analysis by algorithm.

For sure code that analyses password strength should be added to the website (JS), but it should not block the possibility to make an account with a "bad" password (PHP). Sometimes you just want to create an account like gesior/gesior on a random OTS to test something on www/OTS, and the acc. maker code should not block it. It should warn normal OTS users about their weak password.
Requirements like "1 letter" + "1 number" + "1 special character" to create an account just make people use the same "unique" password on multiple OTSes. The acc. maker should allow people to create an account with a password like 1. It's safer than forcing people to use a 'strong password'.

If you plan to add a tool like this into MyAAC, it should read something like weak_passwords.txt (plain text or hashes - auto-detect the OTS password format; or use a MySQL table for this) and warn players who use these passwords, so OTS owners can warn players about the weak password they use (passwords they used before on the given OTS - probably also on other OTSes). Most OTSes have multiple "editions" and the owner can create their own list of "used hashes" to warn players to use a different password.
e.g. You go to "OTS 1" and set the password gesior. Then you go to "OTS 2", which says that your password is not strong, so you set the password gesior1. Then you use gesior1 on XX other OTSes - old acc. makers without weak_passwords.txt - and come back to the new edition of "OTS 1" still using gesior1 as a strong password. It's not strong anymore, XX other OTSes know it!

As MyAAC is the only acc. maker that works with the latest TFSes and canary (Gesior2012 and Znote - probably - are dead), you should consider security seriously. Your acc. maker security is the security of 90% of OTSes now.

I worked for multiple big OTSes and they all got into trouble, because ~5% of the top 1000 players got hacked and they got reports from players like "OTS is hacked", but it wasn't the OTS, it was just player accounts. Often hacked by other OTS owners, who used 'plain' encryption in the database and scanned 40k+ "known" account-password pairs. You can reduce it by limiting wrong "logins" to OTS/www per IP per hour (it's already in the OTS engine, but not on www), but attackers often use 1k+ IPs and scan slowly. On kasteria.pl I added a big red warning on top of the account registration site: "Do not use the same password as on other OTSes! They will try to hack your account!". It helped a lot, at least players planning to go 'top 100' used different passwords.

Also, a few years ago there were hackers who promoted fake OTS starts on OTLand, otservlist etc. just to get an account-email-password database. The OTS never started, there was no OTS at all, just a website that collected account-email-password in clear text to hack other OTSes' accounts.

Some people messaged me - in the last 10 years - on Discord with offers of 100-1000$ to sell big OTSes' login-password databases, even with MD5/SHA1 passwords (not plain text). They would crack the password hashes and use them to scan all new popular OTSes to steal premium points/crystal coins and get a lot of $$$ selling them for RL money.
I don't care about this kind of offer, but some OTS owners - who had 200+ players at the start and whose OTS failed after X days online - may sell their databases to hackers.
 
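One way to implement the "warn, don't block" check proposed in the post above, as an added example that is neither MyAAC's code nor the library the maintainer mentions later. It reads a weak_passwords.txt-style list where each entry may be a plain-text password or an MD5/SHA1 hex digest, detects the format per entry (the two hash formats are taken from the post; real installations may use others), and returns a warning string for the registration page instead of rejecting the account. The function names and the embedded sample list are my own constructions.

```php
<?php
// Added example (not MyAAC code): warn-only weak/reused password check.
// Assumptions: list entries are plain text, md5 hex or sha1 hex; the
// function names and the sample list below are made up for this example.

declare(strict_types=1);

// Detect how a list entry is stored: 32 hex chars -> md5, 40 -> sha1,
// anything else is treated as a plain-text password.
function detectEntryFormat(string $entry): string
{
    if (preg_match('/^[0-9a-f]{32}$/i', $entry) === 1) {
        return 'md5';
    }
    if (preg_match('/^[0-9a-f]{40}$/i', $entry) === 1) {
        return 'sha1';
    }
    return 'plain';
}

// Bring the candidate password into the same representation as the entry.
function representPassword(string $password, string $format): string
{
    return match ($format) {
        'md5' => md5($password),
        'sha1' => sha1($password),
        default => $password,
    };
}

// Parse list contents: one entry per line, '#' comments and blank lines ignored.
function parseWeakList(string $contents): array
{
    $entries = [];
    foreach (preg_split('/\R/', $contents) as $line) {
        $line = trim($line);
        if ($line === '' || $line[0] === '#') {
            continue;
        }
        $entries[] = $line;
    }
    return $entries;
}

// Return a warning message if $password appears in the list, otherwise null.
// The caller only displays the warning; registration is never blocked here.
function weakPasswordWarning(string $password, array $entries): ?string
{
    foreach ($entries as $entry) {
        $format = detectEntryFormat($entry);
        $candidate = representPassword($password, $format);
        // Hex digests compare case-insensitively; plain passwords do not.
        $left = $format === 'plain' ? $entry : strtolower($entry);
        $right = $format === 'plain' ? $candidate : strtolower($candidate);
        // Constant-time comparison, the same helper PHP recommends for hashes.
        if (hash_equals($left, $right)) {
            return 'This password is on the list of passwords already used on this '
                 . 'or other servers. You can still register, but consider choosing '
                 . 'a different one.';
        }
    }
    return null;
}

// Constructed sample list: a plain word, an md5 of "gesior1" and a sha1 of "123456".
$sampleList = implode("\n", [
    '# one entry per line: plain text, md5 hex or sha1 hex',
    'gesior',
    md5('gesior1'),
    sha1('123456'),
]);

$entries = parseWeakList($sampleList);

foreach (['gesior', 'gesior1', '123456', 'Gesior1', 'correct horse battery staple'] as $pw) {
    $warning = weakPasswordWarning($pw, $entries);
    printf("%-30s %s\n", $pw, $warning === null ? 'no warning' : 'WARN');
}
```

In a registration handler the returned string would be rendered next to the form (or sent back as JSON for the client-side strength check) while the account is still created, which is exactly the behaviour the post argues for. Because the list is compared entry by entry, a server owner can mix their own "used hashes" from an earlier edition with plain-text common passwords in one file.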

The script I use already uses something like that - a database of common passwords and words.


This is the library I use. Soon I will be able to share the code, as I will add it to MyAAC or plugins (depending on the questionnaire).

The limiting of failed login attempts is already there. After 5 failed attempts the IP is blocked. That has been in MyAAC for a very long time.

I will also allow weak passwords and will just show a warning that it's unsafe, as you said.
 
Seems like you are using Composer and Symfony; why not use the Symfony password rules? Anyway, good work with the plugin.
 

I didn't know Symfony had something like that; if I had, I would probably have used it.

Now it's too late, because the plugin is ready. There is no need to rewrite, but if you think Symfony is better, I am open to PRs :)
 
Always when I use the quicklogin/sidebar login:
Request has been cancelled due to security reasons - token is invalid
Normal login works normally.
 