release Fix SQL Injection Vulnerabilities in Messenger & Guild Module

[Black_Rose©]

Today, multiple servers within the Metin2 community were targeted by attacks leveraging a zero-day exploit found in the game’s source code. Below is a guide to help you patch SQL injection vulnerabilities in both the Messenger and Guild systems.

Steps to Secure Your Code

Step 1: Update MessengerManager

Open the messenger_manager.cpp file and locate the MessengerManager::RemoveFromList function.

Replace it with the following implementation:

This is the hidden content, please

• Sign In
• or
• Sign Up

Step 2: Modify Guild Creation Logic

Next, navigate to the guild_manager.cpp file and find the CGuildManager::CreateGuild function.

Search for the lines that include:

This is the hidden content, please

• Sign In
• or
• Sign Up

or

This is the hidden content, please

• Sign In
• or
• Sign Up

Above this line, insert the following code to handle escaping the guild name properly:

This is the hidden content, please

• Sign In
• or
• Sign Up

Step 3: Update SQL Queries

Additionally, replace:

This is the hidden content, please

• Sign In
• or
• Sign Up

with:

This is the hidden content, please

• Sign In
• or
• Sign Up

Doing this enhances security by ensuring that user input is properly sanitized before being used in SQL queries.

Code Modernization

Make sure to transition from using std::auto_ptr to std::unique_ptr if you're targeting C++11 standards or higher, as auto_ptr is deprecated.

Conclusion

Implementing these changes will significantly increase the security of your Messenger and Guild systems against SQL injection attacks. Protecting your server from such vulnerabilities is crucial for maintaining a secure gaming environment.