kito2
www.masteria.net
I saw the updates on the latest revs (243--) but they are still useless, I got hacked before the update and now after the update... What is going on?
Hacking on modern...
- Thread starter kito2
- Start date
OP
OP
kito2
www.masteria.net
They create god accounts, god characters, create news at website... wtf?
Diazapam
!ROFLMAO!
Maybe they hacked you before the update and somewhere made themselfs an account already?
That doesn't mean the new update doesn't fix it.
That doesn't mean the new update doesn't fix it.
OP
OP
kito2
www.masteria.net
The hole/exploit I mean, I deleted all accounts with a higher group_id and also the players, updated to latest rev, and now they keep hacking.
Diazapam
!ROFLMAO!
Did you check for extra users in you mysql?
OP
OP
kito2
www.masteria.net
Oh yeah, and nothing wrong there...
Nostradamus
Member
- Joined
- Jun 2, 2007
- Messages
- 219
- Reaction score
- 6
kito2,
I have finished a security check on ModernAAC some days ago (after my friend got hacked) and i see that you are right: ModernAAC still got tons of security holes. That bug in the rev 243 is a simple SQL injection since Code Igniter shows the error messages, but there are more. You'll have to choose:
1) go to Gesior (people are saying that Gesior has problems, but some guys released a 'safe' version, which i can't say if it is safe right now)
2) wait for ModernAAC (by PAXTON, stian, Znote), OTAAC (by me) release or even PANDAAAC (by Chris). Since you can't wait, you can help on development of those AACs by donating to the developers which is making it for free
3) continue with ModernAAC and see what happens
I have finished a security check on ModernAAC some days ago (after my friend got hacked) and i see that you are right: ModernAAC still got tons of security holes. That bug in the rev 243 is a simple SQL injection since Code Igniter shows the error messages, but there are more. You'll have to choose:
1) go to Gesior (people are saying that Gesior has problems, but some guys released a 'safe' version, which i can't say if it is safe right now)
2) wait for ModernAAC (by PAXTON, stian, Znote), OTAAC (by me) release or even PANDAAAC (by Chris). Since you can't wait, you can help on development of those AACs by donating to the developers which is making it for free
3) continue with ModernAAC and see what happens
Paxton
Banned User
I fucking left for a while and see what happens for fuck sake
RealSoft
Banned User
lol to everyone that EXPECT modern/gesior to be safe..
Make you own fucking site if you want to be safe, don't expect to get a FREE page and it will be safe.... never expect that!...
Make you own fucking site if you want to be safe, don't expect to get a FREE page and it will be safe.... never expect that!...
Don't delete by group_id, but access. If you want a permanent fix then just remove the shuffolding from controllers/admin.php if you don't need it (people with phpmyadmin don't really need it).
Latest released version is 1.0.1 based on rev 190, and it's NOT affected by this bug. It just tell you that latest development rev is insecure, and thats rather common. Don't use SVN versions if you want security and stability.
Remove page_access from your GOD account, this will solve the problem.
The hacker only got access to your god account on website. Without knowing your username and password. So only because he can login to website, dosnt mean he can login in-game.
He logs into your admin panel, and by Scaffolding, he manages your database. He makes his own char group id 6 and logs in do whatever he want.
Also search for page_access 5. Because the hacker might have been giving his own account page access 5, making him able to go on admin panel do whatever he wants on your database, without being a gm or have a gm account.
Btw, 2 days ago (i think) i made a god char on your server and attempted to close it to avoid other hackers fucking it up. However I havent done anything to you else than that. I havent harmed your database. I broadcasted to players that they should get in contact with you so you could update the server.
(With the character: The Dude) I think.
Removing Scaffolding will still give the hacker access to latest news, post vulnerable php scripts etc.
The best way would be for now to just set page_access to 1 from database. And give your acc page access 5 when making new news and stuff, and then remove it.
The hacker only got access to your god account on website. Without knowing your username and password. So only because he can login to website, dosnt mean he can login in-game.
He logs into your admin panel, and by Scaffolding, he manages your database. He makes his own char group id 6 and logs in do whatever he want.
Also search for page_access 5. Because the hacker might have been giving his own account page access 5, making him able to go on admin panel do whatever he wants on your database, without being a gm or have a gm account.
Btw, 2 days ago (i think) i made a god char on your server and attempted to close it to avoid other hackers fucking it up. However I havent done anything to you else than that. I havent harmed your database. I broadcasted to players that they should get in contact with you so you could update the server.
(With the character: The Dude) I think.
Removing Scaffolding will still give the hacker access to latest news, post vulnerable php scripts etc.
The best way would be for now to just set page_access to 1 from database. And give your acc page access 5 when making new news and stuff, and then remove it.
Last edited:
Here is the "flow" he used:
Pre-update:
Hack your God, make new char with scaffolding with page_access
Post-update:
Login with his page_access char and use scaffolding.
UPDATE accounts SET page_access = 0 WHERE page_access > 0;
Pre-update:
Hack your God, make new char with scaffolding with page_access
Post-update:
Login with his page_access char and use scaffolding.
UPDATE accounts SET page_access = 0 WHERE page_access > 0;
Kayan
Active Member
SELECT *
FROM `accounts`
WHERE `page_access` >0
LIMIT 0 , 30
See if nobody still with acess > 0
FROM `accounts`
WHERE `page_access` >0
LIMIT 0 , 30
See if nobody still with acess > 0
report
New Member
- Joined
- May 21, 2010
- Messages
- 211
- Reaction score
- 2
Nostradamus
Member
- Joined
- Jun 2, 2007
- Messages
- 219
- Reaction score
- 6
Until all stop with that politic of including script plus scripts to boost websites with cool stuff without thinking on the consequences, this will happen. I was checking that both GesiorAAC and ModernAAC has serious issues related to XSS. I've checked deeply every $_POST and even $_REQUEST and i've seen that there is more possible issues. Also, the fix of the avatar upload in guild management of Gesior still is not safe, since it is not sufficient to check the extension of a file.
Still, there are ways of discoverying odd data changing on database by dataminig it with expect behaviors with triggers. I will try to write some and test with Trevours server, if it works, i might release it (or not).
You guys like to waste money on things for your servers: so i'd suggest to pay a good programmer to do a website. Get all together ot owners and do something, instead of only absorbing money from the work of developers.
Still, there are ways of discoverying odd data changing on database by dataminig it with expect behaviors with triggers. I will try to write some and test with Trevours server, if it works, i might release it (or not).
You guys like to waste money on things for your servers: so i'd suggest to pay a good programmer to do a website. Get all together ot owners and do something, instead of only absorbing money from the work of developers.
Last edited:
OP
OP
kito2
www.masteria.net
Thanks all, thanks Znote, thanks stian, now Im quiet...
Modern is the best AAC that I have used, and lot of people love using it... Maybe it should be for premium donators at otland, and you could have a % of the donations that are done...
Just an idea.
Modern is the best AAC that I have used, and lot of people love using it... Maybe it should be for premium donators at otland, and you could have a % of the donations that are done...
Just an idea.
Diazapam
!ROFLMAO!
Isn't there http://www.google.nl/search?hl=nl&&...pm3wL0F&ved=0CB0QvwUoAQ&q=possibility&spell=1a possibility to check every $_GET and $_POST for its contents, trim em and return em as $getoutput['name'] or $postoutput['name'].
Than with new scripts users can just use the $getoutput and $postoutput for their query's etc.
Just an idea I think would be possible.
Than with new scripts users can just use the $getoutput and $postoutput for their query's etc.
Just an idea I think would be possible.
OP
OP
kito2
www.masteria.net
I thought that TFS receive a % of the donations :S
Yea, we already remove alot of injection methods etc. Previously we add slashes to all post things, but it caused problems with POT features.
No, but many seem to believe that.
