Bukkit Forums

by eyamaz at 11:41 AM
(33,156 Views / 1 Likes)
Today, it was brought to my attention that the plugin "SuperString" had slipped past us and contained malicious code. This plugin, and the author, have both been removed from DBO. If, at this time, you are one of those that have downloaded this plugin, please be warned that version 1.1 contains the malicious code.

Over the last few months, we have caught more than a dozen new plugins uploaded with malicious code. However, no system is perfect and we miss some. Anyone that says you can catch such code all of the time, would be straight lying. This is where the community helps play in to the protection equation.

As much as the community relies on us to help ensure a safer place to download their addons, modifications, and various plugins, we also rely on the community's feedback and help to report the things we miss. Instead of a blind hosting system like many other sites, we use...
by Kaelten at 9:42 PM
(27,623 Views / 0 Likes)
Tonight we've been made aware of a decompiler vulnerability that allows people to effectively hide sections of code. This has been reported to both Procyon and Luyten. This may also affect other decompilers.

Unfortunately due to this we will be not be processing new files until a fixed or replacement decompiler can be found.

As of right now there is no known malicious code on DBO. However, due to the nature of this decompiler shortcoming we are unable to know conclusively.

A big thanks to korikisulda for bringing this to our attention.

Edit by Zeldo:
Korikisulda has posted a much more detailed post about how this works for those that are wondering. You can find it here:...
by Jadedcat at 4:50 PM
(26,641 Views / 0 Likes)
Recently a plugin named Magix was uploaded to the site. This plugin had an exploit in it wherein an image file was used to add extra javascript beyond the code in the plugin itself. That could allow for arbitrary opping on a server. Multiple reviews of the project by our staff failed to catch it, and for that mistake we're very sorry.

We have adapted our review process to look for this kind of exploit in the future. Unfortunately no matter how well we review plugins people will try and find new creative ways to add malicious content.

The plugin has been removed and the author banned.

If you downloaded and are using Magix, please remove it from your server.

Again we apologize for missing the exploit when checking the code.
by Jadedcat at 8:35 AM
(36,035 Views / 10 Likes)
There are any number of licenses you can pick for a plugin. GPL amongst others allows other people to copy and redistribute your code under certain conditions. Most noticeably the requirement that any fork also be GPL. Other open source licenses have other requirements.

If you pick the GPL license or any other open source license for your plugin and someone clones your plugin it is not a copyright violation as long as they follow the requirements.

As it pertains to plugins uploaded to BukkitDev or Curse, things are slightly different.

We feel the spirit of open source licenses is to allow for continuing an abandoned project, or forking and creating a new project based on the original. The purpose is not to allow anyone and everyone to create a straight 1-1 clone of actively developed plugins.

On BukkitDev we will decline to host simple clones of existing plugins, regardless of licensing legalities. If you are aware of a straight 1-1 clone of an existing plugin please...