[How To] Habbo Hotel Security/Optimize Performance [Important]
HabboHotel - Security
During my brief time in the HabboHotel community, I noticed that almost every site (90%) had simple stuff open, from SQL injection and XSS to WebDAV hacking. Below is a list of guides to fix the majority of the security issues HabboHotel servers are having. Most of the security fixes have nothing to do with the CMS or the database; they can be used for any game, but HabboHotel servers seem to need them the most.
NOTE: These are only some of the many holes a lot of the Hotels have. I will post more security fixes (guides) in the future when I get a chance.
-------
Exploit #1 (WebDav)
-------
How do I know if this could apply to me?
- Your HabboHotel server and/or website is hosted on your own computer, a VPS, or a dedicated server.
- To host your server you are using one of the following web server packages: XAMPP, WAMP.
- You have Apache running on your computer, VPS, or dedicated server.
How do I check if this applies to me?
Go to the Start menu on your computer and find "Computer". Right click it and choose "Map Network Drive". For the folder location, enter "http://yourwebsiteorip.com/webdav/". If it connects and shows a login prompt, you're vulnerable to this.
Alternatively, open "http://yourwebsiteorip.com/webdav/" in your web browser. If a WebDAV test page appears, you're vulnerable to this unless you have already followed the fix below (it is suggested you also run the first test to be sure).
How do I fix this?
Go into the XAMPP folder, located in C:\XAMPP\ by default. Open apache > conf > extra > httpd-dav.conf in a text editor.
Find the following lines:
Code:
<Directory "C:/xampp/webdav">
    Dav On
    Order Allow,Deny
    Allow from all
Replace them with the following lines (the changed words are Off, Deny,Allow and Deny):
Code:
<Directory "C:/xampp/webdav">
    Dav Off
    Order Deny,Allow
    Deny from all
Once you've saved the changes, restart your web server and you're set to go.
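The two manual checks above (mapping the drive or browsing to /webdav/) and the httpd-dav.conf edit can both be verified from a script. The Python below is an added example written for this post, not code from the original guide or from XAMPP: `dav_enabled_directories` scans an httpd-dav.conf for `<Directory>` blocks that still say `Dav On`, `webdav_advertised` decides from an OPTIONS response whether mod_dav is still answering (a `DAV:` header or DAV verbs such as PROPFIND in `Allow:`), and `probe_webdav` sends that OPTIONS request to your own host. The HTTP responses and config snippets embedded here are constructed samples of what Apache 2.2 sends before and after the fix; host name and paths are placeholders.

```python
import http.client
import re

# Constructed sample: what Apache/mod_dav answers to OPTIONS /webdav/ while
# WebDAV is still switched on (headers only, no real server involved).
SAMPLE_DAV_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.2.14 (Win32) DAV/2\r\n"
    "DAV: 1,2\r\n"
    "MS-Author-Via: DAV\r\n"
    "Allow: OPTIONS,GET,HEAD,POST,DELETE,TRACE,PROPFIND,PROPPATCH,COPY,MOVE,LOCK,UNLOCK\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# Constructed sample: the same request after "Dav Off" + "Deny from all".
SAMPLE_FIXED_RESPONSE = (
    "HTTP/1.1 403 Forbidden\r\n"
    "Server: Apache/2.2.14 (Win32)\r\n"
    "Allow: GET,HEAD,POST,OPTIONS\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# Constructed httpd-dav.conf fragments, before and after the edit.
SAMPLE_CONF_BEFORE = '''<Directory "C:/xampp/webdav">
    Dav On
    Order Allow,Deny
    Allow from all
</Directory>
'''
SAMPLE_CONF_AFTER = '''<Directory "C:/xampp/webdav">
    Dav Off
    Order Deny,Allow
    Deny from all
</Directory>
'''

# HTTP methods that only exist because mod_dav is active.
DAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}


def parse_headers(raw):
    """Split a raw HTTP response into (status_code, {lowercase header: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def webdav_advertised(raw):
    """True if the server still announces WebDAV: a DAV: header, or DAV verbs in Allow:."""
    _, headers = parse_headers(raw)
    if "dav" in headers:
        return True
    allowed = {m.strip().upper() for m in headers.get("allow", "").split(",")}
    return bool(allowed & DAV_METHODS)


def dav_enabled_directories(conf_text):
    """Return the paths of <Directory> blocks that still contain 'Dav On'."""
    enabled = []
    block = re.compile(r'<Directory\s+"?([^">]+)"?>(.*?)</Directory>', re.S | re.I)
    for m in block.finditer(conf_text):
        path, body = m.group(1), m.group(2)
        if re.search(r'^\s*Dav\s+On\b', body, re.M | re.I):
            enabled.append(path)
    return enabled


def probe_webdav(host, path="/webdav/", port=80, timeout=5):
    """Send OPTIONS to your own server and report whether WebDAV is advertised.
    'host' is a placeholder for your hotel's web server; run this against
    the machine you administer."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    conn.request("OPTIONS", path)
    resp = conn.getresponse()
    raw = "HTTP/1.1 %d %s\r\n" % (resp.status, resp.reason)
    raw += "".join("%s: %s\r\n" % (k, v) for k, v in resp.getheaders()) + "\r\n"
    conn.close()
    return webdav_advertised(raw)


if __name__ == "__main__":
    print("before fix, config:", dav_enabled_directories(SAMPLE_CONF_BEFORE))
    print("after fix, config:", dav_enabled_directories(SAMPLE_CONF_AFTER))
    print("before fix, OPTIONS:", webdav_advertised(SAMPLE_DAV_RESPONSE))
    print("after fix, OPTIONS:", webdav_advertised(SAMPLE_FIXED_RESPONSE))
```

Run `dav_enabled_directories` over the real file after editing it: an empty list means every Directory block is off. Then restart Apache and call `probe_webdav("127.0.0.1")` from the server itself; a False result matches the page's "no test page / no login prompt" check. Checking the `Allow:` header as well as `DAV:` matters because some builds drop the `DAV:` header but still list PROPFIND when the module is loaded.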
-------
Exploit #2 (Mass Accounts Per IP)
-------
A lot of hotels suffer from people evading bans, creating mass accounts and so on without any restriction. Below is how you can "fix" this problem and limit accounts per IP address.
Code:
$limit = 5; // Maximum accounts per IP address (set this number 1-99)
// $db is assumed to be your register script's existing mysqli connection.
// A prepared statement keeps the address out of the SQL text, and COUNT(*)
// avoids pulling every matching row just to count them.
$stmt = $db->prepare("SELECT COUNT(*) FROM users WHERE ip_last = ?");
$stmt->bind_param("s", $_SERVER['REMOTE_ADDR']);
$stmt->execute();
$stmt->bind_result($count);
$stmt->fetch();
$stmt->close();
// '>=' so $limit really is the maximum; '>' would let one extra account through.
if ($count >= $limit) {
    die("The following IP address (<strong>" . htmlspecialchars($_SERVER['REMOTE_ADDR']) . "</strong>) has too many active accounts, therefore you cannot create another.");
}
Add the code above to your register script before the new account is inserted, and it will stop users creating a massive number of accounts (this does not include proxy protection).
NOTE: This will only keep the noobs out (80% of the Habbo players, if not 90%). It does not protect against the use of proxies or any type of IP-changing program (this includes resetting the modem).
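To show the same per-IP limit end to end, including the boundary and the proxy caveat from the note above, here is an added Python example (not part of the original post or of any hotel CMS) using an in-memory SQLite `users` table with the same `ip_last` column. `register` refuses the account once the address has reached the limit, the count is a parameterised query, and `client_ip` only honours a client-supplied `X-Forwarded-For` when the direct peer is a proxy you run yourself (`TRUSTED_PROXIES`, a hypothetical list that is empty here). Addresses and usernames are constructed sample data.

```python
import sqlite3

MAX_ACCOUNTS_PER_IP = 5  # same meaning as $limit in the PHP snippet above

# Hypothetical: addresses of reverse proxies you operate. Empty means no
# proxy is trusted, so the socket address (REMOTE_ADDR) is always used.
TRUSTED_PROXIES = set()


def client_ip(environ):
    """Choose the address to count against.
    REMOTE_ADDR is what the web server saw on the TCP connection.
    X-Forwarded-For is just a request header anyone can set, so it is only
    used when the connection really came from one of our own proxies."""
    remote = environ.get("REMOTE_ADDR", "")
    forwarded = environ.get("HTTP_X_FORWARDED_FOR", "")
    if remote in TRUSTED_PROXIES and forwarded:
        return forwarded.split(",")[0].strip()
    return remote


class Registration:
    """Minimal stand-in for the part of a register script that creates users."""

    def __init__(self, conn, limit=MAX_ACCOUNTS_PER_IP):
        self.conn = conn
        self.limit = limit
        conn.execute(
            "CREATE TABLE IF NOT EXISTS users "
            "(username TEXT PRIMARY KEY, ip_last TEXT NOT NULL)"
        )

    def accounts_for_ip(self, ip):
        # Parameterised: the address is bound, never concatenated into SQL.
        row = self.conn.execute(
            "SELECT COUNT(*) FROM users WHERE ip_last = ?", (ip,)
        ).fetchone()
        return row[0]

    def register(self, username, environ):
        ip = client_ip(environ)
        # '>=' makes 'limit' the true maximum; '>' would allow limit + 1 accounts.
        if self.accounts_for_ip(ip) >= self.limit:
            return False
        self.conn.execute(
            "INSERT INTO users (username, ip_last) VALUES (?, ?)", (username, ip)
        )
        self.conn.commit()
        return True


def demo():
    """Constructed scenario: one address registers until it hits the cap and is
    then refused; a spoofed X-Forwarded-For from that same untrusted peer does
    not get it a fresh quota."""
    reg = Registration(sqlite3.connect(":memory:"))
    env = {"REMOTE_ADDR": "203.0.113.7"}
    results = [reg.register("user%d" % i, env) for i in range(7)]
    spoofed = dict(env, HTTP_X_FORWARDED_FOR="198.51.100.9")
    results.append(reg.register("user7", spoofed))
    return results


if __name__ == "__main__":
    print(demo())  # five accepted, then refused
```

The last call in `demo` is the reason `client_ip` exists: if the script counted `X-Forwarded-For` instead of `REMOTE_ADDR`, every registration could carry a different made-up header value and the limit would be meaningless. Real proxies and modem resets, as the note says, still change the genuine address, and this check does nothing about those.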
-------
Credits
-------
NOTE: More guides will be added in the future, if you have any questions or concerns or would like me to add a specific guide, let me know via msn (thejacobpollack@gmail.com).
Code:
TheJacob 100%