Closed gre3x closed 5 months ago
@kangarko @ElBananaa @TheIntolerant sorry for the ping, but I believe this should be handled quickly. Let me know if you need any more info
Thanks for reporting. This is strange, because I do recall patching this earlier and checking for non player senders: https://i.imgur.com/mI1oJyA.png
I recommend you set the key Enable_Forward_Command to false in BungeeControl's latest current version. It will turn this feature off completely.
@kangarko will toggling it off on the Bungee also block the interaction on Spigot servers? There is no toggle on the Spigot servers to prevent this, so how do I block it on my Spigot servers too?
I am assuming that clients can interact with Spigot plugins and just because it is not processed on the Bungee plugin, does not mean that the Spigot plugin will not get the packet.
Again, this is on the Spigot server, not the Bungee.
And I just checked and I already had the Enable_Forward_Command to false on the Bungee sadly @kangarko
Thanks, you were correct. I'll push a new release tonight.
"/version ChatControlRed" - plugin version
10.23.7
Are you using MySQL?
Yes
Are you using BungeeCord?
Yes
Error log (if applicable)
N/A
"/chc debug" output (strongly recommended)
debug.zip
Information about the issue/bug
Players are able to execute console commands on the server they are currently on through custom clients by sending plugin message packets with the "FORWARD_COMMAND" argument and a server name that is the same as the current server.
This is related to Bungee command forwarding, but the Bungee server is not involved I think. This all happens on the Spigot server.
I do not have access to these clients or the exact code of how they are doing it, since these are being used by malicious players on my server and not by me, but here is what I think is close to an example of what a dangerous packet sent on an example "Hub1" server would look like:
There is no way to block these right now, even though I don't use the command forwarding feature.
Can you please add a way to disable processing these packets if we don't use the feature? Like if there is a FORWARD_COMMAND packet, then check a config option to see if command forwarding is enabled? Then we can disable it ourselves in the config
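The config-gated check requested above could look like the following on the Spigot side. This is an added example, not ChatControl's code and not part of the original report. The channel name `example:bridge`, the Spigot-side use of the `Enable_Forward_Command` key, and the assumption that the action label is the first UTF string in the payload are all hypothetical.

```java
import com.google.common.io.ByteArrayDataInput;
import com.google.common.io.ByteStreams;
import org.bukkit.entity.Player;
import org.bukkit.plugin.java.JavaPlugin;
import org.bukkit.plugin.messaging.PluginMessageListener;

public final class ForwardCommandGate extends JavaPlugin implements PluginMessageListener {

    // Hypothetical channel name; the real plugin's channel is not shown on this page.
    private static final String CHANNEL = "example:bridge";
    // Hypothetical Spigot-side key, named after the BungeeControl key mentioned above.
    private static final String TOGGLE = "Enable_Forward_Command";

    @Override
    public void onEnable() {
        getServer().getMessenger().registerIncomingPluginChannel(this, CHANNEL, this);
    }

    @Override
    public void onPluginMessageReceived(String channel, Player player, byte[] message) {
        if (!CHANNEL.equals(channel)) {
            return;
        }

        final String action;
        try {
            // Assumed layout: the action label is the first UTF string of the payload.
            ByteArrayDataInput in = ByteStreams.newDataInput(message);
            action = in.readUTF();
        } catch (IllegalStateException malformed) {
            // Guava wraps truncated or invalid input in IllegalStateException.
            getLogger().warning("Dropped malformed plugin message via " + player.getName());
            return;
        }

        // 'player' is only the connection the bytes arrived on. Proxy-originated
        // messages also arrive over a player connection, so this parameter cannot
        // prove the sender was the proxy. The gate therefore fails closed:
        // a missing key is treated as "disabled".
        boolean forwardingEnabled = getConfig().getBoolean(TOGGLE, false);
        if ("FORWARD_COMMAND".equals(action) && !forwardingEnabled) {
            getLogger().warning("Dropped FORWARD_COMMAND received via " + player.getName());
            return;
        }

        // Actions that never reach the console dispatcher continue past this point.
    }
}
```

The warning line gives operators a log entry to alert on when a disabled feature is still being probed.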