Closed ProJakob closed 1 week ago
This is already being fixed and tested.
Maybe put this into your consideration PR @Ajneb97
The exploit was being abused by me and my friend for a few weeks now so it isn't "potential" but still nice that you're warning people.
Sending a plugin message to the channel `ecb:channel` with the UTF-String contents `ActionsSubChannel` and `console_command: op %player%` will result in the plugin running the untrusted command from the packet. This needs bungeecord to be enabled in the spigot.yml file.

Potential fix: Simply blocking any messages coming on that channel from a client connection via the proxy (Velocity, Bungeecord) would resolve this issue.
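
The proxy-side block suggested in the issue above, sketched as a BungeeCord plugin. This is an added example, not code from the issue or from the plugin's maintainers; the package and class names are hypothetical, and only the channel name `ecb:channel` comes from the report.

```java
package example.ecbguard; // hypothetical package name

import net.md_5.bungee.api.connection.ProxiedPlayer;
import net.md_5.bungee.api.event.PluginMessageEvent;
import net.md_5.bungee.api.plugin.Listener;
import net.md_5.bungee.api.plugin.Plugin;
import net.md_5.bungee.event.EventHandler;
import net.md_5.bungee.event.EventPriority;

/**
 * Drops plugin messages on the guarded channel when they originate from a
 * client connection, so only proxy/backend traffic can use that channel.
 * Package as a normal BungeeCord plugin (bungee.yml pointing at this class).
 */
public final class EcbChannelGuard extends Plugin implements Listener {

    // Channel name taken from the issue report.
    private static final String GUARDED_CHANNEL = "ecb:channel";

    @Override
    public void onEnable() {
        getProxy().getPluginManager().registerListener(this, this);
    }

    // LOWEST runs first, so the message is cancelled before other listeners see it.
    @EventHandler(priority = EventPriority.LOWEST)
    public void onPluginMessage(PluginMessageEvent event) {
        if (!GUARDED_CHANNEL.equalsIgnoreCase(event.getTag())) {
            return; // unrelated channel
        }
        // Messages from a backend server have a Server as sender; anything a
        // player's client sends has a ProxiedPlayer as sender.
        if (!(event.getSender() instanceof ProxiedPlayer)) {
            return;
        }

        event.setCancelled(true); // never forward the client's message to the backend

        ProxiedPlayer player = (ProxiedPlayer) event.getSender();
        // Log the attempt for review; the payload is untrusted, so record only its size.
        getLogger().warning(String.format(
                "Blocked client-sent plugin message on %s from %s (%s), %d bytes",
                GUARDED_CHANNEL, player.getName(), player.getUniqueId(),
                event.getData().length));
    }
}
```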