Commoble / hyperbox

A Minecraft Forge mod that adds a box that's smaller on the outside than it is on the inside
MIT License

Hyperbox unchecked folder path vulnerability #21

Closed YukiSoha closed 6 months ago

YukiSoha commented 6 months ago

It's possible to create folders outside the hyperbox world directory by using "../" or absolute path operators. This makes it possible for any player with access to a hyperbox to create a folder on the host system in any arbitrary location. Additionally, it's possible to overwrite other dimensions using their name. World folders should never be created using user input; instead I recommend creating a numeric id/UUID/random string and storing that inside the hyperbox NBT data so that it can locate the world folder.


Commoble commented 6 months ago

I used to use random strings but I changed it to match the name of the hyperbox at the request of server ops, to make it easier to identify which hyperbox dimension folder is which.

But yeah, it should be stricter and not allow . in the ids. Can probably make it generate a legit-but-readable id from the display name instead of letting the user pick both the id and the name. Should be able to push fixes out later tonight.

YukiSoha commented 6 months ago

Best thing is to just whitelist A-Z/a-z/0-9 and replace all other characters with _ or something in that case.
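The two defences discussed in this thread, a character whitelist on the id and a check that the resolved folder stays under the dimension root, as an added illustration. This is not hyperbox's own code; the class and method names, the `world/dimensions/hyperbox` root and the sample display names are constructed for the example.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.regex.Pattern;

// Added example, not code from the hyperbox mod: turn a player-supplied
// display name into a folder id that cannot contain path separators or
// "..", then independently verify that the resolved path is inside the
// root directory the mod owns.
public final class SafeDimensionFolder {
    // Anything outside A-Z, a-z, 0-9 is replaced with '_' (the whitelist
    // suggested in the thread).
    private static final Pattern UNSAFE = Pattern.compile("[^A-Za-z0-9]");
    private static final int MAX_LEN = 64; // assumed cap on folder-name length

    /** Whitelist-sanitise a display name into a readable folder id. */
    public static String sanitizeId(String displayName) {
        String id = UNSAFE.matcher(displayName).replaceAll("_");
        if (id.length() > MAX_LEN) {
            id = id.substring(0, MAX_LEN);
        }
        // A name made only of rejected characters would collapse to "____";
        // refuse it rather than silently produce an unreadable id.
        if (id.isEmpty() || id.chars().allMatch(c -> c == '_')) {
            throw new IllegalArgumentException("display name yields no usable id");
        }
        return id;
    }

    /**
     * Resolve root/id and confirm containment. Path.startsWith compares whole
     * path components, so "hyperbox_evil" is not treated as inside "hyperbox".
     * This is a second, independent check in case the id ever reaches here
     * without passing through sanitizeId.
     */
    public static Path resolveInside(Path root, String id) {
        Path base = root.toAbsolutePath().normalize();
        Path target = base.resolve(id).normalize();
        if (!target.startsWith(base) || target.equals(base)) {
            throw new SecurityException("folder id escapes dimension root: " + id);
        }
        return target;
    }

    public static void main(String[] args) {
        // Hypothetical root that only the mod writes into; keeping hyperbox
        // folders under their own subdirectory also avoids colliding with
        // other dimensions' folders.
        Path root = Paths.get("world", "dimensions", "hyperbox");

        // Constructed sample display names, including traversal attempts.
        String[] names = { "my box", "../../etc", "/tmp/evil", "minecraft:overworld" };
        for (String name : names) {
            String id = sanitizeId(name);
            System.out.println("'" + name + "' -> " + id + " -> " + resolveInside(root, id));
        }

        // Show that the containment check alone also rejects a raw, unsanitised id.
        try {
            resolveInside(root, "../../etc");
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Run with `javac SafeDimensionFolder.java && java SafeDimensionFolder`. The sanitiser keeps the folder name recognisable to server ops (`my box` becomes `my_box`) while removing every character that could act as a separator or parent reference; the containment check costs almost nothing and catches any future code path that builds the folder name some other way.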

Commoble commented 6 months ago

Fixed in 1.20.4-5.0.1.0. Also backported fix to 1.20.1-4.0.2.0.