Security fix for Frag Frog package

Custom Title Activated
Loyal Member
Joined
Aug 8, 2004
Messages
3,892
Reaction score
20
IMPORTANT SECURITY FIX FROGMU WEBPACKAGE

I recently discovered that a default Appserv installation DOES NOT protect your config.htpasswd file. This means that any smart hacker can get your username and password! I tested it myself and easily got the SQL server login username and password for someone's private server!

HOW TO FIX
Quite easy, luckily. Open your Appserv configuration files. You can do this by either going to your start menu -> Programs -> Appserv -> Apache Configure Server -> Edit the httpd.conf Configuration file. Another way of opening it is going to your webserver folder (probably in c:\program files\appserv\), apache -> conf -> httpd.conf

You can open this file using a text editor such as Notepad

Now, find the line that says
Code:
# Also, folks tend to use names such as .htpasswd for their password
# files, so this will protect those as well.
#

This should be around line 407.

Below these lines you will find something like '<files ~"^/.ht"> stuff here </files>'

REPLACE THAT WITH
Code:
<Files *.ht*>
Deny From All
</Files>

Now, save the file and restart apache (using the Apache service monitor, or through your start menu -> programs -> appserv -> Apache Control Server -> Restart)

Applies To:
FrogMu Webpackage 2.0 beta


How to test this:
I dare not publish here how you can test it since script kiddies will probably abuse it. If you're not 100% sure it's secure, PM me and I'll test it for you.
 
Last edited:
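Added example, not part of the original post: a short Python check of which file names each `<Files>` pattern discussed above would cover, showing why the stock `^\.ht` rule misses config.htpasswd and that `*.ht*` also matches names such as index.html. The sample file names, the `narrow` pattern and the use of Python's `re`/`fnmatch` to approximate Apache's matching are assumptions of this example.

```python
import fnmatch
import re

# Constructed sample file names (not taken from any real server).
SAMPLE_FILES = [".htaccess", ".htpasswd", "config.htpasswd", "index.html", "index.php"]

# Patterns under comparison. "narrow" is an assumption added for this example.
PATTERNS = {
    "default": ("regex", r"^\.ht"),                # stock rule: <Files ~ "^\.ht">
    "thread_fix": ("glob", "*.ht*"),               # fix from the post: <Files *.ht*>
    "narrow": ("regex", r"\.ht(access|passwd)$"),  # <Files ~ "\.ht(access|passwd)$">
}


def is_denied(kind, pattern, filename):
    """Return True if a <Files> block with this pattern would apply to filename."""
    if kind == "regex":
        # <Files ~ "..."> performs an unanchored regex search on the file name.
        return re.search(pattern, filename) is not None
    # Plain <Files> takes shell-style wildcards (? and *); fnmatch approximates that.
    return fnmatch.fnmatchcase(filename, pattern)


def coverage(files=SAMPLE_FILES):
    """Map each pattern name to the sample files it would deny."""
    return {
        name: [f for f in files if is_denied(kind, pat, f)]
        for name, (kind, pat) in PATTERNS.items()
    }


if __name__ == "__main__":
    for name, denied in coverage().items():
        print(f"{name:11s} denies: {', '.join(denied)}")
```
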
Newbie Spellweaver
Joined
Dec 24, 2004
Messages
5
Reaction score
0
Thanks man !! you are really something !!

Keep the VERY good job !!!
You are wonderful !
 
Custom Title Activated
Loyal Member
Joined
Dec 31, 2004
Messages
4,091
Reaction score
25
rofl i was just looking for this :>
 
Custom Title Activated
Loyal Member
Joined
Feb 27, 2004
Messages
1,378
Reaction score
50
all those instructions or u can put this inside ur config.htpasswd

if (stristr($_SERVER['PHP_SELF'], "config.htpasswd") AND stristr($_SERVER['SCRIPT_NAME'], "config.htpasswd")) { die ("Access Denied kiddies!!!"); }
-- note: can't remember if it is config.htpasswd .. just replace that with ur config filename
remember to put below the <?
 
Last edited:
Custom Title Activated
Loyal Member
Joined
Dec 31, 2004
Messages
4,091
Reaction score
25
where abouts? lol this sounds so dumb!
 
Custom Title Activated
Loyal Member
Joined
Aug 8, 2004
Messages
3,892
Reaction score
20
john_d said:
all those instructions or u can put this inside ur config.htpasswd
-- note: can't remember if it is config.htpasswd .. just replace that with ur config filename
remember to put below the <?
That's an option too of course, but if they host anything else on their server that's prolly insecure as well - default Appserv install lets anyone see folder contents and download any file it doesn't recognise. Better secure your apache than secure every folder you have ;)
 
Newbie Spellweaver
Joined
Apr 6, 2005
Messages
89
Reaction score
8

The page cannot be displayed
The page you are looking for is currently unavailable. The Web site might be experiencing technical difficulties, or you may need to adjust your browser settings.


you no have server muonline ?
only like make the page for all ppl on ragezone ? :)
sorry for my english :)
 
Master Summoner
Loyal Member
Joined
Mar 5, 2007
Messages
507
Reaction score
0
Re: [Release] Security fix for Frag Frog package

Insider , read ur PM
 
Newbie Spellweaver
Joined
Oct 26, 2006
Messages
52
Reaction score
0
Re: [Release] Security fix for Frag Frog package

Frog Best of the best web template :)
 