
[Plus Emulator] Bot Speech Exploit Fix

Initiate Mage
Joined
Nov 7, 2017
Messages
4
Reaction score
1
Hi RaGEZONE,
I recently came across an "exploit" that allows users to bypass the bad HTML filter on bot speech setup.
Normally, for example, <font size="200"> and </font> would be blocked, but by simply using <FONT SIZE="200"> and </FONT> in capitals, you can bypass the filter. I also believe you can work around it with other variations too like "FoNT" or "fOnT" - but I do not remember. 200 is not the font size limit, you can make it go much higher and take up the whole screen. I have not tested this with a lot of other HTML, but I'm sure this could be used to do much more malicious things.

It is shown here:
Verted - [Plus Emulator] Bot Speech Exploit Fix - RaGEZONE Forums




Here's the fix which completely removes any form of string upon saving bot speeches.

Go to SaveBotActionEvent.cs and find:
Code:
for (int i = 0; i <= SpeechData.Length - 1; i++)
{
    using (IQueryAdapter dbClient = DatabaseManager.GetQueryReactor())


Replace that with:

Code:
for (int i = 0; i <= SpeechData.Length - 1; i++)
{
    // Strip every complete <...> span before the speech line is saved.
    // Regex needs "using System.Text.RegularExpressions;" in this file.
    SpeechData[i] = Regex.Replace(SpeechData[i], "<(.|\\n)*?>", string.Empty);
    using (IQueryAdapter dbClient = DatabaseManager.GetQueryReactor())

Happy days.
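
An added example (not code from this thread or from Plus Emulator) that runs the regex from the fix next to a case-sensitive blocklist on constructed inputs. `BlocklistRejects` is a hypothetical stand-in for the original filter, which the thread does not show, and `StripTagsStrict` is an extra hardening step that is not part of the posted fix.

```csharp
using System;
using System.Text.RegularExpressions;

static class BotSpeechFilterDemo
{
    // Hypothetical case-sensitive blocklist; the emulator's real filter is not shown in the thread.
    static readonly string[] Blocked = { "<font", "</font>" };

    static bool BlocklistRejects(string speech)
    {
        foreach (string tag in Blocked)
            if (speech.Contains(tag)) // ordinal, case-sensitive comparison
                return true;
        return false;
    }

    // The expression from the fix: removes every complete <...> span,
    // whatever the tag name, casing, or embedded newlines.
    static string StripTags(string speech) =>
        Regex.Replace(speech, "<(.|\\n)*?>", string.Empty);

    // Assumption / extra step: also drop angle brackets left behind by a tag
    // that was never closed, which the regex alone does not match.
    static string StripTagsStrict(string speech) =>
        StripTags(speech).Replace("<", string.Empty).Replace(">", string.Empty);

    static void Main()
    {
        // Constructed sample inputs.
        string[] samples =
        {
            "<font size=\"200\">hi</font>",    // lowercase: caught by the blocklist
            "<FONT SIZE=\"200\">hi</FONT>",    // capitals: blocklist misses it
            "<FoNt\nSIZE=\"200\">hi</fOnT>",   // mixed case with a newline inside the tag
            "hi <font size=\"200\"",           // unclosed tag: no '>' for the regex to match
        };

        foreach (string s in samples)
        {
            Console.WriteLine("input: " + s.Replace("\n", "\\n"));
            Console.WriteLine("  blocklist rejects: " + BlocklistRejects(s));
            Console.WriteLine("  StripTags:         " + StripTags(s));
            Console.WriteLine("  StripTagsStrict:   " + StripTagsStrict(s));
        }
    }
}
```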
 
Initiate Mage
Joined
Nov 7, 2017
Messages
4
Reaction score
1
This is old news. Already fixed clientside I thought. Which Habbo.swf revision were you using?
Plus Revision 2, not sure which production though. Can check this later if I can be fucked.

Fixing it serverside is always better than letting the client handle stuff like this. It's okay as a first measure against invalid input, but the server should always do it too!
True.
 
Newbie Spellweaver
Joined
Dec 30, 2013
Messages
19
Reaction score
1
I've tested this bug on Plus Emulator R2 by Sledmore and it is affected.

EDIT: Thank you for this fix.
 