[FIX][C++] SQL Injection in Messenger and Guild

Page 1 of 6

12/15/2015 02:56 .Alpha.#1

Hello,

today there were attacks to several servers all using the same exploits.
I will not further explain the method used to attack these servers.

To fix it go to messenger_manager.cpp:

Search for the function MessengerManager::RemoveFromList

Replace it with this:

Code:

void MessengerManager::RemoveFromList(MessengerManager::keyA account, MessengerManager::keyA companion)
{
    if (companion.empty())
        return;

    char companionEscaped[CHARACTER_NAME_MAX_LEN * 2 + 1];
    DBManager::instance().EscapeString(companionEscaped, sizeof(companionEscaped), companion.c_str(), companion.length());


    DBManager::instance().Query("DELETE FROM messenger_list%s WHERE account='%s' AND companion = '%s'",
                                get_table_postfix(), account.c_str(), companionEscaped);


    __RemoveFromList(account, companion);

    sys_log(1, "Messenger Remove %s %s", account.c_str(), companion.c_str());

    TPacketGGMessenger pack;
    pack.bHeader = HEADER_GG_MESSENGER_REMOVE;
    strlcpy(pack.szAccount, account.c_str(), sizeof(pack.szAccount));
    strlcpy(pack.szCompanion, companion.c_str(), sizeof(pack.szCompanion));
    P2P_MANAGER::instance().Send(&pack, sizeof(TPacketGGMessenger));
}

Credits go to ricky92 and WoM2

12/15/2015 03:00 Frosty(�ー｀)#2

best guy miau ♥

12/15/2015 03:03 NordMT2#3

Bester Typ <3

12/15/2015 03:53 H4C0K1#4

Thanks! <3

12/15/2015 03:53 SeaD12345#5

Thank you.

12/15/2015 06:58 fcsk_aim#6

Thanks sir.

12/15/2015 10:33 Jelfina#7

Danke f�rs Teilen und vorallem f�r die schnellen Absprachen im Fix. Hervorragende Arbeit!

12/15/2015 11:15 EA ZY#8

Mal wieder super von dir, dass du es mit der Community teilst!
So ne Schei�e muss wirklich nicht sein...

12/15/2015 12:52 DeadBreakZz#9

Danke :)

12/15/2015 13:06 Myrelle#10

Dankesehr ♥

12/15/2015 14:22 MQTT.#11

Endlich!

12/15/2015 15:21 IkoLollo#12

Is possible to create one .dif for every game 2089m? My old server has 2089m.

12/15/2015 16:03 rollback#13

Quote:

Originally Posted by IkoLollo

Is possible to create one .dif for every game 2089m? My old server has 2089m.

Make an update and use the source. There's no reason to keep developing on this old revision.

12/15/2015 16:12 Marius Sorin#14

A question. Did anyone tested this fix or it`s just posted for +1?

12/15/2015 16:15 rollback#15

Quote:

Originally Posted by Marius Sorin

A question. Did anyone tested this fix or it`s just posted for +1?

Just by reading the code you can see that this fix will work.

Page 1 of 6

Last »