minigutza

this error is still present? somebody else noticed that too?

I restarted the clients many times till i got it. I couldn't reproduce it in map1, i am in sd3 but i think it was just an coincidence. Thanks a lot.

I have a pack with m2m weps. I hope this is what you want: [Hidden Content]

Hello guys and happy easter. I discovered a bug in my client which makes the info bar from the character (duels, trade, friend request etc) to not be shown sometimes. I need to reopen the client to works. I checked on google about this bug first of all and i saw it could be a problem with my uitarget.py? I tried to change it, replace it from another client, compare it (with one from another client) but without succes. If you need the syserr or the uitarget itself i can give it to you. I would appreciate some help. Thanks a lot.

Hello guys, I discovered something weird in my client. I can't block any boss in the walls. Doesn't matter if its DT, Spider Dungeon etc. The mobs go through walls every time after a few hits. I thought it was property since all the maps have the same issue but i changed it with anothers and same thing. Zone too...or maybe i had the wrong files every time. I don't know for sure if its from the client or from the server/maps. Thank you!

I believe you but a fix for it? ?

Hello guys, Can you help with with a solution for this guilds.php? The first guilds are shown in index.php but when i try to enter in top100 i have this incomplete table: [Hidden Content] The guilds.php is: Thanks a lot.

I solved it adding one more TAB to the imports from def to be inside of it. [Hidden Content]

Hello guys, I tried to add time and lv in PM and my client started to crash on login. That's the code: I added at the beggining of the uiwhisper.py too. The syserr have the next error: I tried to use TABs etc and nothing helped. A little help would be awesome. Thanks a lot. I solved it adding one more TAB to the imports from def to be inside of it. [Hidden Content]

is not in locale or icon... I have a root but only have 37kb... Arent all files there. This is the problem. I can't find .py file to change ip. Those files are all from root: And root isnt in INDEX from pack, so i think that is not used.

I have a client and that client havent root in pack. i tried to find it if it is with other name but its not there. I was thinking that maybe the root is hide inside the launcher ? How can i decrypt launcher to gain root files? I need to change ip for using that metin2 client. Thanks!

Can u repost pls ? Broken link. Thanks.

Costum_pack arhive it's from my client but i think that somebody protected it. Isn't from official client. Could someone extract it for me pls?

When i try to unpack the archive "costum_pack" with eternexus i receive a common error in windows with "Send error report / Don't send". When I used Easy File Extract0r by Eddy² 4 epvp the files are extracted without any error but are still incomplete (folders ymir work/pc2/warrior and sura are completly missing) I think that the arhive is protected. May someone decript it for me pls ? Download link: [Hidden Content] Thanks guys!

Two times in the same day i woke up with the website down. I tried acces errorlog from cpanel and i found this: [Wed Nov 26 18:13:24.158974 2014] [cgi:error] [pid 893467] [client 176.126.237.217:52436] AH01215: Use of uninitialized value $renewBTN in string eq at (eval 2) line 363., referer: [Hidden Content] [Wed Nov 26 18:13:24.158349 2014] [cgi:error] [pid 893467] [client 176.126.237.217:52436] AH01215: Use of uninitialized value $arhivefl3 in string eq at (eval 2) line 341., referer: [Hidden Content] [Wed Nov 26 18:13:24.158073 2014] [cgi:error] [pid 893467] [client 176.126.237.217:52436] AH01215: Use of uninitialized value $arhivefl2 in string eq at (eval 2) line 330., referer: [Hidden Content] [Wed Nov 26 18:13:24.157938 2014] [cgi:error] [pid 893467] [client 176.126.237.217:52436] AH01215: Use of uninitialized value $arhivefl in string eq at (eval 2) line 321., referer: [Hidden Content] [Wed Nov 26 18:13:24.157683 2014] [cgi:error] [pid 893467] [client 176.126.237.217:52436] AH01215: Use of uninitialized value $delfolder in string eq at (eval 2) line 309., referer: [Hidden Content] [Wed Nov 26 18:13:24.157336 2014] [cgi:error] [pid 893467] [client 176.126.237.217:52436] AH01215: Use of uninitialized value $delfile in string eq at (eval 2) line 305., referer: [Hidden Content] [Wed Nov 26 18:13:24.156271 2014] [cgi:error] [pid 893467] [client 176.126.237.217:52436] AH01215: Use of uninitialized value $savess in string eq at (eval 2) line 642., referer: [Hidden Content] [Wed Nov 26 18:13:24.156222 2014] [cgi:error] [pid 893467] [client 176.126.237.217:52436] AH01215: Use of uninitialized value $btnnew in string eq at (eval 2) line 637., referer: [Hidden Content] [Wed Nov 26 18:13:24.156167 2014] [cgi:error] [pid 893467] [client 176.126.237.217:52436] AH01215: Use of uninitialized value $chm in string eq at (eval 2) line 634., referer: [Hidden Content] [Wed Nov 26 18:13:24.155904 2014] [cgi:error] [pid 893467] [client 176.126.237.217:52436] AH01215: Use of uninitialized value $btnupload in string eq at (eval 2) line 2874., referer: [Hidden Content] [Wed Nov 26 18:13:23.662087 2014] [cgi:error] [pid 893467] [client 176.126.237.217:52436] AH01215: BEGIN failed--compilation aborted., referer: [Hidden Content] [Wed Nov 26 18:13:23.662030 2014] [cgi:error] [pid 893467] [client 176.126.237.217:52436] AH01215: Can't locate String/CRC32.pm in @INC (@INC contains: /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .)., referer: [Hidden Content] [Wed Nov 26 18:13:23.469300 2014] [cgi:error] [pid 893467] [client 176.126.237.217:52436] AH01215: Use of implicit split to @_ is deprecated at (eval 2) line 2107., referer: [Hidden Content] [Wed Nov 26 18:13:23.454350 2014] [cgi:error] [pid 893467] [client 176.126.237.217:52436] AH01215: Subroutine GetCookies redefined at (eval 2) line 221., referer: [Hidden Content] [Wed Nov 26 18:13:20.788339 2014] [cgi:error] [pid 892507] [client 176.126.237.217:52381] AH01215: Use of uninitialized value $renewBTN in string eq at (eval 2) line 363., referer: [Hidden Content] [Wed Nov 26 18:13:20.788155 2014] [cgi:error] [pid 892507] [client 176.126.237.217:52381] AH01215: Use of uninitialized value $arhivefl3 in string eq at (eval 2) line 341., referer: [Hidden Content] [Wed Nov 26 18:13:20.788101 2014] [cgi:error] [pid 892507] [client 176.126.237.217:52381] AH01215: Use of uninitialized value $arhivefl2 in string eq at (eval 2) line 330., referer: [Hidden Content] [Wed Nov 26 18:13:20.788046 2014] [cgi:error] [pid 892507] [client 176.126.237.217:52381] AH01215: Use of uninitialized value $arhivefl in string eq at (eval 2) line 321., referer: [Hidden Content] [Wed Nov 26 18:13:20.787973 2014] [cgi:error] [pid 892507] [client 176.126.237.217:52381] AH01215: Use of uninitialized value $delfolder in string eq at (eval 2) line 309., referer: [Hidden Content] [Wed Nov 26 18:13:20.787917 2014] [cgi:error] [pid 892507] [client 176.126.237.217:52381] AH01215: Use of uninitialized value $delfile in string eq at (eval 2) line 305., referer: [Hidden Content] [Wed Nov 26 18:13:20.787305 2014] [cgi:error] [pid 892507] [client 176.126.237.217:52381] AH01215: Use of uninitialized value $savess in string eq at (eval 2) line 642., referer: [Hidden Content] [Wed Nov 26 18:13:20.787257 2014] [cgi:error] [pid 892507] [client 176.126.237.217:52381] AH01215: Use of uninitialized value $btnnew in string eq at (eval 2) line 637., referer: [Hidden Content] [Wed Nov 26 18:13:20.787203 2014] [cgi:error] [pid 892507] [client 176.126.237.217:52381] AH01215: Use of uninitialized value $chm in string eq at (eval 2) line 634., referer: [Hidden Content] [Wed Nov 26 18:13:20.787082 2014] [cgi:error] [pid 892507] [client 176.126.237.217:52381] AH01215: Use of uninitialized value $btnupload in string eq at (eval 2) line 2874., referer: [Hidden Content] [Wed Nov 26 18:13:20.562198 2014] [cgi:error] [pid 892507] [client 176.126.237.217:52381] AH01215: BEGIN failed--compilation aborted., referer: [Hidden Content] [Wed Nov 26 18:13:20.562143 2014] [cgi:error] [pid 892507] [client 176.126.237.217:52381] AH01215: Can't locate String/CRC32.pm in @INC (@INC contains: /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .)., referer: [Hidden Content] [Wed Nov 26 18:13:20.457925 2014] [cgi:error] [pid 892507] [client 176.126.237.217:52381] AH01215: Use of implicit split to @_ is deprecated at (eval 2) line 2107., referer: [Hidden Content] [Wed Nov 26 18:13:20.448434 2014] [cgi:error] [pid 892507] [client 176.126.237.217:52381] AH01215: Subroutine GetCookies redefined at (eval 2) line 221., referer: [Hidden Content] [Wed Nov 26 18:13:18.295834 2014] [cgi:error] [pid 885522] [client 176.126.237.217:52329] AH01215: Use of uninitialized value $renewBTN in string eq at (eval 2) line 363., referer: [Hidden Content] [Wed Nov 26 18:13:18.295802 2014] [cgi:error] [pid 885522] [client 176.126.237.217:52329] AH01215: Use of uninitialized value $arhivefl3 in string eq at (eval 2) line 341., referer: [Hidden Content] [Wed Nov 26 18:13:18.295759 2014] [cgi:error] [pid 885522] [client 176.126.237.217:52329] AH01215: Use of uninitialized value $arhivefl2 in string eq at (eval 2) line 330., referer: [Hidden Content] [Wed Nov 26 18:13:18.189275 2014] [cgi:error] [pid 885522] [client 176.126.237.217:52329] AH01215: Use of uninitialized value $arhivefl in string eq at (eval 2) line 321., referer: [Hidden Content] [Wed Nov 26 18:13:18.189242 2014] [cgi:error] [pid 885522] [client 176.126.237.217:52329] AH01215: Use of uninitialized value $delfolder in string eq at (eval 2) line 309., referer: [Hidden Content] [Wed Nov 26 18:13:18.189199 2014] [cgi:error] [pid 885522] [client 176.126.237.217:52329] AH01215: Use of uninitialized value $delfile in string eq at (eval 2) line 305., referer: [Hidden Content] [Wed Nov 26 18:13:18.125890 2014] [cgi:error] [pid 885522] [client 176.126.237.217:52329] AH01215: Use of uninitialized value $savess in string eq at (eval 2) line 642., referer: [Hidden Content] [Wed Nov 26 18:13:18.125841 2014] [cgi:error] [pid 885522] [client 176.126.237.217:52329] AH01215: Use of uninitialized value $btnnew in string eq at (eval 2) line 637., referer: [Hidden Content] [Wed Nov 26 18:13:18.125786 2014] [cgi:error] [pid 885522] [client 176.126.237.217:52329] AH01215: Use of uninitialized value $chm in string eq at (eval 2) line 634., referer: [Hidden Content] [Wed Nov 26 18:13:18.125662 2014] [cgi:error] [pid 885522] [client 176.126.237.217:52329] AH01215: Use of uninitialized value $btnupload in string eq at (eval 2) line 2874., referer: [Hidden Content] [Wed Nov 26 18:13:17.899148 2014] [cgi:error] [pid 885522] [client 176.126.237.217:52329] AH01215: BEGIN failed--compilation aborted., referer: [Hidden Content] [Wed Nov 26 18:13:17.899096 2014] [cgi:error] [pid 885522] [client 176.126.237.217:52329] AH01215: Can't locate String/CRC32.pm in @INC (@INC contains: /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .)., referer: [Hidden Content] [Wed Nov 26 18:13:17.795191 2014] [cgi:error] [pid 885522] [client 176.126.237.217:52329] AH01215: Use of implicit split to @_ is deprecated at (eval 2) line 2107., referer: [Hidden Content] [Wed Nov 26 18:13:17.785841 2014] [cgi:error] [pid 885522] [client 176.126.237.217:52329] AH01215: Subroutine GetCookies redefined at (eval 2) line 221., referer: [Hidden Content] [Wed Nov 26 17:53:13.198871 2014] [:error] [pid 855428] [client 66.249.67.96:38985] File does not exist: /home/npgubluo/public_html/images/index.php It's an website attack? Because after that, somehow all my mysql from serverfile was gone ... Thanks god that i made a backup first l?tt= it's an sql injection or what? Please help!

2089M florin.

So? a little help?

First syserr is from a player of my pserver. My syserr, after i select YES at error ??????? is this: [Hidden Content] Something wrong in files from root i think - game.py, interfaceModule.py, and the most repeted error from uiTaskBar.py. Pls help. Thank you.

[Hidden Content] I have more errors but i think that the last it is the problem.

Hello everybody. I have an error in client (i think it is from client-side). If i spend more time in game i receive an error ????? ???? and the client stopped. What can i do? I can post syserr or any other files you need. Sorry for my language mistakes.

Thanks man. I made another website scan with acunetix and everything looks fine now. No sql injection vulnerability appears.

Ok man. Thanks. Player.php: [Hidden Content]

Seems to be ok...but a solution for my homepage ? i dont want to lose my itemshop.

But how ? I dont have any idea....

I don't think so In picture2 said "char .... and '3'='3 I think here is the problem. How to solve the sql injection? If I select "Detailed information" a lot of informations apears: SQL injection mitigations We believe that web application developers often simply do not think about "surprise inputs", but security people do (including the bad guys), so there are three broad approaches that can be applied here. Sanitize the input It's absolutely vital to sanitize user inputs to insure that they do not contain dangerous codes, whether to the SQL server or to HTML itself. One's first idea is to strip out "bad stuff", such as quotes or semicolons or escapes, but this is a misguided attempt. Though it's easy to point out some dangerous characters, it's harder to point to all of them. The language of the web is full of special characters and strange markup (including alternate ways of representing the same characters), and efforts to authoritatively identify all "bad stuff" are unlikely to be successful. Instead, rather than "remove known bad data", it's better to "remove everything but known good data": this distinction is crucial. Since - in our example - an email address can contain only these characters: abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ 0123456789 @.-_+ There is really no benefit in allowing characters that could not be valid, and rejecting them early - presumably with an error message - not only helps forestall SQL Injection, but also catches mere typos early rather than stores them into the database. Be aware that "sanitizing the input" doesn't mean merely "remove the quotes", because even "regular" characters can be troublesome. In an example where an integer ID value is being compared against the user input (say, a numeric PIN): SELECT fieldlist FROM table WHERE id = 23 OR 1=1; -- Boom! Always matches! In practice, however, this approach is highly limited because there are so few fields for which it's possible to outright exclude many of the dangerous characters. For "dates" or "email addresses" or "integers" it may have merit, but for any kind of real application, one simply cannot avoid the other mitigations. Escape/Quotesafe the input Even if one might be able to sanitize a phone number or email address, one cannot take this approach with a "name" field lest one wishes to exclude the likes of Bill O'Reilly from one's application: a quote is simply a valid character for this field. One includes an actual single quote in an SQL string by putting two of them together, so this suggests the obvious - but wrong! - technique of preprocessing every string to replicate the single quotes: SELECT fieldlist FROM customers WHERE name = 'Bill O''Reilly'; -- works OK However, this naive approach can be beaten because most databases support other string escape mechanisms. MySQL, for instance, also permits ' to escape a quote, so after input of '; DROP TABLE users; -- is "protected" by doubling the quotes, we get: SELECT fieldlist FROM customers WHERE name = '''; DROP TABLE users; --'; -- Boom! The expression ''' is a complete string (containing just one single quote), and the usual SQL shenanigans follow. It doesn't stop with backslashes either: there is Unicode, other encodings, and parsing oddities all hiding in the weeds to trip up the application designer. Getting quotes right is notoriously difficult, which is why many database interface languages provide a function that does it for you. When the same internal code is used for "string quoting" and "string parsing", it's much more likely that the process will be done properly and safely. Some examples are the MySQL function mysql_real_escape_string() and perl DBD method $dbh->quote($value). These methods must be used. Use bound parameters (the PREPARE statement) Though quotesafing is a good mechanism, we're still in the area of "considering user input as SQL", and a much better approach exists: bound parameters, which are supported by essentially all database programming interfaces. In this technique, an SQL statement string is created with placeholders - a question mark for each parameter - and it's compiled ("prepared", in SQL parlance) into an internal form. Later, this prepared query is "executed" with a list of parameters: Example in perl $sth = $dbh->prepare("SELECT email, userid FROM members WHERE email = ?;"); $sth->execute($email); Thanks to Stefan Wagner, this demonstrates bound parameters in Java: Insecure version Statement s = connection.createStatement(); ResultSet rs = s.executeQuery("SELECT email FROM member WHERE name = " + formField); // *boom* Secure version PreparedStatement ps = connection.prepareStatement( "SELECT email FROM member WHERE name = ?"); ps.setString(1, formField); ResultSet rs = ps.executeQuery(); Here, $email is the data obtained from the user's form, and it is passed as positional parameter #1 (the first question mark), and at no point do the contents of this variable have anything to do with SQL statement parsing. Quotes, semicolons, backslashes, SQL comment notation - none of this has any impact, because it's "just data". There simply is nothing to subvert, so the application is be largely immune to SQL injection attacks. There also may be some performance benefits if this prepared query is reused multiple times (it only has to be parsed once), but this is minor compared to the enormous security benefits. This is probably the single most important step one can take to secure a web application. Limit database permissions and segregate users In the case at hand, we observed just two interactions that are made not in the context of a logged-in user: "log in" and "send me password". The web application ought to use a database connection with the most limited rights possible: query-only access to the members table, and no access to any other table. The effect here is that even a "successful" SQL injection attack is going to have much more limited success. Here, we'd not have been able to do the UPDATE request that ultimately granted us access, so we'd have had to resort to other avenues. Once the web application determined that a set of valid credentials had been passed via the login form, it would then switch that session to a database connection with more rights. It should go almost without saying that sa rights should never be used for any web-based application. Use stored procedures for database access When the database server supports them, use stored procedures for performing access on the application's behalf, which can eliminate SQL entirely (assuming the stored procedures themselves are written properly). By encapsulating the rules for a certain action - query, update, delete, etc. - into a single procedure, it can be tested and documented on a standalone basis and business rules enforced (for instance, the "add new order" procedure might reject that order if the customer were over his credit limit). For simple queries this might be only a minor benefit, but as the operations become more complicated (or are used in more than one place), having a single definition for the operation means it's going to be more robust and easier to maintain. Note: it's always possible to write a stored procedure that itself constructs a query dynamically: this provides no protection against SQL Injection - it's only proper binding with prepare/execute or direct SQL statements with bound variables that provide this protection. Isolate the webserver Even having taken all these mitigation steps, it's nevertheless still possible to miss something and leave the server open to compromise. One ought to design the network infrastructure to assume that the bad guy will have full administrator access to the machine, and then attempt to limit how that can be leveraged to compromise other things. For instance, putting the machine in a DMZ with extremely limited pinholes "inside" the network means that even getting complete control of the webserver doesn't automatically grant full access to everything else. This won't stop everything, of course, but it makes it a lot harder. Configure error reporting The default error reporting for some frameworks includes developer debugging information, and this cannot be shown to outside users. Imagine how much easier a time it makes for an attacker if the full query is shown, pointing to the syntax error involved. This information is useful to developers, but it should be restricted - if possible - to just internal users.