LOOHP / ImageFrame

Put images on maps and walls!
https://www.spigotmc.org/resources/106031/
GNU General Public License v3.0

/imageframe delete user:map allows any user to delete any map. #54

Closed IngeniousCoder closed 6 months ago

IngeniousCoder commented 6 months ago

[Fri 00:34:23 INFO Server/PlayerConnection] XtremeCoder issued server command: /imageframe delete Hightech_TR:test

The command still went through and I was able to delete another user's map despite not owning the map nor having OP / admin permission.

  [Fri 00:35:36 INFO ] [LP] Permission information for imageframe.delete:
  [Fri 00:35:36 INFO ] [LP] - xtremecoder does not have imageframe.delete set.
  [Fri 00:35:36 INFO ] [LP] - xtremecoder does not inherit imageframe.delete.
  [Fri 00:35:36 INFO ] [LP] 
  [Fri 00:35:36 INFO ] [LP] Permission check for imageframe.delete:
  [Fri 00:35:36 INFO ] [LP]     Result: true
  [Fri 00:35:36 INFO ] [LP]     Processor: bukkit.DefaultPermissionMapProcessor
  [Fri 00:35:36 INFO ] [LP]     Cause: None
  [Fri 00:35:36 INFO ] [LP]     Context: (dimension-type=overworld) (discordsrv:boosting=false) (discordsrv:linked=true) (discordsrv:role=tourist) (discordsrv:role_id=1231253048534241321) (discordsrv:server_id=1198258905420136478) (essentials:afk=false) (essentials:jailed=false) (essentials:muted=false) (essentials:vanished=false) (gamemode=creative) (world=world)
  [Fri 00:35:54 INFO ] [LP] Permission information for imageframe.admindelete:
  [Fri 00:35:54 INFO ] [LP] - xtremecoder does not have imageframe.admindelete set.
  [Fri 00:35:54 INFO ] [LP] - xtremecoder does not inherit imageframe.admindelete.
  [Fri 00:35:54 INFO ] [LP] 
  [Fri 00:35:54 INFO ] [LP] Permission check for imageframe.admindelete:
  [Fri 00:35:54 INFO ] [LP]     Result: false
  [Fri 00:35:54 INFO ] [LP]     Processor: bukkit.PermissionMapProcessor
  [Fri 00:35:54 INFO ] [LP]     Cause: None
  [Fri 00:35:54 INFO ] [LP]     Context: (dimension-type=overworld) (discordsrv:boosting=false) (discordsrv:linked=true) (discordsrv:role=tourist) (discordsrv:role_id=1231253048534241321) (discordsrv:server_id=1198258905420136478) (essentials:afk=false) (essentials:jailed=false) (essentials:muted=false) (essentials:vanished=false) (gamemode=creative) (world=world)

Please rectify; this is a security issue.

Reporting through here as there is no SECURITY.MD configured.

LOOHP commented 6 months ago

Did you have the imageframe.adminbypass permission or were you given permission to the image map by the owner? imageframe.admindelete controls permission for the /imageframe admindelete command and should be unrelated to the /imageframe delete command.

IngeniousCoder commented 6 months ago

No, I do not have the permission given nor was I granted the permission by the map owner.

My server was attacked by an unknown individual as well, who did not have any permissions nor could have had permissions given to him.

I have subsequently reproduced the issue myself and the logs attached are of me reproducing it myself.

LOOHP commented 6 months ago

Do you mind giving build #88 a try and see if it is fixed?

IngeniousCoder commented 6 months ago

Apologies I'm quite busy right now, I will provide a written update once possible.

I notice the permission default you changed. Could be that. Didn't think that permission would be a default True.

IngeniousCoder commented 6 months ago

Tested, validated working on my production server. Thanks!
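The thread turns on two separate controls: the Bukkit default for the imageframe.delete node (the LuckPerms output shows the node unset for the player yet resolved to true by bukkit.DefaultPermissionMapProcessor, and the later comment mentions a changed permission default), and the ownership / explicit-grant / adminbypass rule the maintainer describes. The following is an added example, not ImageFrame's own code: a hypothetical authorizer for /imageframe delete owner:name written against the Bukkit API, with the permission node names taken from the issue and everything else (the record type, the in-memory store, the handler wiring) assumed. It shows the plugin.yml default that lets every player pass hasPermission(), and a check that refuses the deletion anyway unless the caller owns the map, was granted it, or holds the bypass node.

```java
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.UUID;

import org.bukkit.command.CommandSender;
import org.bukkit.entity.Player;

/*
 * Hypothetical authorization for "/imageframe delete <owner>:<name>" (not ImageFrame's code).
 *
 * The plugin.yml defaults this check is designed to tolerate, in Bukkit's syntax:
 *
 *   permissions:
 *     imageframe.delete:
 *       default: true     # weak: unset for a player still resolves to true via
 *                         # the default permission map, exactly as the LP output shows
 *     imageframe.adminbypass:
 *       default: op       # only operators may act on maps they do not own
 *
 * A safer default for imageframe.delete would be "op" or "false", but the point of the
 * authorizer below is that the delete must be refused for other users' maps even when the
 * node resolves to true, so a permissive default alone cannot expose other owners' maps.
 */
public final class MapDeleteAuthorizer {

    /** Minimal stand-in for a stored image map: owner plus users the owner granted access to. */
    public static final class ImageMapRecord {
        final UUID owner;
        final String name;
        final Set<UUID> grantedUsers = new HashSet<>();

        ImageMapRecord(UUID owner, String name) {
            this.owner = owner;
            this.name = name;
        }
    }

    public enum Decision { ALLOW, DENY_NO_PERMISSION, DENY_NOT_OWNER, DENY_NOT_FOUND, DENY_BAD_TARGET }

    // Assumed storage: player name -> UUID, and "ownerUuid:mapName" -> record.
    private final Map<String, UUID> playerIds = new HashMap<>();
    private final Map<String, ImageMapRecord> store = new HashMap<>();

    public void register(String ownerName, UUID ownerId, String mapName) {
        playerIds.put(ownerName.toLowerCase(), ownerId);
        store.put(ownerId + ":" + mapName, new ImageMapRecord(ownerId, mapName));
    }

    /** Core rule: bypass node, else the generic node plus ownership or an explicit grant. */
    public Decision authorize(Player actor, ImageMapRecord map) {
        if (actor.hasPermission("imageframe.adminbypass")) {
            return Decision.ALLOW;
        }
        if (!actor.hasPermission("imageframe.delete")) {
            return Decision.DENY_NO_PERMISSION;
        }
        UUID id = actor.getUniqueId();
        boolean ownsOrGranted = map.owner.equals(id) || map.grantedUsers.contains(id);
        return ownsOrGranted ? Decision.ALLOW : Decision.DENY_NOT_OWNER;
    }

    /** Command entry point: parses "owner:name", resolves the record, then applies the rule. */
    public Decision onDelete(CommandSender sender, String target) {
        int colon = target.indexOf(':');
        if (colon <= 0 || colon == target.length() - 1) {
            return Decision.DENY_BAD_TARGET;
        }
        UUID ownerId = playerIds.get(target.substring(0, colon).toLowerCase());
        ImageMapRecord map = ownerId == null ? null : store.get(ownerId + ":" + target.substring(colon + 1));
        if (map == null) {
            // Same answer for unknown owner and unknown map, so the command does not
            // reveal which usernames own maps.
            return Decision.DENY_NOT_FOUND;
        }
        if (!(sender instanceof Player)) {
            // Console and command blocks are treated as administrators here (assumption).
            store.remove(ownerId + ":" + map.name);
            return Decision.ALLOW;
        }
        Decision d = authorize((Player) sender, map);
        if (d == Decision.ALLOW) {
            store.remove(ownerId + ":" + map.name);
        } else {
            sender.sendMessage("You are not allowed to delete " + target + " (" + d + ")");
        }
        return d;
    }
}
```

The ordering in authorize matters for auditing: a player who passes only because imageframe.delete defaults to true still lands in DENY_NOT_OWNER for anyone else's map, which is the case the reporter hit, and the returned Decision is what a server would log alongside the "issued server command" line.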