
Potential duplication exploit




  • Group:  Developer

We've found a race-condition exploit involving the cart which could allow duplication of items.

The rAthena team has released an update that fixes the exploit. rAthena users are advised to update as soon as possible.

Commit link: https://github.com/rathena/rathena/commit/7f772c32d3be201861946bb64720c231828465ac

  • Upvote 3


  • Group:  Members

I do not know how to react to this topic. On one side: "thank you very much for your work and the commit"; on the other side: "hey, didn't you just point hackers to the lines which are bugged, so they can exploit this bug with a 3rd-party toolkit, knowing exactly where the bug is?". Mixed feelings.



  • Group:  Developer

There is no point in keeping such things secret. Never rely on security by obscurity.

Update your server and you are fine.

  • Upvote 3


  • Group:  Members

32 minutes ago, Normynator said:

There is no point in keeping such things secret. Never rely on security by obscurity.

Update your server and you are fine.

I hope you're right. Because I remember when leaking critical problems to the eAthena announcements category (on the forum) had only negative effects: critical exploits were popularized by ea stuff and used very frequently on almost all servers for months without any problems by ordinary players, while administrators did not upgrade their emulators or simply did not even know about these exploits, for dozens of reasons (customizations which make the latest SVN revision incompatible with their own changes (too much work to make it compatible (exactly like it is now))). Hope nobody will be affected by this bug.

Edited by anacondaq


  • Group:  Content Moderator

5 minutes ago, anacondaq said:

I hope you're right. Because I remember when leaking critical problems to the eAthena announcements had only negative effects: critical exploits were popularized by ea stuff and used very frequently on almost all servers for months without any problems, while administrators did not upgrade their emulators or simply did not even know about these exploits, for dozens of reasons (customizations which make the latest SVN revision incompatible with their own changes (too much work to make it compatible (exactly like it is now))). Hope nobody will be affected by this bug.

I would agree that it would be good to keep it secret, but as for me, I am always here, checking everything.

Most of the server owners won't really know about it, and they will have the bug for a long time without knowing about it at all; it would be too late to fix it on their server.

So I see the point of the announcement, even if it's not good for me personally until I fix it on the servers that I work for.

It's still good for the overall community.

  • Upvote 1


  • Group:  Members

@sader1992 yeah, I understand this. That's why I have such mixed feelings. Especially since I reported many dupes in the past and almost all of them were secretly fixed without any noise.

Edited by anacondaq
