Security vulnerability


Zonni

  • Premium

Please move this post into the right pinned topic.

Name: I don't know how to name it. Sub-server maybe?

Release date: I discovered this in 2010.

Affects: all game revisions

Symptoms: It won't show. You can discover this only by reading the config and looking for an unknown IP.

Causes: Someone can connect to your db cache server. They can log in to everyone's account without knowing the password (the attacker must know the id from account->account->id). The attacker uses the login & password from his own server, but he's logging in to the victim's account. The attacker can do whatever he/she wants (log in to a GM account too).

Fix: Reject all connections to your DB port. Every connection except localhost (if you don't have other servers which must connect to this port).

Actually, it is harder to make this work because of the mess with packets, but it's still possible if someone doesn't take the db port off the public.


  • Premium

@Endymion, you're right, because the attacker uses the account_id from his server, and if it doesn't match the attacked server, it creates a new char on the attacked server but using the account_id from the attacker's server.

This is madness; nobody wants to have a similar situation on their server, so protect your DB port via IPFW (if you're using more than one dedicated server) or Endymion's method (if you have only one dedicated server).

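The fix from the posts above (reject every connection to the DB port except localhost and your own other servers, via IPFW), as an added example that is not part of the original thread. The port 15000, the rule numbers and the 192.0.2.x peer addresses are placeholders, and the function only prints the rules so they can be reviewed before being applied.

```shell
#!/bin/sh
# Added example: print ipfw rules that close the db cache port to the public.
# Port, rule numbers and peers are placeholders; use the values from your config.

# is_ipv4 ADDR -> succeeds only for a dotted-quad address with octets <= 255
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $1            # split the validated address into its four octets
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# db_port_rules PORT FIRST_RULE_NUMBER [PEER_IP ...]
# Allows loopback, then each listed peer server, then denies everyone else.
db_port_rules() {
    port=$1; num=$2; shift 2
    for v in "$port" "$num"; do
        case "$v" in
            ''|*[!0-9]*) echo "not a number: $v" >&2; return 1 ;;
        esac
    done
    { [ "$port" -ge 1 ] && [ "$port" -le 65535 ]; } || {
        echo "port out of range: $port" >&2; return 1; }
    # Validate every peer first so a partial rule set is never printed.
    for peer in "$@"; do
        is_ipv4 "$peer" || { echo "bad peer address: $peer" >&2; return 1; }
    done
    # Local game processes reach the db cache over the loopback interface.
    echo "ipfw -q add $num allow tcp from any to any dst-port $port via lo0"
    # Other dedicated servers of the same cluster (omit if you have only one).
    for peer in "$@"; do
        num=$((num + 10))
        echo "ipfw -q add $num allow tcp from $peer to me dst-port $port"
    done
    # Everything else, including an attacker's own server, is refused.
    echo "ipfw -q add $((num + 10)) deny tcp from any to me dst-port $port"
}

# Usage (review the output before applying it as root):
#   db_port_rules 15000 1000 192.0.2.10 192.0.2.11
```

The rule numbers must sort before any broader allow rule already in your ruleset, since ipfw stops at the first match.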
