RevCMS/PlusEMU Extra Security

[Meap]

All Credits for this go to @Damien
I have gotten permission from him to post this

For a better more secure Authenticate you can leave the contents in "SSOTicketEvent.cs" as they are (the check for the empty string wont be needed, but you can keep it if you choose to).

In UserDataFactory.cs look for the function:

public static UserData GetUserData(string SessionTicket, out byte errorCode)

Change the first query:

dbClient.SetQuery("SELECT `id`,`username`,`rank`,`motto`,`look`,`gender`,`last_online`,`credits`,`activity_points`,`home_room`,`block_newfriends`,`hide_online`,`hide_inroom`,`vip`,`account_created`,`vip_points`,`machine_id`,`volume`,`chat_preference`,`focus_preference`, `pets_muted`,`bots_muted`,`advertising_report_blocked`,`last_change`,`gotw_points`,`ignore_invites`,`time_muted`,`allow_gifts`,`friend_bar_state`,`disable_forced_effects`,`allow_mimic`,`rank_vip` FROM `users` WHERE `auth_ticket` = @sso LIMIT 1");

To This

dbClient.SetQuery(
    "SELECT users.id,users.username,users.rank,users.motto,users.look,users.gender,users.last_online,users.credits,users.activity_points,users.home_room,users.block_newfriends,users.hide_online,users.hide_inroom,users.vip,users.account_created,users.vip_points,users.machine_id,users.volume,users.chat_preference,users.focus_preference,users.pets_muted,users.bots_muted,users.advertising_report_blocked,users.last_change,users.gotw_points,users.ignore_invites,users.time_muted,users.allow_gifts,users.friend_bar_state,users.disable_forced_effects,users.allow_mimic,users.rank_vip " +
    "FROM users " +
    "JOIN user_auth_ticket " +
    "ON users.id = user_auth_ticket.user_id " +
    "WHERE user_auth_ticket.auth_ticket = @sso " +
    "LIMIT 1"
);

Then further down look for:

dbClient.RunQuery("UPDATE `users` SET `online` = '1', `auth_ticket` = '' WHERE `id` = '" + UserId + "' LIMIT 1");

and change it to:

dbClient.RunQuery("UPDATE `users` SET `online` = '1' WHERE `id` = '" + UserId + "' LIMIT 1");
dbClient.RunQuery("DELETE FROM `user_auth_ticket` WHERE `user_id` = '" + UserId + "' LIMIT 1");

Inside PlusEnviroment.cs look for this function:

public static void PerformShutDown()

Change

dbClient.RunQuery("UPDATE `users` SET online = '0', `auth_ticket` = NULL");

To this:

dbClient.RunQuery("TRUNCATE `user_auth_ticket`");
dbClient.RunQuery("UPDATE `users` SET online = '0'");

Finally run this database query

-- ----------------------------
-- Table structure for `user_auth_ticket`
-- ----------------------------
DROP TABLE IF EXISTS `user_auth_ticket`;
CREATE TABLE `user_auth_ticket` (
  `user_id` int(11) NOT NULL,
  `auth_ticket` varchar(60) NOT NULL,
  PRIMARY KEY (`user_id`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;

Now for the RevCMS Part
go to class.users.php and search for the Create SSO auth_ticket section and replace it all with this

final public function createSSO($k)
{  
  global $engine;
  $sessionKey = 'RevCMS-' . rand(9, 9999999).'/'.substr(sha1(time()).'/'.rand(9,9999999).'/'.rand(9,9999999).'/'.rand(9,9999999),0,33);
 
  if($engine->num_rows("SELECT * FROM user_auth_ticket WHERE user_id = '" . $k . "' LIMIT 1") > 0) {
   $engine->query("UPDATE user_auth_ticket SET auth_ticket = '" . $sessionKey . "' WHERE user_id = '" . $k . "'");
  } else {
   $engine->query("INSERT INTO user_auth_ticket (user_id, auth_ticket) VALUES ('" . $k . "', '" . $sessionKey ."')");
  }
  return $sessionKey;
  unset($sessionKey);
}

Then go to your class.core.php and look for the case "client";
and replace it with this

$users->updateUser($_SESSION['user']['id'], 'ip_last', $_SERVER['REMOTE_ADDR']);
$template->setParams('sso', $users->createSSO($_SESSION['user']['id']));

This way you'll only be creating a session ticket when the user connects to the hotel and removing it straight after (not setting the ticket to null or empty), thus making it impossible to "randomly" sign in onto other users accounts, unless you manually set the ticket ofc

All you need to do is change how your SSO tickets get created to insert them into that table and you're good to go.

Hopefully this helped.

 

[Brad]

Thread has been closed as there is already a correct fix for this.
credits to Sledmore for the fix.
"

So, for the SSO issue.

It's nothing big, but a silly mistake. There is no check for null SSO's, which doesn't sound dangerous but the first couple accounts are usually staff accounts.

If a user tries to login w/ no SSO they'll get one of the first accounts, had someone try it on Habboon today, figured out the issue yesterday, just didn't get round to rebooting until I got home.

To fix it's as simple as:

Go to SSOTicketEvent.cs

Replace it all with:
PHP:
public class SSOTicketEvent : IPacketEvent
{
public void Parse(GameClient Session, ClientPacket Packet)
{
if (Session == null || Session.RC4Client == null || Session.GetHabbo() != null)
return;

string SSO = Packet.PopString();
if (string.IsNullOrEmpty(SSO) || SSO.Length < 15)
return;

Session.TryAuthenticate(SSO);
}
}
The length is up to you, I just always have more than 15 length.

 

[Sledmore]

Thread re-opened as each to their own, there is always more than one way to achieve success.

I've seen this requested before anyone (including myself) was aware of the no empty auth ticket check, just purely based on their preference & database structure preference.

Re-opened for those with questions or who required help. Argumentative replies will be dealt with a lengthy infraction.

 

[Damien]

If anyone plans on using this and needs help with the creation of their SSO (on the CMS). Just send me a PM and I'll help you sort it out.

 

[stawdevs]

Damien i need for HabboCMS its a french CMS do you got facebook or skype ?

 

[TheJill]

I need for HarticoCMS
 
The link of my cms if someone can do it , Thanks peoples :

You must be registered for see links

 

[Filipias]

For me it does not create a sso ticket, it just deletes it so you can login once

 

[MayoMayn]

$_SERVER['REMOTE_ADDR'] doesnt work for servers setup with CloudFlare as it uses the local machines IP instead of the users. Dunno why people bother using CF anyway.

Sent from my SM-G928F using Tapatalk

 

[EmMeX]

$_SERVER['REMOTE_ADDR'] doesnt work for servers setup with CloudFlare as it uses the local machines IP instead of the users. Dunno why people bother using CF anyway.

Sent from my SM-G928F using Tapatalk

Use this instead:

$users->updateUser($_SESSION['user']['id'], 'ip_last', $_SERVER['HTTP_CF_CONNECTING_IP']);

 

[MayoMayn]

Use this instead:

$users->updateUser($_SESSION['user']['id'], 'ip_last', $_SERVER['HTTP_CF_CONNECTING_IP']);

I dont use CF so couldn't care less, I'm just making a statement.

Sent from my SM-G928F using Tapatalk