
:( gesior/znote AAC

imback1 (Unknown member; joined Jul 11, 2013; 785 messages; 1 solution; reaction score 46)
Hello guys, there is something that's going to make me crazy! I asked so many players about Znote and Gesior AAC and they told me that Znote is perfect and Gesior AAC isn't secure, and when I tried to check OTs' websites I found Gesior/Modern AAC and didn't see any server using Znote AAC!! And Gesior has more features than Znote! Can you tell me why, please?! And what is the problem with Gesior?
@Gesior.pl
@Znote
 
Znote AAC is still being updated, most secure and developed by Znote :)
I'm using Znote AAC myself and I'm recommending it to anyone who searches for an AAC.

If you do compare Znote AAC and Gesior AAC, ZnoteAAC is better coded. (IMO)
 
But I need more features and I can't find any in Znote AAC, but if you look at Gesior AAC you will find so many :(
 
Here we go
powergamers
top fraggers
outfits of online players
flags of each player
TIBIA.COM LAYOUT
Items in profile
And there are so many features I can't remember them at the moment
 
Tried many of them and they didn't work, I mean Znote

A lot of users aren't that "up to date".
Short version: Gesior is just as safe.

Long version:
"Gesior" itself has A LOT of versions; the latest versions (that are uploaded to GitHub) are safe.
Many people think all versions are safe, but the older versions have huge problems with SQL injections as well as the image uploader etc.
The new one lacks a few things that the old one has, ex. the old news system (integrated into the forum now and loaded from the database).
The admin panel (not like it was really used, you are better off writing your own admin panel imo)

As @HalfAway said Znote AAC is written in a nicer way, the main reason why Gesior AAC is so messy is because it fully supports the tibia.com layout.
I got a Gesior 2012 version for 1.1 that I will be releasing when it's ready; most of the code has been cleaned up, fully supports Bootstrap instead of the ugly tibia.com layout etc.
I don't wanna say that Gesior AAC has "nice" code, it's the other way around... But the main thing I like about it is that if you want something, ex. top fraggers etc, you can download them from the forum.

Since Gesior uses a function for the SQL connection you don't have to worry about SQL injections when it comes to old scripts, as long as they use this function:
Code:
$sql->query("the query");

The main thing is that no one really has "worked" on Gesior AAC except @Gesior.pl; there are a lot of people who mainly just updated the database structure etc. in the older versions.


If you want my honest opinion - it's up to you. Either you go with Znote and either pay / wait to get the scripts / functions you want, or you use Gesior and accept the ugly layout and get the scripts etc. for free and simple to install.
 
Thanks for your reply. Actually I've downloaded Gesior AAC 2012 TFS 0.3.6, and what I understood from your reply is that Gesior isn't that bad with the newest version, Gesior fixed many issues with it, and you don't like the tibia.com layout :p but this is one of my reasons to use Gesior, the Tibia layout :p.
 
Everything you listed already exists for Znote AAC.

Power Gamers:
https://github.com/Znote/ZnoteAAC/blob/master/powergamers.php
Powergamers already exist in ZnoteAAC by default.

Top Fraggers:
https://github.com/Znote/ZnoteAAC/blob/master/killers.php
Already exists in Znote AAC by default.

Outfits for who is online: https://otland.net/threads/znote-aac-show-outfit-on-online-list.167194/

Flags for each player: https://otland.net/threads/znote-aac-flags-for-characterview-and-highscores.167053/

CipSoft Layout:
https://otland.net/threads/znote-aac-tibiacom-template.191625/
https://otland.net/threads/znote-aac-tibiacom-updated.193743/
https://otland.net/threads/znote-aac-tibiacom-by-luispro.205731/

Items in Profile:
https://otland.net/threads/znote-aac-characterprofile-eq-shower.210870/
 
Granted, I don't really have any experience with @Gesior.pl's latest AAC, and thus don't really know whether the query method is a custom method that allows parameters to be passed through as arguments and then used in a prepared statement or whatever. But regardless, the query method on its own isn't safe unless used properly. As an example, the following query uses the query method, yet is not safe from SQL injections.
Code:
$sql->query('SELECT * FROM players WHERE name = "'.$_GET['name'].'"');

Just thought I'd shed some light on the matter. I'm not saying Gesior's AAC isn't secure, but you should not consider all plugins using the query method to be secure.
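The point above, shown as an added example that is not code from Gesior AAC or Znote AAC: the same player lookup written once by pasting the input into the SQL text (the pattern in the quoted query line) and once as a prepared statement. It uses PDO with an in-memory SQLite database so it runs offline; the players table and its three rows are constructed sample data, and the function names are mine. For an ordinary name both versions return the same row; for input that contains a quote, the concatenated version lets the input alter the WHERE clause and returns every row, while the prepared statement looks for that literal string and returns nothing.

```php
<?php
// Added example (not Gesior or Znote code): the same lookup written two ways.
// PDO with an in-memory SQLite database so it runs offline; the player rows
// below are constructed sample data.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE players (id INTEGER PRIMARY KEY, name TEXT NOT NULL, level INTEGER NOT NULL)');
$db->exec("INSERT INTO players (name, level) VALUES ('Alice', 120), ('Bob', 45), ('Carol', 300)");

// Vulnerable: user input is pasted into the SQL text, the same shape as
// $sql->query('... name = "'.$_GET['name'].'"'). The wrapper (PDO::query here)
// cannot tell data from SQL, so it runs whatever the concatenation produced.
function findPlayerUnsafe(PDO $db, string $name): array
{
    $sql = "SELECT name, level FROM players WHERE name = '" . $name . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: a prepared statement sends the SQL and the value separately.
// The driver binds $name as data, so quotes inside it never change the query.
function findPlayerSafe(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT name, level FROM players WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Ordinary input behaves the same in both versions: one row for Bob.
print_r(findPlayerUnsafe($db, 'Bob'));
print_r(findPlayerSafe($db, 'Bob'));

// Input containing a quote: the unsafe version lets it rewrite the WHERE clause
// and returns every player; the safe version looks for the literal name and finds none.
$quotedInput = "' OR '1'='1";
echo count(findPlayerUnsafe($db, $quotedInput)), " rows from the concatenated query\n";
echo count(findPlayerSafe($db, $quotedInput)), " rows from the prepared statement\n";
```

Run it with `php example.php` (any PHP build with the pdo_sqlite extension). The design point is the one the post makes: whether the wrapper is called `query` or anything else, safety comes from keeping the SQL text fixed and passing values as bound parameters, not from which function executes the string.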
 

I'm not 100% sure either, but from what I understand one major problem with the old versions was the connection?
But what I know is that the clean version is secure; extremely hard to say that ALL the content you can download is safe. Most likely not haha..
So to be secure you should ofc look over the scripts, but I'd say that the major ones are safe.

The thing I wanted to get out is that the users that are saying Gesior is not safe. Both Gesior 2012 and Znote are secure.
Modern AAC (what I know) is also secure.
 
Security is a relative concept. What may be secure to one user, might not be secure at all for another. There will always be holes, whether it be SQL injections, XSS, CSRF or whatever else, the important part is that developers do their best to fix these holes upon discovery.

I was not trying to argue with you in any way, but rather enlighten you (or anyone else reading this for that matter) that solely relying on the query method for security might not be as foolproof as you may have thought.

My way of typing may appear demeaning, or argumentative at times, I'm sorry if that was the case. :)
 

Ofc, when a security bug is found it should be patched ASAP. But from what I know there are none in Gesior 2012; the websites I've seen getting hacked have used that old PayGol script.
Never said that if you use that query you are 100% safe :p

We should all learn from each other, otherwise you will just get stuck in a rut :p
I seem to get the same response that people are not trying to argue with me, so it's most likely me haha.
 
I wouldn't claim that either is secure since they haven't been audited by a security expert and last time I checked none of them were using good security practices for SQL (e.g. prepared statements, or ORM if that's your thing).

Last time I audited Znote AAC, it had multiple high severity vulnerabilities (see https://github.com/Znote/ZnoteAAC/pull/175), and the code was a mess to navigate.
 

Well I doubt that either Gesior or Znote would wanna hire a security expert to check a website they give out for free.
There are most likely a lot of things that could be changed to make it more secure, but still it's just an OT server and a website we got for free.
But may I ask, how did you check those things? Would be a good practice to check the website using it.

And if you ask me it's pretty "stupid" of the OT community to not stay with ONE AAC. Instead of creating (how many have we actually had)?
The one you created, Gesior, Znote, Modern AAC.
There are more than 4 different ones; it would be a lot better if we had stayed with one AAC and expanded it.
 
Competition is vital for any sort of growth in my eyes. Embrace the options rather than being limited to a sole contender.

Depends, at the same time there will be more users helping out to make it grow.
Just look at TFS, it has pretty much nothing to compete with but still gets a lot of attention.
 
It might not have any real contenders today, but go back in time and it has had plenty. In fact, TFS started out as one of the contenders. I can't speak for @Mark and whoever else contributed to the project, but I'd like to think that the competition brought motivation if nothing else. Having something to compare against, helps you realise what can be improved.
 

I'm just saying you shouldn't claim that certain AAC's are more secure than others when neither have had any security audit of their most recent version. FWIW, I just used grep with certain patterns where I suspected there would be security issues, but grep just helps you narrow it down and you still need to know what to look for and follow the code paths through all possible branches (which is incredibly hard with Znote AAC) to know if it's actually vulnerable and of which severity it is.

In my opinion, of the AAC's I've looked at, DevAAC is the best option you have right now. The back-end is built as an API, so the front-end is easily replaceable if you're not fond of its layout or Angular. It's a shame that it doesn't have a lot of users.
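The grep-based first pass described in the post above, as an added example written by the editor rather than taken from any AAC or from the poster: a short PHP script that scans source lines for `query(` calls whose argument concatenates a request superglobal, and separately flags concatenation of an ordinary variable so the reader knows to trace where that variable came from. The five source lines are constructed (the first is the query line quoted earlier in the thread) and the function name is mine. As the post says, this only narrows the search: a flagged line may be sanitised upstream, and a clean-looking line may still receive tainted data through a variable, so every hit still has to be read by hand.

```php
<?php
// Added example (not from any AAC): a first-pass scan for concatenated input
// in query() calls, as a script instead of a grep one-liner. Every hit still
// needs manual review of the code path, as the post explains.

// Constructed sample source lines standing in for a real AAC file.
$sourceLines = [
    '$sql->query(\'SELECT * FROM players WHERE name = "\'.$_GET[\'name\'].\'"\');',
    '$sql->query("SELECT * FROM accounts WHERE id = " . $_POST["id"]);',
    '$sql->query("SELECT * FROM players WHERE level > 100");',
    '$name = $_GET["name"];',
    '$sql->query("SELECT * FROM players WHERE name = \'" . $name . "\'");',
];

// Returns one finding per suspicious line: the 1-based line number and why it was flagged.
function scanForConcatenatedInput(array $lines): array
{
    $findings = [];
    foreach ($lines as $index => $line) {
        // query( ... '.' followed by a request superglobal, or a superglobal followed by '.'
        $superglobalBefore = '/query\s*\(.*\.\s*\$_(GET|POST|REQUEST|COOKIE)\b/';
        $superglobalAfter  = '/query\s*\(.*\$_(GET|POST|REQUEST|COOKIE)\b.*\./';
        // query( ... '.' followed by any plain variable: origin unknown, trace it
        $plainVariable     = '/query\s*\(.*\.\s*\$\w+/';

        if (preg_match($superglobalBefore, $line) || preg_match($superglobalAfter, $line)) {
            $findings[] = ['line' => $index + 1, 'reason' => 'request superglobal concatenated into query()'];
        } elseif (preg_match($plainVariable, $line)) {
            $findings[] = ['line' => $index + 1, 'reason' => 'variable concatenated into query(); trace where it is assigned'];
        }
    }
    return $findings;
}

foreach (scanForConcatenatedInput($sourceLines) as $finding) {
    printf("line %d: %s\n", $finding['line'], $finding['reason']);
}
```

On the sample above the script reports lines 1 and 2 as superglobals concatenated into `query()`, line 5 as a plain variable to trace (line 4 shows it is assigned from `$_GET`), and nothing for line 3, whose query text is fixed. Pointing it at a real tree means reading files with `file()` and feeding each file's lines to the same function.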
 