
POT security warning!

Status: Not open for further replies.
Recently an important security hole was found in POT (for newbies: Gesior/Unnamed AAC use it) which displays the database connection information. Here's a quick solution for XAMPP users from Xampy, which everyone using POT for their AAC should apply:

(...) I will tell you how to prevent hacks on your server:

MySQL Users
Go to C:\xampp\htdocs\pot and open the file OTS_DB_MySQL. Go to around line 96 and:
Change:
Code:
        // PDO constructor
        parent::__construct('mysql:' . implode(';', $dns), $user, $password);
    }
with:
Code:
        // PDO constructor, wrapped so a failed connection is not reported as an
        // uncaught exception (whose stack trace would show the DSN, user and password)
        try
        {
            parent::__construct('mysql:' . implode(';', $dns), $user, $password);
        }
        catch(PDOException $error)
        {
            echo 'Can\'t connect to MySQL database.';
            exit;
        }
    }
And save the file.



SQLite Users
Go to C:\xampp\htdocs\pot and open the file OTS_DB_SQLite. Go to around line 54 and:
Change:
Code:
        // PDO constructor
        parent::__construct('sqlite:' . $params['database']);
with:
Code:
        // PDO constructor, wrapped so a failed connection is not reported as an
        // uncaught exception (whose stack trace would show the database path)
        try
        {
            parent::__construct('sqlite:' . $params['database']);
        }
        catch(PDOException $error)
        {
            echo 'Can\'t connect to SQLite database.';
            exit;
        }
And save the file.

Basically, the file names DO NOT change if you don't use XAMPP, only the path (which is logical, btw...) to the POT directory.
 
Thanks a lot! Omg, now I know how a guy hacked my site and everything :p
 
Thanks for this, I changed my DB_MySQL in the pot folder immediately when I saw this thread.
 
NO! Never do that! Damn, how many times does it have to be said until people understand? No, it's not a POT security leak. It's the final scripts' (like Gesior AAC, Unnamed AAC) duty to deal with it, and they should handle the exceptions! This exception is there for a reason - to do exactly what it does - inform the script that the connection failed. It's not POT's fault that authors can't work with exceptions. Fix the AAC scripts, not the POT code. I recommend just setting an exception handler (not the best, but the least invasive way for the current situation):

PHP:
<?php
// handles critical exceptions
function exceptionHandler($exception)
{
    // fatal error; so far only fatals should be caught here,
    // other exceptions will be caught inside try statements and displayed in a user-friendly page
    die('<pre style="font-weight: bold;">FATAL ERROR: ' . $exception->getMessage() . '</pre>');
}

set_exception_handler('exceptionHandler');

And no, this won't be fixed. This is not a _bug_ - learn how to work with exceptions!
 
Wrzasq is right. The AAC scripters should secure their scripts. GesiorAAC, for example, is secured by this code:
PHP:
// connect to MySQL database
try
{
    $ots->connect(POT::DB_MYSQL, array('host' => $mysqlhost, 'user' => $mysqluser, 'password' => $mysqlpass, 'database' => $mysqldatabase));
}
catch(PDOException $error)
{
    echo 'Database error - can\'t connect to MySQL database. Possible reasons:<br>1. MySQL server is not running on host.<br>2. MySQL user, password, database or host isn\'t configured in: <b>' . $config['site']['server_path'] . 'config.lua</b> .<br>3. MySQL user, password, database or host is wrong.';
    exit;
}

PDO in POT is configured to throw exceptions, and the code above catches the PDOException, so no connection data will be shown in the error report if an error occurs.
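To make the mechanism behind the thread concrete, here is an added, stand-alone example; it is not POT, Gesior AAC or any poster's code. It puts the unsafe pattern the OP describes (a connection exception nobody catches) next to the application-side handling Wrzasq and the last reply recommend: catch the PDOException where POT is called, log the real cause on the server, and show the visitor only a generic message. The host, user, password and database values are placeholders, and failSafely(), connectMysql() and connectUnsafely() are names invented for this example.

```php
<?php
// Added example, not POT or Gesior code. Shows the leak the thread is about
// and the application-side handling the replies recommend.
// Credentials below are placeholders; failSafely(), connectMysql() and
// connectUnsafely() are names chosen for this example.

$dbConfig = [
    'host'     => '127.0.0.1',
    'user'     => 'otserv',
    'password' => 'hunter2',   // placeholder secret
    'database' => 'otserv',
];

/*
 * The leak: POT's PDO wrapper throws on connection failure. If nothing
 * catches the PDOException and display_errors is on (typical of a
 * development install such as XAMPP), PHP's "Uncaught PDOException" fatal
 * error output includes a stack trace with each frame's arguments, roughly:
 *
 *   #0 C:\xampp\htdocs\pot\OTS_DB_MySQL.php(96): PDO->__construct('mysql:host=127....', 'otserv', 'hunter2')
 *
 * i.e. host, user and password end up in the visitor's browser. The fix
 * belongs in the code that calls POT: catch the exception, log the detail
 * server-side, and print only a generic message.
 */

// Logs the real cause for the admin, prints only a generic message to the client.
// getMessage() alone can already reveal user and host, e.g.
// "SQLSTATE[HY000] [1045] Access denied for user 'otserv'@'localhost' (using password: YES)",
// so it is logged, never echoed.
function failSafely(Throwable $e, string $what): void
{
    error_log(sprintf('%s failed: %s at %s:%d', $what, $e->getMessage(), $e->getFile(), $e->getLine()));
    if (!headers_sent()) {
        http_response_code(500);
    }
    echo "Database error - can't connect to the database. Check the server configuration.\n";
    exit(1);
}

// Safety net for anything the AAC forgets to catch: same rule, no exception
// text reaches the client.
set_exception_handler(function (Throwable $e): void {
    failSafely($e, 'Unhandled exception');
});

// Safe pattern (the Gesior approach, but logging detail instead of printing it).
function connectMysql(array $cfg): PDO
{
    $dsn = sprintf('mysql:host=%s;dbname=%s;charset=utf8mb4', $cfg['host'], $cfg['database']);
    try {
        return new PDO($dsn, $cfg['user'], $cfg['password'], [
            PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,  // same mode POT uses
        ]);
    } catch (PDOException $e) {
        failSafely($e, 'MySQL connect');
    }
}

// Unsafe pattern from the OP: nothing catches the exception. Run with
// LEAK_DEMO=1 and no reachable MySQL server to see PHP's default output.
function connectUnsafely(array $cfg): PDO
{
    restore_exception_handler();  // drop the safety net to reproduce the original behaviour
    $dsn = sprintf('mysql:host=%s;dbname=%s', $cfg['host'], $cfg['database']);
    return new PDO($dsn, $cfg['user'], $cfg['password']);
}

$db = getenv('LEAK_DEMO') ? connectUnsafely($dbConfig) : connectMysql($dbConfig);
echo "Connected.\n";
```

Run it with `php example.php` on a machine without a reachable MySQL server (or without the pdo_mysql driver): the safe path prints only the generic line and the cause goes to the PHP error log. Run it with `LEAK_DEMO=1 php example.php` to see the uncaught-exception output with the constructor arguments in the trace. Two caveats for practitioners: a handler that echoes `$exception->getMessage()`, like the one posted above, still exposes the MySQL user and host on a connection failure, so log the message rather than printing it; and since PHP 7.4 the shipped `php.ini-production` sets `zend.exception_ignore_args = On`, which replaces trace arguments with `...`, so the credential leak depends on the ini the server actually runs with, not on PHP in general.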
 