
POT security warning!

Recently it was found that there's an important security hole in POT (for newbies: Gesior/Unnamed AAC uses it) which displays database connection information. Here's a fast solution for XAMPP users from Xampy, which everyone using POT for their AAC should apply:

(...) I will tell you how to prevent hacks on your server:

MySQL Users
Go to C:\xampp\htdocs\pot and open the file OTS_DB_MySQL. Go to line 96~ and:
Change:
Code:
        // PDO constructor
        parent::__construct('mysql:' . implode(';', $dns), $user, $password);
    }
with:
Code:
        // PDO constructor, wrapped so a failed connection does not end in an
        // uncaught PDOException (its stack trace would show the credentials)
        try
        {
            parent::__construct('mysql:' . implode(';', $dns), $user, $password);
        }
        catch(PDOException $error)
        {
            echo 'Can\'t connect to MySQL database.';
            exit;
        }
    }
And save the file.



SQLite Users
Go to C:\xampp\htdocs\pot and open the file OTS_DB_SQLite. Go to line 54~ and:
Change:
Code:
        // PDO constructor
        parent::__construct('sqlite:' . $params['database']);
with:
Code:
        // PDO constructor, wrapped so a failed connection does not end in an
        // uncaught PDOException (its stack trace would show the connection details)
        try
        {
            parent::__construct('sqlite:' . $params['database']);
        }
        catch(PDOException $error)
        {
            echo 'Can\'t connect to SQLite database.';
            exit;
        }
And save the file.

Basically, the file names DO NOT change if you don't use XAMPP, only the path (which is logical, btw...) to the POT directory.
 
I must say your DB is poorly configured if this actually enables anyone to hack your database. You should configure the OT web user so it can only connect from the web server IP. If you entered root@* as the website user it's your own damn fault. (In fact I would say it's the AAC's fault for not complaining about such an OBVIOUS security vulnerability, preferably in giant red text across the top of the screen on every page)
 
Check Wrzasq's and Gesior's posts and you will see that you are all wrong -.-

He says that his AAC isn't safe if you don't change that:
IS NOT safe, add this fix to POT in acc. maker, I'll post a new version of acc. maker on 20.06.2009 with another way to fix this bug (as Wrzasq said, acc. maker should 'handle the exception')
 
You can also safely use $e->getMessage() in the exception for error handling; I'm using that in TFSCMS (no, it's not using POT, but PDO is an option for those who want to use it). In case anyone is interested, here is my PDO database class (with the error handling part in bold):
Code:
<?php
/* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
 * TFSCMS - The Forgotten Server Content Management System
 * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
 * Copyright (c) Mark Samman 2008 - 2009 <[email protected]>
 * All Rights Reserved.
 * This file may not be redistributed in whole or significant part.
 * http://otland.net
 * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */

class Database_PDO extends Database
{
	private $pdo;

	public function __construct()
	{
		global $config;
		try {
			$this->pdo = new PDO('mysql:dbname=' . $config['sqlDatabase'] . ';host=' . $config['sqlHost'], $config['sqlUser'], $config['sqlPassword']);
		} catch (PDOException $e) {
			unset($this->pdo);
			die('<span style="font-weight: 700">Database connection failed, reason:</span><br /><pre>	' . $e->getMessage() . '</pre>');
		}
	}

	public function __destruct()
	{
		if ($this->pdo)
			unset($this->pdo);
	}

	public function query($str)
	{
		try {
			$result = $this->pdo->query($str);
		} catch (PDOException $e) {
			die('<span style="color: #C00"><span class="bold">Error: </span>' . $e->getMessage() . '<br />Query: ' . $str . '</span>');
		}
		return $result;
	}

	public function escapePatternString($str)
	{
		return $this->pdo->quote('%' . str_replace('%', '\\%', str_replace('_', '\\_', $str)) . '%');
	}

	public function escapeString($str)
	{
		return $this->pdo->quote($str);
	}

	public function getNumRows($result)
	{
		return $result->rowCount();
	}

	public function fetchRow($result)
	{
		return $result->fetch();
	}

	public function freeResult($result)
	{
		$result->closeCursor();
		unset($result);
	}
}
?>
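Added example (not code from the thread, from POT or from TFSCMS) tying together Xampy's fix and the post above about $e->getMessage(): it shows why the bare PDO constructor leaked credentials and what the catch block should and should not print. The config keys and all host/user/password values are constructed placeholders.

```php
<?php
// Added example: a connection helper that catches the PDOException the PDO
// constructor throws on failure and keeps the details off the page.
// Config keys and values below are constructed placeholders, not POT's.

function connectDatabase(array $cfg)
{
    $dsn = 'mysql:host=' . $cfg['host'] . ';dbname=' . $cfg['database'];
    try {
        // On a failed connection PDO::__construct() throws PDOException.
        $pdo = new PDO($dsn, $cfg['user'], $cfg['password']);
    } catch (PDOException $e) {
        // Left uncaught with display_errors=On (the XAMPP default), PHP prints
        // the stack trace to the browser, and the frame for PDO->__construct()
        // lists its arguments: the DSN, the user name and the password.
        // That trace is the leak this thread is about. (PHP 8.2 and later mark
        // the password parameter sensitive and redact it; older versions print it.)
        //
        // getMessage() only carries the driver text, e.g.
        // "SQLSTATE[HY000] [1045] Access denied for user 'ots_web'@'localhost' (using password: YES)"
        // so it names the user and host but never the password. Log it server-side
        // and show the visitor a generic message instead.
        error_log('Database connection failed: ' . $e->getMessage());
        exit('Can\'t connect to the database.');
    }
    // Make later queries throw too, so a failure cannot be silently ignored.
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    return $pdo;
}

// Constructed sample configuration; use a dedicated least-privilege account
// that may only connect from the web server's address, never root@%.
$config = [
    'host'     => '127.0.0.1',
    'database' => 'otserv',
    'user'     => 'ots_web',
    'password' => 'placeholder-password',
];
$db = connectDatabase($config);
```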

GESIOR bug, not POT.

Hi, bye.

Gesior is using POT (not sure if it's using the latest version though so I can't really blame POT for this), and if SQL connection fails it will throw up your password.
 
Sorry for this nooby question xD :- I opened that file using WordPad and I've changed it, and when I save it shows a warning, blabla about the formatting of the file. I clicked yes, it's OK to do that, right?
 
Mmmm, yes... xD (Gesior & Elf too if he wants, but me too! :().
 
Elf is a hacker o_O. Maybe he put a bug in it so he can hack every OT he wants! Most people don't know the code anyway :D
 
Sorry for this nooby question xD :- I opened that file using WordPad and I've changed it, and when I save it shows a warning, blabla about the formatting of the file. I clicked yes, it's OK to do that, right?

Note that you shouldn't paste it below the old line; you should remove the line and then copy and paste the text/code in its place.

@ Master-m: It's not that hard to read :D
 
@Chipsen:
Thanks!

@Master-m:
Elf a hacker :eek: [0MG] xDDD
 