Closed FinlayDaG33k closed 8 years ago
@FinlayDaG33k I'm not entirely sure users would be able to 'send commands' to the server. The reason is the handshake goes from MC server -> WordPress server and relies solely on the URL the admin has put in. The key itself is ONLY to verify the server. In no way, throughout the code, is that key used to send/add/edit commands; a hacker would have to play 'man in the middle' and essentially mimic the web server while being attached to the MC server at the server level (in the datacenter).
Still, your point is valid; I'm not sure why we were sending back the actual DB key in the response. Maybe it was a debug thing?
Fixed a security vulnerability where the server key would show up in
?woo_minecraft=check&key=SOMEINVALIDKEY
opening a possibility for people to send commands to the Minecraft server through their own WordPress site (e.g. making the player OP)
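
The leak described in this thread (a failed `check` request answered with the stored key) next to a hardened handler, as an added example that is not the plugin's own code. The function names, the response shape and the sample key are assumptions made for illustration.

```php
<?php
// Added example: names and response shape are hypothetical, not taken from the plugin.

// Pattern described in the report: the failure response carries the stored key,
// so any caller who sends a wrong key learns the right one.
function check_key_leaky(string $stored_key, string $supplied_key): array {
    if ($supplied_key !== $stored_key) {
        return ['success' => false, 'msg' => 'Invalid key', 'key' => $stored_key];
    }
    return ['success' => true];
}

// Hardened form: constant-time comparison, an unset key never validates,
// and no response path includes the secret.
function check_key_hardened(string $stored_key, string $supplied_key): array {
    if ($stored_key === '' || !hash_equals($stored_key, $supplied_key)) {
        return ['success' => false, 'msg' => 'Invalid key'];
    }
    return ['success' => true];
}

// Regression check: the stored key must never appear in a serialized response.
function response_leaks_key(array $response, string $stored_key): bool {
    return strpos(json_encode($response), $stored_key) !== false;
}

$stored = 'constructed-sample-key-0000'; // constructed sample value
$probe  = 'SOMEINVALIDKEY';              // the invalid key from the report's URL

foreach (['check_key_leaky', 'check_key_hardened'] as $handler) {
    $response = $handler($stored, $probe);
    printf(
        "%-20s rejects=%s leaks_key=%s\n",
        $handler,
        var_export($response['success'] === false, true),
        var_export(response_leaks_key($response, $stored), true)
    );
}
```

The `response_leaks_key` check is the part worth keeping as a regression test: it fails if a debug field carrying the key is ever reintroduced into a response.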