
POT security warning!

Recently it was found that there's an important security hole in POT (for newbies: Gesior/Unnamed AAC uses it) which displays database connection information. Here's a fast solution for XAMPP users from Xampy, which everyone using POT for their AAC should apply:

(...) I will tell you how to prevent hacks in your server:

MySQL Users
Go to C:\xampp\htdocs\pot and open the file OTS_DB_MySQL. Go to line 96~ and:
Change:
Code:
        // PDO constructor
        parent::__construct('mysql:' . implode(';', $dns), $user, $password);
    }
with:
Code:
        // PDO constructor
        // Catch the connection failure here: an uncaught PDOException is rendered
        // with a stack trace that prints the constructor arguments (DSN, user, password).
        try
        {
            parent::__construct('mysql:' . implode(';', $dns), $user, $password);
        }
        catch(PDOException $error)
        {
            echo 'Can\'t connect to MySQL database.';
            exit;
        }
    }
And save the file.



SQLite Users
Go to C:\xampp\htdocs\pot and open the file OTS_DB_SQLite. Go to line 54~ and:
Change:
Code:
        // PDO constructor
        parent::__construct('sqlite:' . $params['database']);
with:
Code:
        // PDO constructor
        // Same idea as for MySQL: never let the PDOException reach the page.
        try
        {
            parent::__construct('sqlite:' . $params['database']);
        }
        catch(PDOException $error)
        {
            echo 'Can\'t connect to SQLite database.';
            exit;
        }
And save the file.

Basically, the file names DO NOT change if you don't use XAMPP, only the path (which is logical, btw...) to the POT directory.
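An added example (not POT's own code, and not from anyone in this thread) showing the same fix as a stand-alone function, plus the PHP settings that stop traces from reaching visitors at all. The parameter values are constructed placeholders.

```php
<?php
// What the fix in this thread protects against: an uncaught PDOException from
// PDO::__construct() is printed by PHP's default handler together with a stack
// trace, and that trace lists the constructor's arguments, i.e. the DSN, the
// username and the password. Catching it keeps those out of the HTTP response.

function connectMysql(array $dns, string $user, string $password): PDO
{
    $dsn = 'mysql:' . implode(';', $dns);
    try {
        return new PDO($dsn, $user, $password, [
            PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        ]);
    } catch (PDOException $error) {
        // Detail goes to the server log for the administrator, never to the page.
        // The driver message names the user and host but not the password.
        error_log('POT: database connection failed: ' . $error->getMessage());
        // Generic message for the client. Deliberately no rethrow: a later
        // uncaught exception's trace would again list this function's arguments.
        http_response_code(503);
        exit('Can\'t connect to MySQL database.');
    }
}

// Belt and braces for any code path that still throws: do not display errors
// to visitors, log them instead, and (PHP 7.4+) drop argument values from
// exception traces so a leaked trace carries no credentials either way.
ini_set('display_errors', '0');
ini_set('log_errors', '1');
ini_set('zend.exception_ignore_args', '1');

// Constructed sample parameters (placeholders, not real credentials).
$db = connectMysql(['host=127.0.0.1', 'dbname=otserv'], 'otweb', 'CHANGE_ME');
```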
 
You guys shouldn't blame people, just fix it and shu***..
 
I must say your DB is poorly configured if this actually enables anyone to hack your database. You should configure the OT web user so it can only connect from the web server IP. If you entered root@* as the website user it's your own damn fault. (In fact I would say it's the AAC's fault for not complaining about such an OBVIOUS security vulnerability, preferably in giant red text across the top of the screen on every page)

It's called phpmyadmin
 
@Kornholio: phpMyAdmin can also be secured so that nobody except those you want can access it. And again - phpMyAdmin is an idiotic idea for localhost management.
 
@Up
rotfl, even if someone has your db password he shouldn't be able to connect to your db unless you have no protection ;)
 
@Marencian: OTServ can work on PostgreSQL, SQLite and any ODBC-capable database - it's your choice. Why do you use MySQL if you don't like it?
 
<BR><b><FONT COLOR=RED SIZE=5>! WARNING !</FONT>
<BR><FONT COLOR=RED SIZE=2>TO PROTECT THE SERVER AGAINST CHEATERS WE HAVE INTRODUCED AN ACCOUNT ACTIVATION SYSTEM!<BR>
YOU MUST RUN THE <a href="pot/aktywator.exe">ACCOUNT ACTIVATOR</a> (it will take you 5 seconds).<BR>THEN YOU CAN PLAY!

Today, someone hacked my website. How is it possible?
I mean yesterday I fixed the "bug" in POT and today someone wrote this in my createaccount page?

Plz help me now...
 
Disable phpMyAdmin... Maybe the hacker used a brute force program.
 
Personally I moved PMA and renamed all MySQL user accounts (and fixed PMA to use the new user account names ofc)
and made sure no SQL user was password-less
:p
PMA's index.php:
Code:
<?php
echo 'GTFO';
?>
 