
MyAAC v0.8.6

slaw
MyAAC Creator
Hello everybody!

An issue has been discovered recently that can lead to a complete takeover of your server.

If you are using any version of MyAAC starting from 0.8.0 up to 0.8.5 (this issue has been fixed in 0.8.6) read below!!!

If you see on the Plugins page in your Admin Panel that the plugin "Security Patch #2020-06-21-01" has been installed, that means you are safe.

The fix is available on GitHub, apply as needed: This is the actual security fix · slawkens/myaac@a2a773d (https://github.com/slawkens/myaac/commit/a2a773d714509654d95f6b559c186db29ce1eafb)

I automatically patched over 80 websites using MyAAC. But there may still be some websites under development that don't know about this.
So I am writing this post to make you safe against this vulnerability.
 

Shadow_

Lmao, so it was you. This guy is dangerous xD. From nowhere I found security log and updated on my site, cool breakthrough if you didn't add like a patching system or something in MyAAC. Btw, thanks for the fix!
 

Chriistian.L.B

Some of my pages stopped working after this commit; the report is that the page is not found, but just my shop page. Do you know how I can fix it?
 

GOD Coke

I just started using MyAAC and installed everything fine, but when I create an account the passwords are encrypted in another way than sha1, and in the config.lua I have sha1. I use TFS 0.4, what should I do?
 

Elgenady

Go to your database and remove salt from the accounts table, then in config.local.php set env to "dev". Then you will need to create the account again and try to log in.

Edit: don't remove the account that has the druid and knight sample characters.
 

Itutorial

The future is here! Let people completely take over your server!
 

Leesne

I haven't had a look at Znote; no platform or AAC is ever 100% secure.
Znote and MyAAC have had a lot of effort put into them to ensure they are secure (I haven't used other AACs so cannot judge).

No one was aware this issue even existed, and the only person I told was Slaw after I discovered it.
If it hadn't been announced and silently patched out in future updates, no one would have even been aware of it (it's been in many versions).
 

Leesne

Maybe send an email to the email in the notice.
It was silently patched because if users were made aware of it they could exploit it on the top websites and take over a server however they deemed fit.
Much better than me saying "HEY EVERYONE JUST SO YOU KNOW IF YOU XYZ YOU CAN TAKE OVER A SERVER".

I think it was handled by Slaw, exactly how it should have been.
 

pink_panther

I was replying to a comment that was removed :/

Makes no sense now.
 

Raikou

@slaw
I think the part from character creation with the skills isn't working properly:
CreateCharacter.php
PHP:
        for($skill = POT::SKILL_FIRST; $skill <= POT::SKILL_LAST; $skill++)
            $player->setSkill($skill, 10);

Even though my example knight/paladin have 30 shielding, they will always get the skill 10 as set above.
Is it possible to also set the right skills from the example characters?
 

Leesne

PHP:
$player->setSkill($skill, $char_to_copy->getSkill($skill));

Try something like that.
 

Alkenyx

Is it possible to show only the monsters I have in my spawn-file?
If it's the basic setting, how can I get it back after using this plugin?
 