
GESIOR 2012 - Version 1.0.1 for 0.2.x, 0.3.6 and all 0.4

I was using Gesior 2012 + Uniform Server.

10 minutes ago, some player logged on to my OT.
07:34 Adivinaa [8]: I have a nice bug on your website
07:34 Adivinaa [8]: folder classes
07:34 Adivinaa [8]: I have infinite premium points.
07:34 Adivinaa [8]: pay me 30€ or i will close your ot.
07:34 Adivinaa [8]: okay, as you like, check now the accounts, All have 9999999 premium points.

wtf??
 
1. Give a link to your OTS site, the version of acc. maker you use, and the TFS distro.
2. Never trust hackers: if you found a bug in buypoints.php and wanted 30 euro from the hoster, would you tell him the bug is in buypoints.php or in classes? ;)
EDIT:
3. Never negotiate with terrorists.

Do you host on Windows? I can try to hack the database of your OTS with some scripts.
I know of problems in the acc. maker that can let someone hack the database / DDoS the OTS if it's hosted on a badly configured web server + badly configured MySQL (= XAMPP or another easy-to-run Windows package), but the acc. maker can't be responsible for the stupidity of hosters.

EDIT 2:
Code in the acc. maker that 'edits' the number of points:
---------------------
folder 'classes' - NONE, hmm.. no comment.
---------------------
config/config.php
PHP:
$config['site']['generate_new_reckey_price'] = XXX
(a value below 0 adds points!)
---------------------
pages/buypoints.php
PHP:
$account->set('premium_points', ($account->getCustomField('premium_points')+$number_of_points));
(gives points after you enter the code from an SMS [Dotpay.pl system])
---------------------
pages/zaypay_report.php
PHP:
$account->set('premium_points', ($account->getCustomField('premium_points')+$number_of_points));
(gives points after a report of a valid payment from zaypay.com)
---------------------
pages/shopsystem.php
PHP:
$account_logged->setCustomField('premium_points', $user_premium_points-$buy_offer['points']);
...
$account_logged->setCustomField('premium_points', $user_premium_points-$buy_offer['points']);
(removes points after you buy an item or container; if the price of the item is below 0 it GIVES points)
---------------------
paypal_report.php
PHP:
$account->setPremiumPoints($account->getPremiumPoints() + $pay['premium_points']);
(adds points after a report from the paypal.com IPN system)
---------------------

If someone can manipulate 'all' accounts at once, it means that he found something I did not find in the last years, or he just uses phpMyAdmin / connects to the database from a remote PC (host MySQL on localhost only!!! not on a global IP!)

EDIT 3:
If you have the access.log of the www server, send it to me. I will analyse it and try to find what the 'hacker' did.
 

I will send you a private msg
 
Sorry, but it made me soooo angry.
UNINSTALL
YOUR
FUCKING
contenidopago.com
SYSTEM
Buypoint - Farlia


part of the sms.php file you added to the acc. maker:
PHP:
$name=$_GET['name'];
...
$sql = "UPDATE accounts SET premium_points = premium_points + $puntos WHERE name = '$name'";
What happens if you enter a valid SMS code on Buypoint - Farlia and, in place of the account name, type: Gesior' OR 1 = 1 OR `name` = 'Hax
It gives points to all accounts? Really?

I made that acc. maker public because I wanted to stop hearing about hacks of OTSes and my acc. maker, and what did you do? YOU INSTALLED A SCRIPT MADE BY SOME IDIOT!

EDIT:
Replace the sms.php code with:
PHP:
<?php
error_reporting (1);
include('sms_conf.php');

$dbc = mysql_connect($host,$user,$pass) or die("DB connection error");
mysql_select_db($db,$dbc);

$name=$_GET['name'];
$codigo=$_POST['codigo'];

if(isset($_POST['formcodigo']))
{
	$name=$_POST['name'];
	$QueryString  = "LinkUrl=".urlencode((($_SERVER['HTTPS']=='on')?'https://':'http://').$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI']);
	$QueryString .= "&codigo=" .urlencode($codigo);
	$QueryString .= "&idservicio=" .$idservicio;
	if(intval(get_cfg_var('allow_url_fopen')) && function_exists('file_get_contents'))
	{
		$result=@file_get_contents("http://contenidopago.com/codigoval.php?".$QueryString); 
	}
	elseif(intval(get_cfg_var('allow_url_fopen')) && function_exists('file'))
	{
		if($content = @file("http://contenidopago.com/codigoval.php?".$QueryString)) 
		  $result=@join('', $content);
	}
	else
	{
		print "It appears that your web host has disabled all functions for handling remote pages and as a result the BackLinks software will not function on your web page. Please contact your web host for more information.";
	}

	if ($result=='ok')
	{
		$dbc = mysql_connect($host,$user,$pass) or die("DB connection error");
		mysql_select_db($db,$dbc);

		if(!(empty($name)))
		{
			$sql = "UPDATE `accounts` SET `premium_points` = `premium_points` + $puntos WHERE `name` = '" . mysql_real_escape_string($name) . "'";
			$res = mysql_query($sql,$dbc);
			if(mysql_affected_rows() == 0)
			{
				die('This username does not exist: <font color="blue">'.htmlspecialchars($name).'</font>');	
			}
			// escape the user-supplied code before echoing it back (reflected XSS otherwise)
			die('Codigo: ' . htmlspecialchars($codigo) . ' ok, Points added to your account');
		}
		else
		{
			die('You did not set the user!');
		}
	}
	if ($result=='no')
	{
		die ('This code has already been used');
	}

}

$puntos = (int) $_GET['puntos'];

$hf = fopen('http://www.contenidopago.com/validate.php', 'r');
$line = fgets($hf);
$restringidas = explode('|',$line);


$ip=$_SERVER['REMOTE_ADDR'];

if(!in_array($ip,$restringidas))
	die("You are not able to use this system!");


if($_GET['check']==1)
{
	if($name!='')
	{
		$sql="SELECT * FROM `accounts` WHERE `name`='" . mysql_real_escape_string($name) . "'";
		$result=mysql_query($sql);
		if (mysql_num_rows($result) == 0 )
	 	{
			die ("This user does not exist: " . htmlspecialchars($name));
		} 
		else 
		{
			die('ok');	
		}
	}
}


if($_GET['paypal']==0)
{
	
	if(!(empty($name)))
	{
    	$sql = "UPDATE `accounts` SET `premium_points` = `premium_points` + $puntos WHERE `name` = '" . mysql_real_escape_string($name) . "'";
    	$res = mysql_query($sql,$dbc);
   		if(mysql_affected_rows() == 0)
        	die('This username does not exist: '.htmlspecialchars($name));
	}
	else
    	die('You did not set the user!');
	
	die ('ok');
	
	}


if(!(empty($name)))
{
    $sql = "UPDATE `accounts` SET `premium_points` = `premium_points` + $puntos WHERE `name` = '" . mysql_real_escape_string($name) . "'";
    $res = mysql_query($sql,$dbc);
   	if(mysql_affected_rows() == 0)
       	die('This username does not exist: '. htmlspecialchars($name));
}
else
    die('You did not set the user!');
	
die ('ok');

?>
and your page will be safe.
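The injection Gesior describes above, as an added example that is not part of the thread and not code from Gesior's acc. maker or from contenidopago.com: a Python/sqlite3 stand-in for the `accounts` table runs the exact payload from the post through the original string-built UPDATE, then through a parameterised one. The table layout, the three sample accounts and the `valid_account_name` allowlist are my assumptions; mysql_real_escape_string, used in the fix above, closes the same hole by escaping, whereas a bound parameter never lets the name be parsed as SQL at all.

```python
import re
import sqlite3

# Constructed sample data (not from the thread): three accounts with zero points.
SAMPLE_ACCOUNTS = [("Gesior", 0), ("Hax", 0), ("Adivinaa", 0)]

# The exact payload from the post, typed into the account-name field.
PAYLOAD = "Gesior' OR 1 = 1 OR `name` = 'Hax"


def make_db():
    """In-memory stand-in for the `accounts` table of a Gesior/TFS database (assumed layout)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (name TEXT PRIMARY KEY, premium_points INTEGER NOT NULL)")
    db.executemany("INSERT INTO accounts VALUES (?, ?)", SAMPLE_ACCOUNTS)
    return db


def add_points_vulnerable(db, name, puntos):
    """The original contenidopago pattern: the name is spliced straight into the SQL.
    Returns the number of rows the UPDATE touched."""
    sql = (f"UPDATE accounts SET premium_points = premium_points + {int(puntos)} "
           f"WHERE name = '{name}'")
    return db.execute(sql).rowcount


def add_points_safe(db, name, puntos):
    """Hardened version: the name travels as a bound parameter, so a quote inside it
    cannot terminate the string literal. rowcount stays the 'does this account exist'
    check the PHP fix does with mysql_affected_rows()."""
    return db.execute(
        "UPDATE accounts SET premium_points = premium_points + ? WHERE name = ?",
        (int(puntos), name),
    ).rowcount


def valid_account_name(name):
    """Optional defence in depth (my assumption, not part of the page's fix): letters,
    digits and spaces only, 1-32 chars, so injection characters never reach SQL."""
    return re.fullmatch(r"[A-Za-z0-9 ]{1,32}", name) is not None


def points(db):
    """Current points per account, for inspecting the effect of each UPDATE."""
    return dict(db.execute("SELECT name, premium_points FROM accounts"))


def demo():
    """Run the payload through both versions; returns (rows hit vulnerable, rows hit safe)."""
    vuln = make_db()
    hit_vuln = add_points_vulnerable(vuln, PAYLOAD, 5)   # WHERE ... OR 1 = 1: every account +5
    safe = make_db()
    hit_safe = add_points_safe(safe, PAYLOAD, 5)         # no account has that literal name: 0 rows
    return hit_vuln, hit_safe


if __name__ == "__main__":
    print(demo(), valid_account_name(PAYLOAD))
```

With the payload, the vulnerable query's WHERE clause becomes `name = 'Gesior' OR 1 = 1 OR `name` = 'Hax'`, which is true for every row, so the affected-rows check passes and all accounts are credited; the bound-parameter version matches nothing and returns 0, which the PHP fix turns into "This username does not exist".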
 

Sorry, I had installed the script from contenidopago.com :S

Now I have installed the latest version of your acc. maker, can you check it?

Thanks :)
 
You can use the old script if it's somehow better. Just replace the sms.php code with the code from my post.

That hacker hacked 3 [3 guys PMed me with the same problem and the same IP of the hacker] or more OTSes that used code from contenidopago.com.
 
In the files:
/ajax_check_name.php - it just shows if a name is valid/not valid
/system/load.compat.php - a function in that file blocks the character-creation script if the name is invalid, so it's more important

there are arrays:
PHP:
$names_blocked = array('gm','cm', 'god', 'tutor');
add to both files the names that you want to block (lowercase), for example:
PHP:
$names_blocked = array('gm','cm', 'god', 'tutor', 'dragon lord', 'orc warlord');

EDIT:
Both files also contain the line:
PHP:
$temp = strspn("$name", "qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM- '");
Change it in both files to:
PHP:
$temp = strspn("$name", "qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM ");
then it will not be possible to make a character with - or ' in the name.
 
Gesior, can you fix your war system script? When a guild accepts a war, the two guilds have the same logo.
The old scripts don't work for me.
 
Hi !

This bug is more than three years old; if you use the latest version of "sms.php" it is totally safe.

We provide integration for micro payments; you can use any script to manage it. If you use the pre-created one, it is important to use the latest version.

Regards,
 

The one made by Gesior or the other one from your site?
 
Do not lie!
I downloaded all integrations (gesior and modern) from:
Contenidodepago - Soluciones de calidad en SMS
and (gesior 0.3.6 + your script):
Contenidodepago - Soluciones de calidad en SMS

and all .zip and .rar packs have the same bugged sms.php file [SQL injection and XSS attacks possible] that lets anyone add points to all accounts on an OTS if they have one valid SMS code.

I'm pretty sure that it's possible to add points a few times with one SMS code if you send many HTTP requests 'at the same time'.

I got the access.log from one popular American OTS whose owner has a problem with a hacker. Yesterday he had the problem that a guy added points to all accounts via sms.php.
I sent him a fixed version of sms.php ( http://otland.net/f118/gesior-2012-...3-6-all-0-4-a-176677/index14.html#post1759877 ), but today the hacker came back and again added points to an account (only his) via sms.php. The only possibility is that he 'somehow' gets free SMS codes. Now my friend changed your integration to the default 'Gesior 2012' integration + 1 fix and we will see if it will be OK now.
 
Strict Standards: date() [function.date]: It is not safe to rely on the system's timezone settings. Please use the date.timezone setting, the TZ environment variable or the date_default_timezone_set() function. In case you used any of those methods and you are still getting this warning, you most likely misspelled the timezone identifier. We selected 'Europe/Helsinki' for '2.0/no DST' instead in C:\xampp\htdocs\classes\account.php on line 147

Strict Standards: date() [function.date]: It is not safe to rely on the system's timezone settings. Please use the date.timezone setting, the TZ environment variable or the date_default_timezone_set() function. In case you used any of those methods and you are still getting this warning, you most likely misspelled the timezone identifier. We selected 'Europe/Helsinki' for '2.0/no DST' instead in C:\xampp\htdocs\pages\accountmanagement.php on line 60

Strict Standards: date() [function.date]: It is not safe to rely on the system's timezone settings. Please use the date.timezone setting, the TZ environment variable or the date_default_timezone_set() function. In case you used any of those methods and you are still getting this warning, you most likely misspelled the timezone identifier. We selected 'Europe/Helsinki' for '2.0/no DST' instead in C:\xampp\htdocs\pages\accountmanagement.php on line 60

Parse error: syntax error, unexpected T_PAAMAYIM_NEKUDOTAYIM in C:\xampp\htdocs\classes\databaselist.php on line 105


Can anyone help me with this error?
 