DecentSoftware-eu / DecentHolograms

A lightweight but powerful hologram plugin with many features and configuration options.
https://www.spigotmc.org/resources/96927/
GNU General Public License v3.0

dssa #180

Closed PvPWorldPL closed 10 months ago

PvPWorldPL commented 11 months ago

Confirmation

Type

Plugin Bug

What happens?

I have identified a potential Local File Inclusion (LFI) exploit in the [DecentHolograms] plugin, which is vulnerable to this exploit. Below are the details of the exploit along with the steps to reproduce:

Expected Behaviour

I expected DecentHolograms to securely handle holographic text creation without exposing vulnerabilities to Local File Inclusion. Specifically, I expected that the plugin would properly validate and sanitize input, preventing unauthorized access to files outside the plugin's directory.

How to Reproduce

  1. Install DecentHolograms version [version] (any version under 2.2.7) on a Spigot server.
  2. Execute the following commands in-game:
    /dhologram create a
    /dhologram readtext ../../LuckPerms/config.yml

    Replace ../../LuckPerms/config.yml with the path to any file you want to read.

Additional Info

This exploit allows an attacker to perform Local File Inclusion, potentially accessing sensitive server files. It is crucial to update DecentHolograms to the latest version (2.2.7 or higher) to mitigate this vulnerability. Additionally, I recommend reviewing and securing the plugin's code to prevent similar issues in the future.
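As an added defender-side illustration (not code from DecentHolograms, and not the fix the project actually shipped, which this issue does not show): a containment check of the kind a `readtext`-style command needs, rejecting any argument that resolves outside the plugin's data folder. The class name, method names and the temporary base directory are assumptions made for the example.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.List;

/** Illustrative containment check for a user-supplied file name (not the plugin's own code). */
public final class SafeTextReader {
    // Assumed base directory: the plugin's data folder. A Spigot plugin would
    // obtain it from JavaPlugin#getDataFolder().toPath().
    private final Path baseDir;

    public SafeTextReader(Path baseDir) throws IOException {
        // Canonicalise once so every later comparison uses the same form.
        this.baseDir = baseDir.toRealPath();
    }

    /** Resolves userInput under the base directory, or throws if it would escape it. */
    public Path resolveInside(String userInput) throws IOException {
        // resolve() discards baseDir if userInput is absolute; normalize() folds "..".
        Path candidate = baseDir.resolve(userInput).normalize();
        // startsWith compares whole path components, so a sibling folder whose
        // name merely begins with the base name ("DecentHologramsX") is rejected.
        if (candidate.equals(baseDir) || !candidate.startsWith(baseDir)) {
            throw new IOException("path escapes plugin folder: " + userInput);
        }
        // Second check after following symlinks: a link inside the folder may
        // still point outside it. toRealPath() fails if the file does not exist.
        Path real = candidate.toRealPath();
        if (!real.startsWith(baseDir)) {
            throw new IOException("symlink escapes plugin folder: " + userInput);
        }
        return real;
    }

    public List<String> readLines(String userInput) throws IOException {
        return Files.readAllLines(resolveInside(userInput));
    }

    // Self-contained demo: a temporary folder stands in for plugins/DecentHolograms.
    public static void main(String[] args) throws IOException {
        Path folder = Files.createTempDirectory("DecentHolograms");
        Files.write(folder.resolve("text.txt"), List.of("line one", "line two"));
        SafeTextReader reader = new SafeTextReader(folder);
        for (String input : List.of("text.txt", "../../LuckPerms/config.yml")) {
            try {
                System.out.println(input + " -> " + reader.readLines(input));
            } catch (IOException e) {
                System.out.println(input + " -> rejected (" + e.getMessage() + ")");
            }
        }
    }
}
```

The first input is served from inside the folder; the traversal argument from the report is rejected before any file is opened.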

Andre601 commented 11 months ago

You report an issue for a version that is over a year old by this point.

Please only report issues and exploits that are actually relevant to the latest release - currently 2.8.6 - to not clog up the issue tracker with redundant posts.