[Plus Emulator] Bot Speech Exploit Fix

Initiate Mage
Joined
Nov 7, 2017
Messages
4
Reaction score
1
Hi RaGEZONE,
I recently came across an "exploit" that allows users to bypass the bad HTML filter on bot speech setup.
Normally for example <font size="200"> and </font> would be blocked, but by simply using <FONT SIZE="200"> and </FONT> in capitals, you can bypass the filter. I also believe you can work around it with other variations too like "FoNT" or "fOnT" - but I do not remember. 200 is not the font size limit, you can make it go much higher and take up the whole screen. I have not tested this with a lot of other HTML, but I'm sure this could be used to do much more malicious things.


Here's the fix which completely removes any form of string upon saving bot speeches.

Go to SaveBotActionEvent.cs and find:
Code:
for (int i = 0; i <= SpeechData.Length - 1; i++)
{
    using (IQueryAdapter dbClient = DatabaseManager.GetQueryReactor())

Replace that with:

Code:
// Needs "using System.Text.RegularExpressions;" at the top of the file.
for (int i = 0; i <= SpeechData.Length - 1; i++)
{
    // Strip anything between '<' and '>' before the speech line is saved.
    SpeechData[i] = Regex.Replace(SpeechData[i], "<(.|\\n)*?>", string.Empty);
    using (IQueryAdapter dbClient = DatabaseManager.GetQueryReactor())

Happy days.
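
An added example, not part of the original post and not Plus Emulator code: it runs a case-sensitive blocklist next to the regex from the fix on the inputs discussed above. The blocklist is a hypothetical stand-in for the bypassed filter, and the class name, the sample strings and the extra bracket-stripping step are assumptions made for illustration.

```csharp
using System;
using System.Text.RegularExpressions;

static class BotSpeechFilterDemo
{
    // Hypothetical stand-in for the bypassed filter: exact, case-sensitive matches only.
    static readonly string[] Blocked = { "<font size=\"200\">", "</font>" };

    static string CaseSensitiveBlocklist(string s)
    {
        foreach (string tag in Blocked)
            s = s.Replace(tag, string.Empty); // string.Replace compares ordinally
        return s;
    }

    // The regex from the post: removes every <...> span, whatever the letter case.
    // (.|\n) is needed because '.' does not match a newline by default.
    static string StripTags(string s) =>
        Regex.Replace(s, "<(.|\\n)*?>", string.Empty);

    // Added hardening (assumption, not in the post): also drop stray angle
    // brackets, so a tag left without its closing '>' is not stored either.
    static string StripTagsAndBrackets(string s) =>
        StripTags(s).Replace("<", string.Empty).Replace(">", string.Empty);

    static string Show(string s) => "\"" + s.Replace("\n", "\\n") + "\"";

    static void Main()
    {
        string[] samples = // constructed inputs
        {
            "<font size=\"200\">hi</font>",
            "<FONT SIZE=\"200\">hi</FONT>",
            "<FoNt\nsize=\"200\">hi</fOnT>",
            "hi <font size=\"200\"", // no closing '>'
        };

        foreach (string s in samples)
        {
            Console.WriteLine("input            : " + Show(s));
            Console.WriteLine("  blocklist      : " + Show(CaseSensitiveBlocklist(s)));
            Console.WriteLine("  regex strip    : " + Show(StripTags(s)));
            Console.WriteLine("  strip+brackets : " + Show(StripTagsAndBrackets(s)));
        }
    }
}
```

The blocklist only cleans the lower-case input, while the regex cleans every complete tag in one pass. The last sample passes through the regex unchanged because it contains no closing '>', which is the case the extra bracket step covers.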
 
Initiate Mage
Joined
Nov 7, 2017
Messages
4
Reaction score
1
This is old news. Already fixed clientside I thought. Which Habbo.swf revision were you using?
Plus Revision 2, not sure which production though. Can check this later if I can be fucked.

Fixing it serverside is always better than letting the client handle stuff like this. It's OK as a first measure against invalid input, but the server should always do it too!
True.
 
Initiate Mage
Joined
Dec 30, 2013
Messages
19
Reaction score
1
I've tested this bug on Plus Emulator R2 by Sledmore and it is affected.

EDIT: Thank you for this fix.
 