A fix for the "session stealer" exploit for your server

Discussion in 'Bukkit Discussion' started by sk89q, Jul 9, 2012.

Thread Status:
Not open for further replies.
  1. Offline

    sk89q

    There's a popular "session stealing" exploit that I assume many of you know about. A few of my friends have had the issue too, so I recently posted a "fix" for the problem for individual servers. While it's not a proper fix-the-actual-problem solution, it will prevent others from stealing the session of any moderator (or you), and you don't even have to enter passwords or anything on login, so it's pain-free and seamless. No client modification is needed either.

    The problem is fixed in MC1.3, but until then, you're vulnerable.

    I've detailed the fix here:
    http://www.sk89q.com/2012/07/fixing-the-minecraft-session-stealer-exploit/
     
    afistofirony, battlekid and zipfe like this.
  2. Offline

    TnT

    Good to see these tools available. I prefer to just not log into an untrustworthy server.
     
    codename_B likes this.
  3. Offline

    sk89q

    That's easy enough, but getting your moderators to do the same can be the issue.
     
    battlekid likes this.
  4. Offline

    JohnTheRipper

    That is quite brilliant! Will this feature stay in WorldGuard once the fix is released in 1.3? It seems that it could have some other uses beyond session stealer prevention...
     
  5. Offline

    sk89q

    Probably.
     
  6. Offline

    Adrenaline

    If you don't have WG, can you set the session time in an auth plugin to 0? :)
     