WARNING
There are a few common exploits found in all versions of Gesior AAC. When it was created solely by Gesior I think there was probably only one bug, which concerns guild images. I do not think Gesior intentionally created an exploit, but Liugarneth (also known as Widnet), a member of the new "Gesior AAC team" has created an exploit intentionally. I talked to somebody (who is now a very good friend of mine) and he told me where the exploits were. So the credits go to him, and not me. Although he wishes to remain anonymous.
I did not find these exploits. I am only telling you where they are and how to fix them!
Without further adieu:
in guilds.php:
Replace:
With this:
This will remove "/", "\" and ".." from the guild_logo name. Now it should be impossible to hack gesiors AAC through guilds.php this way.
Credits to stian for the idea. And to Mazen for posting it Here!
Now on for the next step:
houses.php
I suggest removing this completely, I have not been able to check the new resources for Gesior AAC 0.3.6 but I was told that this file has the ability to allow a user to view your config.lua using HTML. - Thus, letting people into your PMA.
latestnews.php
I suggest removing your news ticker, there is an exploit that allows users to create an account and write their own news. As you think this may not be dire, with the correct script, they could disable people from viewing your website, and redirecting it to theirs. If somebody knows how to patch this, I'd love to post it besides just "Delete it". But I guess I will just write this because my tutorial is more for awareness and pointing out all Gesior exploits, intentional or not. Thank you.
These are the only known-exploits for Gesior AAC. guilds.php affects ALL users, and I'm pretty sure houses.php is the new backdoor created for the "Gesior AAC Team" to access servers. To be 100% secure, I suggest removing houses and doing what I said for guilds.
If you know of any other Gesior exploits, and would like me to post how to prevent it/patch it please PM me, this is your warning!
Have fun & good luck!
Red
There are a few common exploits found in all versions of Gesior AAC. When it was created solely by Gesior I think there was probably only one bug, which concerns guild images. I do not think Gesior intentionally created an exploit, but Liugarneth (also known as Widnet), a member of the new "Gesior AAC team" has created an exploit intentionally. I talked to somebody (who is now a very good friend of mine) and he told me where the exploits were. So the credits go to him, and not me. Although he wishes to remain anonymous.
I did not find these exploits. I am only telling you where they are and how to fix them!
Without further adieu:
in guilds.php:
Replace:
PHP:
$guild_logo = $guild->getCustomField('logo_gfx_name'); if(empty($guild_logo) || !file_exists("guilds/".$guild_logo)) $guild_logo = "default_logo.gif";
With this:
PHP:
foreach (array("/", "\\", "..") as $char) {
$guild_logo = str_replace($char, "", $guild->getCustomField('logo_gfx_name'));
}
if (empty($guild_logo) || !file_exists("guilds/".$guild_logo)) {
$guild_logo = "default_logo.gif";
}
This will remove "/", "\" and ".." from the guild_logo name. Now it should be impossible to hack gesiors AAC through guilds.php this way.
Credits to stian for the idea. And to Mazen for posting it Here!
Now on for the next step:
houses.php
I suggest removing this completely, I have not been able to check the new resources for Gesior AAC 0.3.6 but I was told that this file has the ability to allow a user to view your config.lua using HTML. - Thus, letting people into your PMA.
latestnews.php
I suggest removing your news ticker, there is an exploit that allows users to create an account and write their own news. As you think this may not be dire, with the correct script, they could disable people from viewing your website, and redirecting it to theirs. If somebody knows how to patch this, I'd love to post it besides just "Delete it". But I guess I will just write this because my tutorial is more for awareness and pointing out all Gesior exploits, intentional or not. Thank you.
These are the only known-exploits for Gesior AAC. guilds.php affects ALL users, and I'm pretty sure houses.php is the new backdoor created for the "Gesior AAC Team" to access servers. To be 100% secure, I suggest removing houses and doing what I said for guilds.
If you know of any other Gesior exploits, and would like me to post how to prevent it/patch it please PM me, this is your warning!
Have fun & good luck!
Red
Last edited: