Overwrite987 / UltimateServerProtector

Incredibly lightweight plugin that adds an "admin-password" to your server.
GNU Affero General Public License v3.0

Server selector bypass #14

Closed TANJIL87 closed 11 months ago

TANJIL87 commented 11 months ago

I installed this in my lobby, but the problem is that the password security can easily be bypassed using the server selector. Solution: Inventory will be empty; you can't use any hub items until you log in with the password. As well, you can't execute bungee commands such as /server.

Overwrite987 commented 11 months ago

> I installed this in my lobby, but the problem is that the password security can easily be bypassed using the server selector. Solution: Inventory will be empty; you can't use any hub items until you log in with the password. As well, you can't execute bungee commands such as /server.

The easiest solution is to stop using plugins that can do whatever they want or force the player to do everything they can like they have no password. I can't make a plugin that would prohibit another plugin from performing its actions when clicking on an item. It's just not possible. Also, I just CAN'T prohibit the use of proxy server commands on the backend server, because this is literally how it works.

Of course, I will try to make the inventory opened by the player immediately close, but this will absolutely not solve the problem of circumvention, due to the fact that the moment the inventory is open, the player will be able to have time to click on the item.

The best solution I can give you for now is not to use your existing plugin to choose a server. Make a menu on any custom GUI plugin and make an item that will execute the command by which the player will be able to open this menu. Thus, the plugin will block the input of this command and until the player enters the password, he will not be able to do anything.

Overwrite987 commented 11 months ago

OK, maybe I wasn't right when I said that I cannot make other plugins not do stuff. At least I was able to achieve the desired result in the case of ServerSelectorX.

Overwrite987 commented 11 months ago

You can try using the dev build from https://github.com/Overwrite987/UltimateServerProtector/actions/runs/6725277789. But don't forget to update your config.

Overwrite987 commented 11 months ago

Looks like it's fixed.
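
An added example, not taken from this thread or from the project's source: one way a Bukkit/Spigot plugin can deny hub-item and menu clicks for players who have not yet entered the password, which is the situation discussed above. The class name and the `pending` bookkeeping are hypothetical, and the approach only stops other plugins whose handlers respect the cancelled state.

```java
import java.util.Set;
import java.util.UUID;
import java.util.concurrent.ConcurrentHashMap;

import org.bukkit.event.EventHandler;
import org.bukkit.event.EventPriority;
import org.bukkit.event.Listener;
import org.bukkit.event.inventory.InventoryClickEvent;
import org.bukkit.event.inventory.InventoryOpenEvent;
import org.bukkit.event.player.PlayerInteractEvent;
import org.bukkit.event.player.PlayerQuitEvent;

// Hypothetical listener; register it from the plugin's onEnable() with
// getServer().getPluginManager().registerEvents(guard, plugin).
public final class PendingPasswordGuard implements Listener {

    // Players who still owe the admin password (hypothetical bookkeeping).
    private final Set<UUID> pending = ConcurrentHashMap.newKeySet();

    public void requirePassword(UUID id) { pending.add(id); }
    public void markAuthenticated(UUID id) { pending.remove(id); }

    // LOWEST handlers run first, so the event is already cancelled when
    // other plugins see it. Handlers declared with ignoreCancelled = true
    // are skipped by the server; a plugin that acts without checking the
    // cancelled state still runs, which is the limit described above.
    @EventHandler(priority = EventPriority.LOWEST)
    public void onItemUse(PlayerInteractEvent e) {
        if (pending.contains(e.getPlayer().getUniqueId())) e.setCancelled(true);
    }

    // Cancelling the open event keeps a selector menu from being shown,
    // instead of closing it after the player may already have clicked.
    @EventHandler(priority = EventPriority.LOWEST)
    public void onMenuOpen(InventoryOpenEvent e) {
        if (pending.contains(e.getPlayer().getUniqueId())) e.setCancelled(true);
    }

    @EventHandler(priority = EventPriority.LOWEST)
    public void onMenuClick(InventoryClickEvent e) {
        if (pending.contains(e.getWhoClicked().getUniqueId())) e.setCancelled(true);
    }

    // Drop state on disconnect so a stale entry cannot outlive the session.
    @EventHandler
    public void onQuit(PlayerQuitEvent e) {
        pending.remove(e.getPlayer().getUniqueId());
    }
}
```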