GHSA-J5QG-W9JG-3WG3
Vulnerability from github – Published: 2021-12-16 18:53 – Updated: 2021-12-16 15:47
VLAI?
Summary
Inability to de-op players if listed in ops.txt with non-lowercase letters
Details
Impact
Originally reported in iTXTech/Genisys#1188
PotterHarry98
potterharry98
deop PotterHarry98
will remove potterharry98 from the ops.txt but not PotterHarry98.
Operator permissions are checked using Config->exists() with lowercase=true, which will result in a match:
https://github.com/pmmp/PocketMine-MP/blob/22bb1ce8e03dba57173debf0415390511d68e045/src/utils/Config.php#L449
This means that it's possible to make yourself impossible to de-op (using commands) by adding your name to ops.txt with uppercase letters.
Patches
4d37b79ff7f9d9452e988387f97919a9a1c4954e
Workarounds
This can be easily addressed by removing the offending lines from ops.txt manually.
For more information
If you have any questions or comments about this advisory: * Open an issue in pmmp/PocketMine-MP * Email us at team@pmmp.io
Severity ?
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "pocketmine/pocketmine-mp"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.0.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [],
"github_reviewed": true,
"github_reviewed_at": "2021-12-16T15:47:47Z",
"nvd_published_at": null,
"severity": "LOW"
},
"details": "### Impact\nOriginally reported in iTXTech/Genisys#1188\n\n```txt\nPotterHarry98\npotterharry98\n```\n\n`deop PotterHarry98`\n\nwill remove `potterharry98` from the ops.txt but not `PotterHarry98`.\n\nOperator permissions are checked using `Config-\u003eexists()` with `lowercase=true`, which will result in a match:\nhttps://github.com/pmmp/PocketMine-MP/blob/22bb1ce8e03dba57173debf0415390511d68e045/src/utils/Config.php#L449\n\nThis means that it\u0027s possible to make yourself impossible to de-op (using commands) by adding your name to ops.txt with uppercase letters.\n\n### Patches\n4d37b79ff7f9d9452e988387f97919a9a1c4954e\n\n### Workarounds\nThis can be easily addressed by removing the offending lines from ops.txt manually.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [pmmp/PocketMine-MP](https://github.com/pmmp/PocketMine-MP)\n* Email us at [team@pmmp.io](mailto:team@pmmp.io)\n",
"id": "GHSA-j5qg-w9jg-3wg3",
"modified": "2021-12-16T15:47:47Z",
"published": "2021-12-16T18:53:57Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/pmmp/PocketMine-MP/security/advisories/GHSA-j5qg-w9jg-3wg3"
},
{
"type": "WEB",
"url": "https://github.com/iTXTech/Genisys/issues/1188"
},
{
"type": "WEB",
"url": "https://github.com/pmmp/PocketMine-MP/commit/4d37b79ff7f9d9452e988387f97919a9a1c4954e"
},
{
"type": "PACKAGE",
"url": "https://github.com/pmmp/PocketMine-MP"
},
{
"type": "WEB",
"url": "https://github.com/pmmp/PocketMine-MP/blob/4.0.3/changelogs/4.0.md#403"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Inability to de-op players if listed in ops.txt with non-lowercase letters"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…