search

pmmp / PocketMine-MP

A server software for Minecraft: Bedrock Edition in PHP
https://pmmp.io
GNU Lesser General Public License v3.0
3.28k stars 1.56k forks source link

TextPacket vulnerabilities #4974

Closed StefanFox-Dev closed 2 years ago

StefanFox-Dev commented 2 years ago

Issue description

Steps to reproduce the issue

  1. Turn on the bot through a proxy
  2. We go to the server with a proxy
  3. We send the package "TextPacket" count message: 99999999999/second.
  4. Ready! The server lay down for 30 minutes, nothing works, there is no crash and it will only save reboot VDS

OS and versions

Plugins

Plugins null.

Crashdump, backtrace or other files

No crash server.

FIX PROBLEM:

`public function onCrashGuard(DataPacketReceiveEvent $ev){

if($ev->getPacket() instanceof TextPacket){ if(mb_strlen($ev->getPacket()->message) > 500){ var_dump(mb_strlen($ev->getPacket()->message)); $ev->getOrigin()->getPlayer()->kick('Off bot please!'); $ev->cancel(); } } }`

BOT:

o0sqFLqevnexKfTqdyvLns309KSVPTdsqjRKZVEGKHy5m05YHldxZvCUxbhd0RPDCUgVRtMLzJzyomwWgxydpCpp A_6JlISh_rMmgT6GjwI5UHEStOceVlhoKBA0yEtyEn6n4HeQOD24aUvLM-a1KNzy4060LBWw_bAQENd7qPf7L5s4

PROBLEM:

Stupidly the server is frozen, it works everywhere, any server! Therefore, I leaked a fix to you :) XZ5m_i5oOr3FC3x10KJSgEE6PgVfQHo6fgWzY72Ipi-uq9Usf9kARnAuk_KSebNPnras0jwFD7C-Ne7OMex33W8H

dktapps commented 2 years ago

well done, you just advertised this "vulnerability" to 300 people ...

StefanFox-Dev commented 2 years ago

How else could it be written?

Nerahikada commented 2 years ago

See SECURITY.md

StefanFox-Dev commented 2 years ago

It's clear

StefanFox-Dev commented 2 years ago

Issue description

  • Actual result: crash

Steps to reproduce the issue

  1. Turn on the bot through a proxy
  2. We go to the server with a proxy
  3. We send the package "TextPacket" count message: 99999999999/second.
  4. Ready! The server lay down for 30 minutes, nothing works, there is no crash and it will only save reboot VDS

OS and versions

  • PocketMine-MP: 0.0.1 - 4.2.9
  • PHP: 7.0.1 - 8.0.17
  • Using JIT: yes/no
  • Server OS: Ubuntu 20.04
  • Game version: Android/iOS/Win10/Xbox/PS4/Switch

Plugins

Plugins null.

Crashdump, backtrace or other files

No crash server.

FIX PROBLEM:

`public function onCrashGuard(DataPacketReceiveEvent $ev){

if($ev->getPacket() instanceof TextPacket){ if(mb_strlen($ev->getPacket()->message) > 500){ var_dump(mb_strlen($ev->getPacket()->message)); $ev->getOrigin()->getPlayer()->kick('Off bot please!'); $ev->cancel(); } } }`

BOT:

o0sqFLqevnexKfTqdyvLns309KSVPTdsqjRKZVEGKHy5m05YHldxZvCUxbhd0RPDCUgVRtMLzJzyomwWgxydpCpp A_6JlISh_rMmgT6GjwI5UHEStOceVlhoKBA0yEtyEn6n4HeQOD24aUvLM-a1KNzy4060LBWw_bAQENd7qPf7L5s4

PROBLEM:

Stupidly the server is frozen, it works everywhere, any server! Therefore, I leaked a fix to you :) XZ5m_i5oOr3FC3x10KJSgEE6PgVfQHo6fgWzY72Ipi-uq9Usf9kARnAuk_KSebNPnras0jwFD7C-Ne7OMex33W8H

dktapps commented 2 years ago

It's too late for that. Anyone receiving email notifications now knows about this problem, as well as anyone paying attention to our Discord server.