This repository was archived by the owner on Jan 28, 2023. It is now read-only.
Fixed security vulnerability #15
Merged
JayWood merged 1 commit into WooMinecraft:master from Mar 9, 2016
Fixed a security vulnerability where the server key would show up in `?woo_minecraft=check&key=SOMEINVALIDKEY`, opening a possibility for people to send commands to the Minecraft server through their own WordPress site (e.g. making the player OP)
@FinlayDaG33k I'm not entirely sure users would be able to 'send commands' to the server. The reason is that the handshake goes from MC server -> WordPress server and relies solely on the URL the admin has put in. The key itself is ONLY to verify the server. In no way throughout the code is that key used to send/add/edit commands; a hacker would have to play 'man in the middle' and essentially mimic the web server while being attached to the MC server at the server level (in the datacenter). Still, your point is valid. I'm not sure why we were sending back the actual DB key in the response, maybe it was a debug thing?
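
The disclosure discussed in this thread, as an added example that is not the plugin's code and not part of either comment: a key-check handler that echoes the stored key on a mismatch, next to one that compares in constant time and returns nothing secret. The function names, response fields and sample key are hypothetical; only the `woo_minecraft=check&key=SOMEINVALIDKEY` request shape comes from the pull request.

```php
<?php
// Hypothetical sketch: function names, response fields and the sample key are
// constructed for illustration and are not taken from the plugin.

/** Leaky variant: echoes the stored key back when the check fails. */
function check_key_leaky(string $storedKey, string $suppliedKey): array
{
    if ($storedKey !== $suppliedKey) {
        return [
            'status' => 'error',
            'msg'    => 'Keys do not match',
            'key'    => $storedKey, // discloses the secret to any caller
        ];
    }
    return ['status' => 'success'];
}

/** Hardened variant: constant-time compare, nothing secret in the reply. */
function check_key_hardened(string $storedKey, string $suppliedKey): array
{
    // Refuse to validate against an unset key so an empty guess never passes.
    if ($storedKey === '' || !hash_equals($storedKey, $suppliedKey)) {
        return ['status' => 'error', 'msg' => 'Invalid key'];
    }
    return ['status' => 'success'];
}

// Constructed sample values.
$stored  = 'constructed-server-key-123';
$request = ['woo_minecraft' => 'check', 'key' => 'SOMEINVALIDKEY'];

foreach (['check_key_leaky', 'check_key_hardened'] as $handler) {
    $reply = $handler($stored, (string) ($request['key'] ?? ''));
    // Regression check: the serialized reply must never contain the stored key.
    $leaks = strpos(json_encode($reply), $stored) !== false;
    printf("%-20s %s leaks_key=%s\n", $handler, json_encode($reply), $leaks ? 'yes' : 'no');
}
```

The `leaks_key` check at the end is the kind of assertion that would catch a debug field like this before release.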