Glitch that allows players to op themselves?


#1

I know this existed, but I thought it got fixed?
I just took a look in my server log this morning:

[07:44:43] [Server thread/INFO]: [sk0rp1s] hi
[07:44:43] [Server thread/INFO]: [sk0rp1s] hi
[07:44:44] [Server thread/INFO]: [sk0rp1s] hi
[07:44:56] [Server thread/INFO]: [sk0rp1s: Opped sk0rp1s]
[07:44:57] [Server thread/INFO]: [sk0rp1s: Opped sk0rp1s]
[07:44:57] [Server thread/INFO]: [sk0rp1s: Opped sk0rp1s]
[07:46:41] [Server thread/INFO]: [sk0rp1s: Set sk0rp1s's game mode to Creative Mode]
[07:46:41] [Server thread/INFO]: [sk0rp1s: Set sk0rp1s's game mode to Creative Mode]
[07:46:41] [Server thread/INFO]: [sk0rp1s: Set sk0rp1s's game mode to Creative Mode]

He ended up in my ban list and I blocked the op command entirely now, but how was he able to do that? I have to admit that the Forge/Sponge versions I use are not the newest (still working on updating my plugins), but does somebody know if anything similar got fixed in the past weeks? :smile:
(Sponge: 1.8-1499-2.1DEV-584, Forge: 1499)
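
Added example (not part of the original post): a small Python scan for the pattern in the log excerpt above, flagging `Opped` broadcasts issued by anyone outside a known operator list, plus what that player did afterwards. The function name, the allowlist and the `admin1`/`helper2` line are assumptions made for illustration; the other sample lines are taken from the excerpt.

```python
import re

# Admin broadcast format seen in the excerpt:
#   [HH:MM:SS] [Server thread/INFO]: [<actor>: <action>]
# The actor may not contain ']' or whitespace, so a chat line such as
# "[name] [name: Opped name]" cannot pass itself off as a broadcast.
ADMIN_LINE = re.compile(
    r"^\[(?P<time>\d{2}:\d{2}:\d{2})\] \[Server thread/INFO\]: "
    r"\[(?P<actor>[^:\]\s]+): (?P<action>.+)\]$"
)
OPPED = re.compile(r"^Opped (?P<target>\S+)$")

# Lines from the post, plus one constructed line for a legitimate operator.
SAMPLE_LOG = """\
[07:44:43] [Server thread/INFO]: [sk0rp1s] hi
[07:44:56] [Server thread/INFO]: [sk0rp1s: Opped sk0rp1s]
[07:44:57] [Server thread/INFO]: [sk0rp1s: Opped sk0rp1s]
[07:44:57] [Server thread/INFO]: [sk0rp1s: Opped sk0rp1s]
[07:46:41] [Server thread/INFO]: [sk0rp1s: Set sk0rp1s's game mode to Creative Mode]
[07:46:41] [Server thread/INFO]: [sk0rp1s: Set sk0rp1s's game mode to Creative Mode]
[08:00:00] [Server thread/INFO]: [admin1: Opped helper2]
""".splitlines()


def find_unexpected_admin_actions(lines, known_ops):
    """Return (grants, followups) with repeated broadcasts collapsed.

    grants:    (time, actor, target) for op grants by a non-operator
    followups: (time, actor, action) for later admin actions by anyone
               who received op through such a grant
    """
    known = {name.lower() for name in known_ops}
    suspicious, seen = set(), set()
    grants, followups = [], []
    for raw in lines:
        m = ADMIN_LINE.match(raw.strip())
        if not m:
            continue  # ordinary chat and other log lines
        key = (m["time"], m["actor"], m["action"])
        if key in seen:
            continue  # the same broadcast is logged several times
        seen.add(key)
        op = OPPED.match(m["action"])
        if op and m["actor"].lower() not in known:
            grants.append((m["time"], m["actor"], op["target"]))
            suspicious.add(op["target"].lower())
        elif m["actor"].lower() in suspicious:
            followups.append(key)
    return grants, followups
```

Comparing the flagged names against `ops.json` after such a hit shows whether the grant is still in effect.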


#2

I'd have a look at the permission management first. If your default group has OP permission, then every new user can /op themselves and gain further rights.


#3

I programmed this permission management myself, and I'm testing it with a second account all the time ... nope! Definitely no! :smiley:


#4

What does your permission plugin return when queried for "minecraft.command.op"? If the registered PermissionService allows that permission then people can use the /op command


#5

For the sake of argument, could you supply the source code for your permission plugin?


#6

Hmm. I got a thought here:
Since I started early with the development of that plugin, it is currently not using Sponge's permission system.
It literally reads and cancels command events. (I know it's a bad way, don't hate me, I'll fix it :smiley: ) Could that be an issue? That is still a version without Causes, so maybe they are able to perform a command without them being the CommandSource? I need to check that...


#7

How come you don't use Sponge's Permission API?
I think that might be your problem :wink:


#8

Even if this is a bad way, it should work, shouldn't it? ^^
Well, but you're right. I'll first try to somehow reproduce that glitch with a better permission system.
So just ignore this topic for now :smile:
Thanks for suggestions.


#9

I think I found the issue.

This line:

if (evt.getSource() instanceof Player && hasPermission((Player) evt.getSource(), "execute." + evt.getCommand())) return;

must be:

if (evt.getSource() instanceof Player && !hasPermission((Player) evt.getSource(), "execute." + evt.getCommand())) return;

#10

No, this method returning means it ignores the Command-execution and doesn't cancel it. :smiley: So if the Method returns there, the command gets executed!


#11

The problem is that you are only cancelling the event if the command is invalid and not if the player doesn't have the permissions.


#12

To explain the method:

For every command that is owned by my plugin:
Just let it run, the command itself checks permission before executing.

For every other command:
Cancel if the player doesn't have the "execute." permission.

//ignore commands from console or commandblock
if (evt.getSource() instanceof ConsoleSource) return;
if (evt.getSource() instanceof CommandBlockSource) return;

//ignore commands if the player has "execute.<cmd-name>" permission
if (evt.getSource() instanceof Player && hasPermission((Player) evt.getSource(), "execute." + evt.getCommand())) return;

//Check if the command is owned by my plugin (CNMain.getPlugin())
Set<CommandMapping> commandSet = evt.getGame().getCommandDispatcher().getOwnedBy(CNMain.getPlugin()); 
CommandMapping cm = null;
for (CommandMapping mapping : commandSet){
    if (mapping.getAllAliases().contains(evt.getCommand())){
        cm = mapping;
        break;
    }
}

//if the command is not owned by my plugin cancel it. (If it is owned by my plugin, it'll handle permissions itself)
if (cm == null){
    evt.getSource().sendMessage(Texts.of(TextColors.RED, "Diesen Command gibt es nicht! Gib /help ein um eine Liste verfügbarer Commands zu bekommen!"));
    evt.setCancelled(true);
    evt.setResult(CommandResult.empty());
    return;
}

#13

That was my account, but I can't use it anymore because some stupid asshole apparently hacked it and changed the password. Unfortunately I can no longer get into the e-mail account because I no longer have the login details.


#14

@Jojo_Mustermann https://help.mojang.com/customer/en/portal/articles/361483-my-account-was-stolen

Please visit and contact Mojang / Microsoft. There is little we can do. Your password is likely in a database shared between many people.


#15

This thread was from over 2 years ago, not sure of the resolution or if it was the plugin's fault or Sponge's.

There was at one point a bug with clashing aliases, that used the permission of the clashing command instead of the permission for the raw minecraft command.

If there was a fake op override, or a command registering /op in order to tell people not to use it, it may have been the cause of the person opping themselves.