WooMinecraft / woominecraft-wp

A FREE Minecraft Donation Plugin for WordPress designed to work in conjunction with WooMinecraft for Bukkit/Spigot & WooCommerce to allow the purchasing of virtual items in MineCraft and have them delivered to the servers.
https://wordpress.org/plugins/woominecraft/
GNU General Public License v2.0

Fixed security vulnerability #15

Closed FinlayDaG33k closed 8 years ago

FinlayDaG33k commented 8 years ago

Fixed a security vulnerability where the server key would show up in ?woo_minecraft=check&key=SOMEINVALIDKEY, opening a possibility for people to send commands to the Minecraft server through their own WordPress site (e.g. making the player OP)

JayWood commented 8 years ago

@FinlayDaG33k I'm not entirely sure users would be able to 'send commands' to the server. The reason is that the handshake goes from MC server -> WordPress server and relies solely on the URL the admin has put in. The key itself is ONLY to verify the server. In no way throughout the code is that key used to send/add/edit commands; a hacker would have to play 'man in the middle' and essentially mimic the web server while being attached to the MC server at the server level (in the datacenter).

Still, your point is valid, I'm not sure why we were sending back the actual DB key in the response, maybe it was a debug thing?
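The bug described in the PR and the comment above, as an added example that is not WooMinecraft's own code: a `?woo_minecraft=check&key=...` handler whose error branch echoes the stored key, beside a hardened version that compares in constant time and returns the same generic message whatever the input. The option name `wm_server_key`, the `init` hook and the function names are assumptions, not the plugin's real identifiers.

```php
<?php
// Added example, not WooMinecraft's code. Assumptions: the server key is stored in a
// WordPress option named 'wm_server_key' (hypothetical) and the handler runs on 'init'.

// Vulnerable pattern: on mismatch the response body contains the real key, so any
// request with a wrong key (even from an unrelated site) learns the secret.
function wm_check_vulnerable() {
    if ( ! isset( $_GET['woo_minecraft'] ) || 'check' !== $_GET['woo_minecraft'] ) {
        return;
    }
    $stored = get_option( 'wm_server_key' );
    $given  = isset( $_GET['key'] ) ? $_GET['key'] : '';
    if ( $given !== $stored ) {
        // BUG: the stored key is disclosed to the caller.
        wp_send_json_error( array( 'msg' => 'Invalid key, expected ' . $stored ) );
    }
    wp_send_json_success( array( 'msg' => 'Key accepted' ) );
}

// Hardened: the secret never appears in any response, the comparison is
// constant-time (hash_equals), an unset key always fails, and the error
// message and status are the same for every wrong input.
function wm_check_hardened() {
    if ( ! isset( $_GET['woo_minecraft'] ) || 'check' !== $_GET['woo_minecraft'] ) {
        return;
    }
    $stored = (string) get_option( 'wm_server_key', '' );
    $given  = isset( $_GET['key'] ) ? sanitize_text_field( wp_unslash( $_GET['key'] ) ) : '';
    if ( '' === $stored || ! hash_equals( $stored, $given ) ) {
        // Generic message: reveals nothing about the stored value.
        wp_send_json_error( array( 'msg' => 'Invalid key' ), 403 );
    }
    wp_send_json_success( array( 'msg' => 'Key accepted' ) );
}
add_action( 'init', 'wm_check_hardened' );
```

The hardened handler only closes the disclosure; as the comment notes, the MC server still trusts whatever URL the admin configured, so the transport to that URL should be HTTPS.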