[Security] Fix the bungee channel messaging possible exploit #205
Comments
So I checked again. Only Bungee reacts to this command. In fact it was not cancelled. However, it fetches the receiver of the plugin message. It then casts it, unverified, to the Player (as if the message was sent by the server to the player) and then executes the command. So yes, the plugin does in fact start reading the malicious command from a client, but you would get a
Relevant code: Line 44 in 88587c5
I checked back if any earlier versions had this issue, but this wasn't the case. Nevertheless, good catch. I'm thinking about dropping it or at least whitelisting its functionality, because it allows arbitrary command execution if something really goes wrong.
Yep, @Malachiel87 contacted me too and I just double checked, this exploit has never been possible to put into practice.
Thank you, I'm gonna try the fix tomorrow <3
The issue seems patched. Before, it was also possible to crash the BungeeCord (a friend of mine who is a developer tested it on his server, and it was able to crash the bungee; on the latest release it is not doing anything :) ). Good job and thank you <3
I'm still interested in how this can be exploited. It's important, if there really is an issue, that the information about it is disclosed and publicly presented in detail. This is about transparency and in order to guarantee that systems will be patched promptly. Maybe message me in private, like on Discord or Spigot, for such security-relevant topics.
Friend request sent @games647 !
What behaviour is observed:
A hacker, after sending a command to bungee by using a plugin, told me that I am vulnerable to this attack by using the bungee channel message "changeskin:cmd-fw " and command forward too with channel "forwardcommand"
What behaviour is expected:
Get this fixed and usable only from the server and not by users with hacked clients
This exploit makes it possible for any user to send console commands to bungee
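The check this thread turns on, accepting the command-forwarding channel only when the sender is the backend server connection and never a client, sketched against the BungeeCord API as an added example (not ChangeSkin's own code). The class name, the single-UTF-string payload layout and the allowlist entries are assumptions.

```java
import com.google.common.io.ByteArrayDataInput;
import com.google.common.io.ByteStreams;
import java.util.Locale;
import java.util.Set;
import net.md_5.bungee.api.ProxyServer;
import net.md_5.bungee.api.connection.ProxiedPlayer;
import net.md_5.bungee.api.connection.Server;
import net.md_5.bungee.api.event.PluginMessageEvent;
import net.md_5.bungee.api.plugin.Listener;
import net.md_5.bungee.event.EventHandler;

// Hypothetical listener for illustration; not a class from the plugin.
public class ForwardCommandListener implements Listener {

    // Channel name as quoted in the issue report.
    private static final String CHANNEL = "changeskin:cmd-fw";
    // Placeholder allowlist of root commands a backend may ask the proxy to run.
    private static final Set<String> ALLOWED = Set.of("setskin", "skinupdate");

    @EventHandler
    public void onPluginMessage(PluginMessageEvent event) {
        if (!CHANNEL.equals(event.getTag())) {
            return;
        }
        // Never relay this channel onward, whichever side sent it.
        event.setCancelled(true);

        // A message typed into a modified client arrives with the player as
        // sender. Only the server -> player direction is a trusted origin,
        // so verify both ends before any cast.
        if (!(event.getSender() instanceof Server)
                || !(event.getReceiver() instanceof ProxiedPlayer)) {
            return;
        }
        ProxiedPlayer player = (ProxiedPlayer) event.getReceiver();

        String commandLine;
        try {
            // Assumed payload layout: one UTF string holding the command line.
            ByteArrayDataInput in = ByteStreams.newDataInput(event.getData());
            commandLine = in.readUTF().trim();
        } catch (IllegalStateException malformed) {
            return; // truncated or malformed payload: drop it
        }
        String root = commandLine.split("\\s+", 2)[0].toLowerCase(Locale.ROOT);
        if (ALLOWED.contains(root)) {
            // Runs with the player's own permissions, not as console.
            ProxyServer.getInstance().getPluginManager().dispatchCommand(player, commandLine);
        }
    }
}
```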