
Potential duplication exploit


We've found a race-condition exploit involving the cart which could allow duplication of items.

The rAthena team has released an update that fixes the exploit. rAthena users are advised to update as soon as possible.

Commit link: https://github.com/rathena/rathena/commit/7f772c32d3be201861946bb64720c231828465ac

  • Upvote 3

Link to post

I do not know how to react to this topic. From one side: "thank you very much for your work and the commit", from the other side: "hey, did you not just point out the lines which are bugged, for hackers to exploit this bug with a 3rd-party toolkit, knowing exactly where the bug is?". Mixed feelings.

Link to post

There is no point in keeping such things secret. Never rely on security by obscurity.

Update your server and you are fine.

  • Upvote 3

Link to post
Posted (edited)
32 minutes ago, Normynator said:

There is no point in keeping such things secret. Never rely on security by obscurity.

Update your server and you are fine.

I hope you're right. Because I remember when leaking critical problems to the eathena announces category (on the forum) gave only negative effects, and critical exploits popularized by ea stuff were used very frequently on almost all servers for months without any problems by simple players, while administrators did not upgrade their emulators or did not even know about these exploits, for dozens of reasons (customizations which make the latest svn revision incompatible with their own changes (too much work to make it compatible (exactly like it is now))). Hope nobody will be affected by this bug. 🤦‍♀️

Edited by anacondaq

Link to post
5 minutes ago, anacondaq said:

I hope you're right. Because I remember when leaking critical problems to the eathena announces gave only negative effects, and critical exploits popularized by ea stuff were used very frequently on almost all servers for months without any problems, while administrators did not upgrade their emulators or did not even know about these exploits, for dozens of reasons (customizations which make the latest svn revision incompatible with their own changes (too much work to make it compatible (exactly like it is now))). Hope nobody will be affected by this bug. 😅

I would agree that it would be good to leave it secret, but as for me, I am always here, checking everything.

Most of the server owners won't really know about it, and they will have the bug for a long time without knowing about it at all; it would be too late to fix it on their servers.

So I see the point of the announcement, even if it's not good for me personally until I fix it on the servers that I work for.

It's still good for the overall community.

  • Upvote 1

Link to post
Posted (edited)

@sader1992 Yeah, I understand this. That's why I have such mixed feelings. Especially when I did a report about many dupes in the past and almost all of them were secretly fixed without any noise. 😀

Edited by anacondaq

Link to post
This topic is now closed to further replies.