
[How To] HabboHotel community security (fixing exploits, tricks, missing features etc)

[How To] Habbo Hotel Security/Optimize Performance [Important]

HabboHotel - Security

During my brief time at the HabboHotel community, I noticed that almost every site (90%) had simple stuff open, from SQL injection and XSS to WebDAV left wide open. Below is a list of guides that fix the majority of the security issues HabboHotel servers have. Most of the fixes have nothing to do with the CMS or the database; they can be used for any game, but HabboHotel servers seem to need them the most.

NOTE: These are only some of the many holes a lot of the hotels have. I will post more security fixes (guides) in the future when I get a chance.

-------
Exploit #1 (WebDav)
-------

How do I know if this could apply to me?
  • Your HabboHotel server and/or website is hosted on your own computer, VPS, or dedicated server.
  • To host your server you use one of the following web server bundles: XAMPP or WAMP.
  • You have Apache running on your computer, VPS, or dedicated server.

How do I check if this applies to me?

Go to the Start menu on your computer and find "Computer". Right-click it and choose "Map Network Drive". For the folder location, enter "http://yourwebsiteorip.com/webdav/". If it connects and shows a login prompt, you're vulnerable to this.

Alternatively, open "http://yourwebsiteorip.com/webdav/" in your web browser. If a WebDAV test page shows up, you're vulnerable to this unless you have already applied the fix below (do the first test as well to be sure).
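As an added check that is not part of the original guide: the script below sends an HTTP OPTIONS request to your own hotel's /webdav/ path and reports whether mod_dav still answers (a DAV: header, WebDAV methods in the Allow: header, or the login prompt the guide mentions) or whether the fix has taken effect (403/404). The target URL is a placeholder you replace with your own hotel's address; only Python's standard library is needed.

```python
import urllib.error
import urllib.request

# Methods that only mod_dav answers; any of them in Allow: means Dav is On.
DAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}


def classify_webdav(status, headers):
    """Interpret the reply to an OPTIONS request for /webdav/.

    Returns one of:
      "exposed"   - Dav is still On: a DAV: header, a DAV method in Allow:, or a
                    401 login prompt (the guide treats a login prompt as vulnerable)
      "fixed"     - 403/404 with no DAV signs: Dav Off and Deny from all took effect
      "reachable" - 2xx without DAV signs: Dav Off, but Deny from all is missing
    """
    hdrs = {k.lower(): v for k, v in headers.items()}
    allowed = {m.strip().upper() for m in hdrs.get("allow", "").split(",") if m.strip()}
    if "dav" in hdrs or allowed & DAV_METHODS or status == 401:
        return "exposed"
    if status in (403, 404):
        return "fixed"
    if 200 <= status < 300:
        return "reachable"
    return "unknown"


def check_webdav(base_url, timeout=10):
    """Send OPTIONS to <base_url>/webdav/ on your own host and classify the answer."""
    req = urllib.request.Request(base_url.rstrip("/") + "/webdav/", method="OPTIONS")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_webdav(resp.status, dict(resp.headers.items()))
    except urllib.error.HTTPError as err:
        # 401/403/404 arrive as exceptions but still carry the headers we need
        return classify_webdav(err.code, dict(err.headers.items()))


if __name__ == "__main__":
    import sys
    # Placeholder default; pass your own hotel's URL as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "http://127.0.0.1"
    print(target, "->", check_webdav(target))
```

Run it before and after editing httpd-dav.conf: the result should move from "exposed" to "fixed"; "reachable" means Dav is off but the Deny from all part of the fix did not take effect.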

How do I fix this?

Go into the XAMPP folder, normally C:\xampp\. Open apache > conf > extra > httpd-dav.conf in a text editor.

Find the following lines:

Code:
<Directory "C:/xampp/webdav">
    Dav On

    Order Allow,Deny
    Allow from all

Replace them with the following lines (the changed words are Off, Deny,Allow and Deny):

Code:
<Directory "C:/xampp/webdav">
    Dav Off

    Order Deny,Allow
    Deny from all

Once you've saved the changes, restart Apache and you're set to go. Note that "Order" and "Deny from all" are Apache 2.2 directives; if your XAMPP ships Apache 2.4, the equivalent of those last two lines is "Require all denied".

-------
Exploit #2 (Mass Accounts Per IP)
-------

A lot of hotels suffer from people evading bans, creating mass accounts, etc. without any restriction. Below is how you can "fix" this problem by limiting the number of accounts per IP address.

Code:
$limit = 5; // Limit of accounts per IP (set this number 1-99)
$ip = $_SERVER['REMOTE_ADDR'];

// $db is assumed to be the mysqli connection your register script already opened;
// a prepared statement replaces the old mysql_query() string, which no longer exists in PHP 7+.
$stmt = $db->prepare("SELECT COUNT(*) FROM users WHERE ip_last = ?");
$stmt->bind_param('s', $ip);
$stmt->execute();
$stmt->bind_result($count);
$stmt->fetch();
$stmt->close();

// >= so that exactly $limit accounts are allowed per IP, not $limit + 1
if ($count >= $limit) {
    die("The following IP address (<strong>" . htmlspecialchars($ip) . "</strong>) has too many active accounts, therefore you cannot create another.");
}

Simply add the code above to your register script, before the account is inserted, and it will stop users from creating a massive number of accounts (this does not include proxy protection).

NOTE: This will only keep the noobs out (80% of the Habbo players, if not 90%). It does not protect against the use of proxies or any kind of IP-changing method (including resetting the modem).

-------
Credits
-------

NOTE: More guides will be added in the future. If you have any questions or concerns, or would like me to add a specific guide, let me know via MSN (thejacobpollack@gmail.com).

Code:
TheJacob 100%
 