
POT security warning!

Recently an important security hole was found in POT (for newbies: Gesior/Unnamed AAC use it) which displays database connection information. Here's a quick solution for XAMPP users from Xampy, which everyone using POT for their AAC should apply:

(...) I will tell you how to prevent hacks on your server:

MySQL Users
Go to C:\xampp\htdocs\pot and open the file OTS_DB_MySQL. Go to line 96 or so and:
Change:
Code:
        // PDO constructor
        parent::__construct('mysql:' . implode(';', $dns), $user, $password);
    }
with:
Code:
        // PDO constructor
        try
        {
            parent::__construct('mysql:' . implode(';', $dns), $user, $password);
        }
        catch(PDOException $error)
        {
            // stop here with a generic message instead of letting PHP print the exception
            echo 'Can\'t connect to MySQL database.';
            exit;
        }
    }
And save the file.



SQLite Users
Go to C:\xampp\htdocs\pot and open the file OTS_DB_SQLite. Go to line 54 or so and:
Change:
Code:
        // PDO constructor
        parent::__construct('sqlite:' . $params['database']);
with:
Code:
        // PDO constructor
        try
        {
            parent::__construct('sqlite:' . $params['database']);
        }
        catch(PDOException $error)
        {
            // stop here with a generic message instead of letting PHP print the exception
            echo 'Can\'t connect to SQLite database.';
            exit;
        }
And save the file.

Basically, the file names DO NOT change if you don't use XAMPP, only the path (which is logical, btw...) to the POT directory.
 
Well yes, I've had this fix for ages.

But I'm getting even more depressed every day about people's MySQL knowledge, which is... I won't even comment on it.

Even if someone has the password, if MySQL is set for localhost connections only or the MySQL port is blocked on the firewall, he can do shit ;)
 
NO! Never do that! Damn, how many times does it have to be said until people understand? No, it's not a POT security leak. It's the final scripts' (like Gesior AAC, Unnamed AAC) duty to deal with it, and they should handle the exceptions! This exception is there for a reason: to do exactly what it does, inform the script that the connection failed. It's not POT's fault that authors can't work with exceptions. Fix the AAC scripts, not the POT code. I recommend just setting an exception handler (not the best, but the least invasive way for the current situation):

PHP:
// handles critical exceptions
function exceptionHandler($exception)
{
    // fatal error; only fatals should be caught here so far
    // other exceptions will be caught inside try statements and displayed on a user-friendly page
    die('<pre style="font-weight: bold;">FATAL ERROR: ' . $exception->getMessage() . '</pre>');
}

set_exception_handler('exceptionHandler');

And no, this won't be fixed. This is not a _bug_. Learn how to work with exceptions!
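
As an added example that is not part of this thread nor of POT, Gesior AAC or Unnamed AAC: the two layers of handling argued about above, written the way an AAC built on POT should do it. The configuration values and the connectDatabase() helper are hypothetical; a real AAC would construct OTS_DB_MySQL instead of PDO directly. The reason the default behaviour leaks is that PHP's output for an uncaught exception includes a stack trace with call arguments, and for PDO::__construct those arguments are the DSN, user name and password; the PDOException message itself also names the user and host. Neither may reach the browser, so the full detail goes to the server log and the visitor gets a generic message.

```php
<?php
// Added example, not POT's or any AAC's own code.
// Assumption: POT's OTS_DB_MySQL extends PDO and lets the PDOException
// thrown by PDO::__construct propagate to the caller.

// Layer 1: a global fallback for anything not caught lower down.
// Deliberately prints neither $e->getMessage() nor $e->getTraceAsString():
// the message names the DB user and host, and the trace would show the
// arguments of PDO::__construct, i.e. the DSN, user and password.
set_exception_handler(function ($e) {
    error_log(sprintf(
        '[aac] uncaught %s: %s in %s:%d',
        get_class($e), $e->getMessage(), $e->getFile(), $e->getLine()
    ));
    http_response_code(500);
    echo '<pre style="font-weight: bold;">FATAL ERROR: the site is temporarily unavailable.</pre>';
    exit;
});

// Constructed sample configuration (hypothetical values, not a real server).
$config = array(
    'host'     => 'localhost',
    'user'     => 'otserv',
    'password' => 'change-me',
    'database' => 'otserv',
);

// Layer 2: catch the connection failure where it happens.
function connectDatabase(array $config)
{
    $dsn = sprintf('mysql:host=%s;dbname=%s', $config['host'], $config['database']);
    try {
        // In a real AAC: new OTS_DB_MySQL(...). Plain PDO keeps the example stand-alone.
        return new PDO($dsn, $config['user'], $config['password'], array(
            PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        ));
    } catch (PDOException $e) {
        // Full detail (SQLSTATE, user, host) goes to the server log only...
        error_log('[aac] database connection failed: ' . $e->getMessage());
        // ...and the exception that continues upward carries no connection details.
        throw new RuntimeException('Cannot connect to the database.');
    }
}

$db = connectDatabase($config);
```

With display_errors also turned off in php.ini, a failed connection now produces one log line for the administrator and a generic page for the visitor, whichever of the two layers ends up handling it.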

Totally Agree >.>

Gesior AAC is IMHO written very poorly :X and should generally be rewritten.
 
Help, I need the complete guide to create the website with SQL.
 
I use XAMPP... but I can't find
C:\xampp\htdocs\pot... the pot isn't there.

I'm new at MySQL so I don't really know.
 
I use XAMPP... but I can't find
C:\xampp\htdocs\pot... the pot isn't there.

I'm new at MySQL so I don't really know.

If you don't have Gesior AAC or any other AAC that uses POT, then you're fine. Otherwise you'll have to add exception handling to the AAC (like wrzasq said), or you would have to do what Xampy said.
 
Yeah.. Gesior AAC sucks..

I'd like to see you make one yourself, and then make fun of Gesior AAC. I bet you can't, so stfu if you're saying something is bad while you can't do it better yourself.
 
I use XAMPP... but I can't find
C:\xampp\htdocs\pot... the pot isn't there.

I'm new at MySQL so I don't really know.

Then you don't have an AAC with POT, so you don't need to change anything.
 
What if I have POT but the stuff to change isn't there...

Or maybe I am using stuff that's too "new", so it's different. What to do then?
 
Hey! Thank you very much; finally, security for my OT servers. Thank you for all this.

Trejo~
 