Holo security fix #2
Good evening habboons! You are lucky today: thanks to good ole Niggus + Aaron from ForceHotel.com, another SQL vulnerability in the emulator was detected. Well, actually ‘thanks’ to the scriptkiddies that tried to abuse it…
We were discussing the weak security of running MySQL under its almighty root account, and after I told him to create a limited account and disable file functions etc. for it, errors showed up in the server log. A scriptkiddie was using this SQL vulnerability in an attempt to create a new database table, but was caught in the act: he failed to use it properly, leading to errors in the server log and notifying Aaron of a SQL exploit. Congratulations, the ‘I failed at haxing’-award goes out to you.
This is a SQL injection vulnerability, which allows bad guys to execute any SQL query they want against your database. This includes modifying data, but also, under an insecure server setup, creating new files in the filesystem (like shells etc.), so they can take over your server and stuff! Bad times! How to fix?
1) Open up virtualUser.cs of the emulator sourcecode
2) Search for:
dbClient.runQuery("UPDATE users_badges SET slotid = '" + slotID + "' WHERE userid = '" + this.userID + "' AND badgeid = '" + Badge + "' LIMIT 1"); // update slot
replace it with…
dbClient.AddParamWithValue("badge", Badge);
dbClient.runQuery("UPDATE users_badges SET slotid = '" + slotID + "' WHERE userid = '" + this.userID + "' AND badgeid = @badge LIMIT 1"); // update slot
3) Save and recompile
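For readers who want to see the whole pattern rather than the one-line diff, here is the same badge-slot update written against MySQL Connector/NET directly. This is an added example, not Holo's code: it assumes the MySql.Data package and an open MySqlConnection, and it uses MySqlCommand instead of Holo's dbClient wrapper (runQuery/AddParamWithValue) so every step is visible. It goes one step further than the patch above by binding all three values, not only the badge; slotid and userid are numeric, but binding them too means the statement text never depends on anything the client sent.

```csharp
// Added example (not Holo's own code). Assumes the MySql.Data package
// (MySql.Data.MySqlClient) and an already-open MySqlConnection.
using System;
using MySql.Data.MySqlClient;

public static class BadgeSlotRepository
{
    // Moves a badge into a slot for one user. The SQL text is a constant: the
    // values travel to the server as bound parameters, so a badge id containing
    // quotes, comments or semicolons is just data, never part of the statement.
    public static int UpdateBadgeSlot(MySqlConnection conn, int slotId, int userId, string badge)
    {
        const string sql =
            "UPDATE users_badges SET slotid = @slotid " +
            "WHERE userid = @userid AND badgeid = @badge LIMIT 1";

        using (var cmd = new MySqlCommand(sql, conn))
        {
            // Typed parameters: the driver refuses a non-integer for the two ids.
            cmd.Parameters.Add("@slotid", MySqlDbType.Int32).Value = slotId;
            cmd.Parameters.Add("@userid", MySqlDbType.Int32).Value = userId;
            cmd.Parameters.Add("@badge", MySqlDbType.VarChar).Value = badge;

            // 1 when a matching row was updated, 0 when the user does not own
            // that badge; callers can log the latter as a suspicious packet.
            return cmd.ExecuteNonQuery();
        }
    }

    public static void Main()
    {
        // Placeholder connection string; the account name follows the advice in
        // this post (a limited user, not root).
        const string connStr = "Server=localhost;Database=holo;Uid=holo_user;Pwd=<password>;";

        using (var conn = new MySqlConnection(connStr))
        {
            conn.Open();
            int rows = UpdateBadgeSlot(conn, slotId: 1, userId: 42, badge: "ADM");
            Console.WriteLine(rows == 1 ? "badge slot updated" : "no such badge for this user");
        }
    }
}
```

The important property is that the query string is a compile-time constant. If you grep an emulator for `runQuery("` followed by `" +`, every hit is a candidate for the same treatment, whichever table it touches.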
Woop, another SQL vulnerability patch. Provided free of charge by Pvt. Nillus, with help from ForceHotel and a noob scripter.
Another tip: don’t use MySQL’s root user for your private server: it’s not safe. Create a limited account like ‘holo_user’, and only give it access to SELECT, UPDATE, INSERT, DELETE. Then configure your emulator and CMS to use this account. This prevents them from using the file functions, in case they find a SQL exploit. Good evening boons, and stay safe.
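A limited account only helps if it stays limited, so the emulator can verify its own database account at startup. The following is an added example, not part of the original post or of Holo: it assumes the MySql.Data package, and the database name ‘holo’, the account ‘holo_user’ and the connection string are placeholders. It reads SHOW GRANTS for the connected user and warns about root, ALL PRIVILEGES, FILE (the privilege behind LOAD_FILE and SELECT … INTO OUTFILE) or anything else beyond the four privileges listed above.

```csharp
// Added example (not part of the original post). Assumes MySql.Data; the
// account and database names are placeholders. The account itself is created
// once by an administrator, roughly like this (password is a placeholder):
//   CREATE USER 'holo_user'@'localhost' IDENTIFIED BY '<password>';
//   GRANT SELECT, UPDATE, INSERT, DELETE ON holo.* TO 'holo_user'@'localhost';
using System;
using System.Collections.Generic;
using System.Text.RegularExpressions;
using MySql.Data.MySqlClient;

public static class DbAccountCheck
{
    // Everything the emulator legitimately needs, per the post. USAGE is the
    // "no privileges" marker MySQL prints for every account, so it is harmless.
    static readonly HashSet<string> Allowed =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
            { "SELECT", "UPDATE", "INSERT", "DELETE", "USAGE" };

    // Parses one line of SHOW GRANTS output, e.g.
    //   GRANT SELECT, INSERT, UPDATE, DELETE ON `holo`.* TO 'holo_user'@'localhost'
    // and returns the privileges it names that are not on the allow list.
    public static List<string> ExcessPrivileges(string grantLine)
    {
        var excess = new List<string>();
        var m = Regex.Match(grantLine, @"^GRANT\s+(.+?)\s+ON\s", RegexOptions.IgnoreCase);
        if (!m.Success)
            return excess; // role grants and GRANT PROXY lines have no " ON "; skip them

        foreach (var raw in m.Groups[1].Value.Split(','))
        {
            // "SELECT (col1, col2)" column grants: keep only the privilege keyword.
            var priv = raw.Trim().Split(' ', '(')[0].ToUpperInvariant();
            if (priv.Length == 0) continue;
            if (priv == "ALL") { excess.Add("ALL PRIVILEGES"); continue; }
            if (!Allowed.Contains(priv)) excess.Add(priv);
        }
        return excess;
    }

    // Runs the check over a live connection and prints one warning per finding.
    public static void Verify(MySqlConnection conn)
    {
        using (var cmd = new MySqlCommand("SELECT CURRENT_USER()", conn))
        {
            var user = (string)cmd.ExecuteScalar();
            if (user.StartsWith("root@", StringComparison.OrdinalIgnoreCase))
                Console.WriteLine("WARNING: connected as " + user + "; use a limited account instead.");
        }

        using (var cmd = new MySqlCommand("SHOW GRANTS FOR CURRENT_USER()", conn))
        using (var reader = cmd.ExecuteReader())
        {
            while (reader.Read())
            {
                var line = reader.GetString(0);
                var excess = ExcessPrivileges(line);
                if (excess.Count > 0)
                    Console.WriteLine("WARNING: unnecessary privilege(s) " +
                                      string.Join(", ", excess) + " in: " + line);
            }
        }
    }

    public static void Main()
    {
        const string connStr = "Server=localhost;Database=holo;Uid=holo_user;Pwd=<password>;";
        using (var conn = new MySqlConnection(connStr))
        {
            conn.Open();
            Verify(conn);
        }
    }
}
```

Run it once after creating the account and again whenever the CMS or emulator is reconfigured; a FILE or ALL PRIVILEGES warning means the next SQL bug found in the code base is a server takeover again rather than a data-only problem.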
Don’t forget to apply the previously published fix too; it’s another SQL vulnerability in the emulator: click here for the other patch
Also, if you are feeling generous: you can always donate to me with PayPal. I have never charged money for my work, so any amount is welcome. Thank you!
Also: Angelo, check it out.


Thanks for this. I’ve been making adjustments like this for a while now thanks to Jordan tipping me off a couple weeks ago. Glad ForceHotel and you managed to figure this one out, because I was nowhere near patching that up with Params.
I’m glad to help out.
Thanks for calling me a n00bscripter :@
- Martin
When you give a man power, his true self shows; or so when the man finds the power, destruction occurs.
I’ll just write in Dutch because I know you are Dutch.
As you can see, your name has been removed on leethotel.com.
Thanks in advance.
When I updated my server with this fix, all of the badges at the hotel didn’t work anymore. Can you help me? :)
I fixed that SQL vulnerability! After compiling, I saw 41 errors.
Is that normal?
I think the SQL patch should be re-written.
Special thanks to Nillus.