• There is NO official Otland's Discord server and NO official Otland's server list. The Otland's Staff does not manage any Discord server or server list. Moderators or administrator of any Discord server or server lists have NO connection to the Otland's Staff. Do not get scammed!

Gesior2012 and MyAAC bug - release 2022-04-26 at 21:00 CET

Gesior.pl

Mega Noob&LOL 2012
Senator
Joined
Sep 18, 2007
Messages
2,951
Solutions
98
Reaction score
3,344
Location
Poland
GitHub
gesior
I've get report about bug in logic of Gesior2012 acc. maker. I've tested MyAAC and there is same bug.
Some guy is going from server to server, abuse that bug and asks for ~15$ for fix.

What is it?

Guild owner can move players from other guilds to his own by changing their 'rank'.
By abusing this bug, he can destroy wars. He can move all players from other guild, including owner of guild, which makes guild members list empty.

Why? I want all OTS owners to update their website at same time. Before some idiots start to abuse it to destroy OTSes.
If you know any OTS owner, give him link to this thread.

If I will find bug description on any forum before that date. I will release fix immediately.
'Watch' this thread, if you don't want to miss early fix release.

Can someone hack OTS files? No.
Can someone hack OTS database? No.
Can someone get access to admin/GM account? No.
Can someone destroy game/waste time of some players? Yes.

I've contacted slawkens. He cannot be online at that date, so I will release fixes for Gesior2012 and MyAAC.


FIX

Gesior2012

Edit pages/guilds.php. Find ( Gesior2012/guilds.php at master · gesior/Gesior2012 (https://github.com/gesior/Gesior2012/blob/master/pages/guilds.php#L343) ):
PHP:
if($guild->getName() == $player_to_change->getRank()->getGuild()->getName() || $guild_leader)
Replace with:
PHP:
if($guild->getName() == $player_to_change->getRank()->getGuild()->getName())

MyAAC

Edit system/pages/guilds/change_rank.php. Find ( myaac/change_rank.php at master · otsoft/myaac (https://github.com/otsoft/myaac/blob/master/system/pages/guilds/change_rank.php#L89) ):
PHP:
if($guild->getName() === $player_to_change->getRank()->getGuild()->getName() || $guild_leader)
Replace with:
PHP:
if($guild->getName() === $player_to_change->getRank()->getGuild()->getName())
 
Last edited:
Bug: Guild owner can move players from other guilds to his own by changing their 'rank'.
By abusing this bug, he can destroy wars. He can move all players from other guild, including owner of guild, which makes guild members list empty.

FIX

Gesior2012

Edit pages/guilds.php. Find ( Gesior2012/guilds.php at master · gesior/Gesior2012 (https://github.com/gesior/Gesior2012/blob/master/pages/guilds.php#L343) ):
PHP:
if($guild->getName() == $player_to_change->getRank()->getGuild()->getName() || $guild_leader)
Replace with:
PHP:
if($guild->getName() == $player_to_change->getRank()->getGuild()->getName())

MyAAC

Edit system/pages/guilds/change_rank.php. Find ( myaac/change_rank.php at master · otsoft/myaac (https://github.com/otsoft/myaac/blob/master/system/pages/guilds/change_rank.php#L89) ):
PHP:
if($guild->getName() === $player_to_change->getRank()->getGuild()->getName() || $guild_leader)
Replace with:
PHP:
if($guild->getName() === $player_to_change->getRank()->getGuild()->getName())
 
Bug: Guild owner can move players from other guilds to his own by changing their 'rank'.
By abusing this bug, he can destroy wars. He can move all players from other guild, including owner of guild, which makes guild members list empty.

FIX

Gesior2012

Edit pages/guilds.php. Find ( Gesior2012/guilds.php at master · gesior/Gesior2012 (https://github.com/gesior/Gesior2012/blob/master/pages/guilds.php#L343) ):
PHP:
if($guild->getName() == $player_to_change->getRank()->getGuild()->getName() || $guild_leader)
Replace with:
PHP:
if($guild->getName() == $player_to_change->getRank()->getGuild()->getName())

MyAAC

Edit system/pages/guilds/change_rank.php. Find ( myaac/change_rank.php at master · otsoft/myaac (https://github.com/otsoft/myaac/blob/master/system/pages/guilds/change_rank.php#L89) ):
PHP:
if($guild->getName() === $player_to_change->getRank()->getGuild()->getName() || $guild_leader)
Replace with:
PHP:
if($guild->getName() === $player_to_change->getRank()->getGuild()->getName())
Just in time, you're amazing, thanks Gesior!
 
Bug: Guild owner can move players from other guilds to his own by changing their 'rank'.
By abusing this bug, he can destroy wars. He can move all players from other guild, including owner of guild, which makes guild members list empty.

FIX

Gesior2012

Edit pages/guilds.php. Find ( Gesior2012/guilds.php at master · gesior/Gesior2012 (https://github.com/gesior/Gesior2012/blob/master/pages/guilds.php#L343) ):
PHP:
if($guild->getName() == $player_to_change->getRank()->getGuild()->getName() || $guild_leader)
Replace with:
PHP:
if($guild->getName() == $player_to_change->getRank()->getGuild()->getName())

MyAAC

Edit system/pages/guilds/change_rank.php. Find ( myaac/change_rank.php at master · otsoft/myaac (https://github.com/otsoft/myaac/blob/master/system/pages/guilds/change_rank.php#L89) ):
PHP:
if($guild->getName() === $player_to_change->getRank()->getGuild()->getName() || $guild_leader)
Replace with:
PHP:
if($guild->getName() === $player_to_change->getRank()->getGuild()->getName())
Thank you :D i love you
 
Bug: Guild owner can move players from other guilds to his own by changing their 'rank'.
By abusing this bug, he can destroy wars. He can move all players from other guild, including owner of guild, which makes guild members list empty.

FIX

Gesior2012

Edit pages/guilds.php. Find ( Gesior2012/guilds.php at master · gesior/Gesior2012 (https://github.com/gesior/Gesior2012/blob/master/pages/guilds.php#L343) ):
PHP:
if($guild->getName() == $player_to_change->getRank()->getGuild()->getName() || $guild_leader)
Replace with:
PHP:
if($guild->getName() == $player_to_change->getRank()->getGuild()->getName())

MyAAC

Edit system/pages/guilds/change_rank.php. Find ( myaac/change_rank.php at master · otsoft/myaac (https://github.com/otsoft/myaac/blob/master/system/pages/guilds/change_rank.php#L89) ):
PHP:
if($guild->getName() === $player_to_change->getRank()->getGuild()->getName() || $guild_leader)
Replace with:
PHP:
if($guild->getName() === $player_to_change->getRank()->getGuild()->getName())
Thank you!
 
This bug is in acc. maker since 12 March 2008:

14 years to find simple security bug :confused:
 
This bug is in acc. maker since 12 March 2008:

14 years to find simple security bug :confused:
It's rather 14 years to discover, not to find, unless you were looking for it that whole time.
 
gesior proofed through the years to be one of the most people who cares about the community, thanks man and keep it up :)
 
It's rather 14 years to discover, not to find, unless you were looking for it that whole time.
I did not review code logic after 2012 release, but a lot of hackers did.
There were many hacks of servers that used some 'custom gesior2012' with bugged scripts. Someone had to find all these bugs.
 
Back
Top