Getting Around BukkitPermissions

Discussion in 'Bukkit Discussion' started by Intravenous, Jan 28, 2012.

Thread Status:
Not open for further replies.
  1. Intravenous

    Hey all just wondering if anyone can provide me some info on the following problem:

    My server is using bukkitPermissions and it all works quite well.
    We had an organized group of griefers attack our server and they were able to bypass the permissions.
    They joined and were labeled as the "Guest" group/priv, which is a look-only priv on our server; such users cannot build or alter anything. However, these griefers were able to bypass that!!!?
    I put one of my other accounts in "Guest" and logged in myself to test the permissions, and I was not able to build; permissions worked as they should for me.

    So, they bypassed our permissions somehow.
    Any ideas?
     
  2. WizzleDonker

    Is there any chance you are an offline server? I have nothing against offline servers, just asking.

    If you are an offline server, which authentication plugin do you use?
     
  3. Jade

    1. I love your name :|
    2. I use xAuth :|
     
  4. WizzleDonker

    Ahh! There is your problem.

    There is a bug in xAuth, a bug which is quite severe. Because you are using a permissions plugin, ops just display as the rank they have been assigned. What has happened is that the hackers have used the exploit in xAuth explained here:

    https://github.com/CypherX/xAuth/issues/19

    They used this exploit to become ops while still appearing as guests. They were hidden ops, and unless you had a plugin which changed the display name of people who are ops, there would be no way to tell that they had operator privileges.

    Fix

    1. Open the 'ops.txt' file in your server directory
    2. Remove all of the hackers, or just everyone you don't recognise.
    3. Go to the xAuth configuration file
    4. Set reverse-enforce-single-session: false in the config file (hackers can then not use this exploit)
    5. Save everything, restart your server.
     
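The five-step fix above done as a script, as an added example that is not part of the original post or of xAuth. It audits ops.txt against a list of operators you actually recognise, prunes the rest, and flips reverse-enforce-single-session to false. The thread names ops.txt and the config key; the config path plugins/xAuth/config.yml, the one-name-per-line ops.txt layout and the sample files below are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread or from xAuth): audit and clean the
# server's op list, then disable the xAuth setting the post above names.
# Assumed: ops.txt is one name per line; the xAuth config lives at
# plugins/xAuth/config.yml (the thread does not give the path).
set -eu

# Normalise a list of names: drop CRs and trailing blanks, skip empty lines,
# lower-case (Minecraft usernames are case-insensitive), de-duplicate.
norm() {
    tr -d '\r' | sed 's/[[:space:]]*$//; /^$/d' | tr 'A-Z' 'a-z' | sort -u
}

# Print (lower-cased) every name in ops file $1 missing from allow-list $2.
unknown_ops() {
    allow_tmp=$(mktemp)
    norm < "$2" > "$allow_tmp"
    norm < "$1" | grep -vxF -f "$allow_tmp" || true
    rm -f "$allow_tmp"
}

# Rewrite ops file $1 in place, keeping only names on allow-list $2
# (original spelling preserved, unknown names dropped).
prune_ops() {
    allow_tmp=$(mktemp); out=$(mktemp)
    norm < "$2" > "$allow_tmp"
    while IFS= read -r name || [ -n "$name" ]; do
        key=$(printf '%s\n' "$name" | norm)
        [ -n "$key" ] || continue
        if grep -qxF "$key" "$allow_tmp"; then printf '%s\n' "$name"; fi
    done < "$1" > "$out"
    mv "$out" "$1"; rm -f "$allow_tmp"
}

# Exit 0 if config $1 still has reverse-enforce-single-session: true.
xauth_reverse_enforce_enabled() {
    grep -Eq '^[[:space:]]*reverse-enforce-single-session:[[:space:]]*true[[:space:]]*$' "$1"
}

# Set reverse-enforce-single-session to false in config $1 (indentation kept).
disable_reverse_enforce() {
    tmp=$(mktemp)
    sed -E 's/^([[:space:]]*reverse-enforce-single-session:[[:space:]]*)true[[:space:]]*$/\1false/' "$1" > "$tmp"
    mv "$tmp" "$1"
}

# --- constructed sample server directory (not real data) ---
WORK=$(mktemp -d)
OPS="$WORK/ops.txt"
KNOWN="$WORK/known-ops.txt"
CFG="$WORK/plugins/xAuth/config.yml"
mkdir -p "$WORK/plugins/xAuth"
printf 'Intravenous\nGr1efer_X\r\nBuildMod\n' > "$OPS"          # ops.txt with one intruder
printf 'intravenous\nbuildmod\n' > "$KNOWN"                      # ops you recognise
printf '# assumed layout of the relevant key\nreverse-enforce-single-session: true\n' > "$CFG"

REPORT=$(unknown_ops "$OPS" "$KNOWN")        # step 1-2: find ops you did not add
printf 'Unknown ops: %s\n' "${REPORT:-none}"
prune_ops "$OPS" "$KNOWN"                    # remove them
if xauth_reverse_enforce_enabled "$CFG"; then # step 3-4: fix the xAuth setting
    disable_reverse_enforce "$CFG"
fi
printf 'ops.txt now: %s\n' "$(tr '\n' ' ' < "$OPS")"
# step 5 (restart the server) is up to you; this script only edits the files
```

Run it from the server directory after changing OPS, KNOWN and CFG to the real paths; review the "Unknown ops" line before trusting the pruned file, since any legitimate op missing from your allow-list is removed as well.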
  5. Jade

    :| I'm not the op :p
    But I will be using that to stop anything of that nature. I was stating that works for me ;P
     
  6. Intravenous

    online-mode=true
    I'll try xAuth with that fix and see how that goes.
    I checked the ops.txt after reading the above and noticed two names in there that should not have been.
    Thank you for the quick reply, hopefully xAuth w/fix will do the job.

    Any experience/issues with AuthMe?
     