bartico6
commented
3 years ago Regarding this commit: doesn't adding the security advisory link somewhat defeat the purpose of having the plugin names hidden from public view?
Closed hakusaro closed 3 years ago
bartico6
commented
3 years ago Regarding this commit: doesn't adding the security advisory link somewhat defeat the purpose of having the plugin names hidden from public view?
hakusaro
commented
3 years ago @bartico6 the security advisory links are a time delay thing. They’re not going to be public until after the server binary is updated. There are also other reasons for this, but I don’t want to put all of those reasons in the public record. It’s not a hard requirement — it’s one layer.
During plugin review, it was discovered that AutoRegister <= 1.2.0 contains code that automatically creates user accounts with predictable passwords. The passwords are using low entropy material (the IP address of the currently connecting client, the name of the current player, and the UUID) and as a result can be easily obtained and forged. On public servers who use AutoRegister, passwords for the saved accounts are stored in plaintext in the database, because the character name, recent IP, and UUID are all stored in the database.
Because this plugin generates passwords which defeat the security of TShock, and which cannot be disabled simply by turning UUID login off, all passwords generated on public servers using this plugin must be changed.
This change to TSAPI prevents the server from booting if the vulnerable plugin is present, in order to stop server admins from unwittingly running a knowingly dangerous plugin.