Good evening habboons! You are lucky today, thanks to good ole Niggus + Aaron from ForceHotel.com, another SQL vulnerability in the emulator was detected. Well, actually ‘thanks’ to the scriptkiddies that tried to abuse it…
We were discussing the weak security of running MySQL under it’s almighty root account, and after I told him to create a limited account and disable file functions etc for it, errors showed up in the server log. A scriptkiddie was using this SQL vulnerability in an attempt to create a new database table, but was caught in the act: he failed to use it properly thus leading into errors in the server log, notifying Aaron of a SQL exploit. Congratulations, the ‘I failed at haxing’-award goes out to you.
This is a SQL vulnerability, which allows badguys to execute any SQL query that they want at your database. This includes modifying data, but, under an insecure server setup, creation of new files in the filesystem like shells etc: so they can take over your server and stuff! Bad times! How to fix?
1) Open up virtualUser.cs of the emulator sourcecode
2) Search for:
dbClient.runQuery(“UPDATE users_badges SET slotid = ‘” + slotID + “‘ WHERE userid = ‘” + this.userID + “‘ AND badgeid = ‘” + Badge + “‘ LIMIT 1″); // update slot
replace it with…
dbClient.AddParameterWithValue(“badge”, Badge);
dbClient.runQuery(“UPDATE users_badges SET slotid = ‘” + slotID + “‘ WHERE userid = ‘” + this.userID + “‘ AND badgeid = @badge LIMIT 1″); // update slot
3) Save and recompile
Woop, another SQL vulnerability patch. Provided free of charge by Pvt. Nillus, with help from ForceHotel and a noob scripter.
Another tip: don’t use MySQL’s root user for your private server: it’s not safe. Create a limited account like ‘holo_user’, and only give it access to SELECT, UPDATE, INSERT, DELETE. Then configure your emulator and CMS to use this account. This prevents them from using the file functions, incase they find a SQL exploit. Good evening boons, and stay safe.
