
[Gesior AAC] How to block NOOB hackers


Xampy

Hello!

Some days ago I saw a BIG BUG in Gesior's AAC. This bug allows you to know every password of every server that uses Gesior's AAC.

I won't explain how to obtain the database passwords; I will tell you how to prevent hack attacks on your server:

MySQL Users

Go to C:\xampp\htdocs\pot and open the file OTS_DB_MySQL.php. Go to around line 96 and:
change:
Code:
        // PDO constructor
        parent::__construct('mysql:' . implode(';', $dns), $user, $password);
    }
with:
Code:
        // PDO constructor. An uncaught PDOException here would be rendered by
        // PHP with a stack trace whose PDO::__construct() frame lists the DSN,
        // user and password, so catch it and print a generic message instead.
        try
        {
            parent::__construct('mysql:' . implode(';', $dns), $user, $password);
        }
        catch(PDOException $error)
        {
            echo 'Can\'t connect to MySQL database.';
            exit;
        }
    }
And save the file.



SQLite Users

Go to C:\xampp\htdocs\pot and open the file OTS_DB_SQLite.php. Go to around line 54 and:
change:
Code:
        // PDO constructor
        parent::__construct('sqlite:' . $params['database']);
with:
Code:
        // PDO constructor. Same reason as for MySQL: an uncaught PDOException
        // would expose the constructor arguments (here the database path) in
        // the error page, so catch it and print a generic message instead.
        try
        {
            parent::__construct('sqlite:' . $params['database']);
        }
        catch(PDOException $error)
        {
            echo 'Can\'t connect to SQLite database.';
            exit;
        }
And save the file.




Regards.
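The same fix written out as a stand-alone connection helper, added here as an example; it is not code from this thread or from Gesior's AAC/POT. The function name connectDb, the parameter array and the credentials are this example's own, and the credentials are deliberately wrong so the catch branch runs.

```php
<?php
// Added example (not Gesior AAC / POT code). The bug discussed in the thread
// is an uncaught PDOException thrown by the PDO constructor: PHP's default
// uncaught-exception output includes a stack trace, and the frame for
// PDO::__construct() lists its arguments, i.e. the DSN, user name and password.
// The helper below catches the exception and shows visitors nothing sensitive.

declare(strict_types=1);

// Defence in depth: even if some other code path throws before a catch,
// do not render traces to visitors. Both are real php.ini options.
ini_set('display_errors', '0');             // errors go to the log, not the page
ini_set('zend.exception_ignore_args', '1'); // PHP >= 7.4: no call arguments in traces

function connectDb(array $params): PDO
{
    $dsn = sprintf('mysql:host=%s;dbname=%s', $params['host'], $params['database']);

    try {
        $pdo = new PDO($dsn, $params['user'], $params['password'], [
            PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        ]);
    } catch (PDOException $error) {
        // Keep the real reason server-side. getMessage() is the SQLSTATE text
        // and is fine to log; never echo the exception object itself, because
        // casting it to string includes the trace with the constructor args.
        error_log('DB connection failed: ' . $error->getMessage());
        // Generic message only: nothing about host, user or password.
        echo 'Database error - can\'t connect to MySQL database.';
        exit;
    }
    return $pdo;
}

// Constructed credentials: the wrong password (or no MySQL server at all)
// makes the constructor throw, which exercises the catch branch above.
$db = connectDb([
    'host'     => '127.0.0.1',
    'database' => 'otserv',
    'user'     => 'otserv',
    'password' => 'WRONG-PASSWORD-PLACEHOLDER',
]);
```

Run it under the CLI or a web server with the wrong password and only the generic line appears; the SQLSTATE reason lands in the PHP error log.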
 
A year ago I noticed that, while connecting to the MySQL database, if the login fails the MySQL password is displayed to the user, but Wrzasq told me that there is a way to stop it.
------------------------------------
I thought that this stops that error:
PHP:
    //connect to MySQL database
    try
    {
        $ots->connect(POT::DB_MYSQL, array('host' => $mysqlhost, 'user' => $mysqluser, 'password' => $mysqlpass, 'database' => $mysqldatabase) );
    }
    catch(PDOException $error)
    {
        echo 'Database error - can\'t connect to MySQL database. Possible reasons:<br>1. MySQL server is not running on host.<br>2. MySQL user, password, database or host isn\'t configured in: <b>'.$config['site']['server_path'].'config.lua</b> .<br>3. MySQL user, password, database or host is wrong.';
        exit;
    }
PM me the way to abuse it. Please do it fast, because I want to post a new version of acc. maker 0.3.x in a few days (a version for TFS 0.3.4 with many small bug fixes [guilds, spells, server status, characters page] and a TFS 0.3.5 version with a new death list script).
 
@Gesior.pl:
PM Sent.

@klekSu:
;)

@thread:
All who use this AAC, change your password to prevent a hack, because someone can get your password through this bug.
 
Xampy, I'm using TFS 0.2.3, MySQL, and I enter the account manager, create an account, and when I say YES to the created character, the acc manager says "Your character cannot be saved", bla bla. Why? Can you help... and can you post a script to execute in SQL? I deleted my acc manager from my database, now I don't have an acc manager anymore ;/
 
THX for the info Xampy. How did you find this bug? Answer here or PM me if you think it's too important information (noobs shouldn't know how to hack not updated otses). I hope it wasn't by someone hacking your server..
--------
The option that lets you abuse this bug is not available in acc. maker for 0.2.x.
I'll fix this bug in acc. maker for 0.3, but it's really hard to abuse! The new acc. maker for TFS 0.3.4 and 0.3.5 (beta/priv svn server) will be available 20.06.2009 (fixes known bugs like this and adds new features). All admins of big otses (50+ ?) should wait for this update, because someone can try to hack your ots X minutes after the update (with this bug). If you want e-mail/MSN [tell me if you are registered on MSN] info 1-5 minutes before the update, send me a priv message on the forum (I'll add you on MSN or send you an e-mail) now with your e-mail/MSN and IP/address of the server (only servers with 50+ online will get info, not noob hackers [pro hackers can get info, pro hackers can find this bug without my info :/ ]).
--------
The change from the first post really protects you from attack (abuse of this bug) by a hacker. If you host a really big ots (100+) DO IT NOW (or wait for the update, but better update the .php file now)!
 
gief me the secret hak plz
 
Hahaha, everybody wants to know how you can hack with this...
I won't post the method here, maybe by PM to admins that want to know how...

Thank you all.
 
Yep, it's really simple to hack :eek: thanks for this man, it's very important to change this!
 
0.o !
I won't tell the way to "hack" until Gesior releases the new AAC, 'cause many people may still have this bug.
 
The latest Unnamed AAC by Gesior isn't protected. The Unnamed AAC edited by Norix is protected.
 
Can someone tell me how do I protect my 2.2 version of Gesior acc maker please..
 