[SPIGOT-5769] Servers running as part of a BungeeCord network should make security flaws more obvious Created: 09/Jun/20  Updated: 01/Jan/24

Status: Open
Project: Spigot
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: New Feature
Priority: Minor
Reporter: Sam Poulton
Assignee: Unassigned
Resolution: Unresolved
Votes: 0
Labels: bungeecord, spigot
Environment: Any Spigot server running as part of a BungeeCord network
Issue Links: relates to SPIGOT-7559 Integrate BungeeGuard for more safety... (Open)
Version: All
Guidelines Read: Yes

Description

I'm an independent server pentester, and one of the most saddening things I see is when people with no understanding of systems security try to run a BungeeCord network. There seems to be one recurring flaw - people don't protect their game servers, whether that's with a firewall or with BungeeGuard/OnlyProxyJoin/IPWhitelist/etc. This obviously leaves many many servers vulnerable to severe issues such as UUID spoofing.

I feel that part of the issue is that security issues aren't made obvious enough to the less technically experienced of server admins. The offline-mode warning in the console often gets lost among plugin load messages, and many people don't read the startup logs for their servers. Another issue is with the following error message:

"If you wish to use IP forwarding, please enable it in your BungeeCord config as well!"

This message often gets dismissed - it doesn't make it obvious that this is a security-related issue. However, to a potential attacker, it gives a lot of information:

  • This server is part of a BungeeCord network
  • This server is in offline mode
  • This server probably hasn't been properly protected and may be vulnerable

Over the last few weeks I have seen this particular error message and have been able to successfully carry out a UUID spoof exploit (with the owners' permission) across nineteen individual servers. This flaw needs to be made more obvious in order to protect the many networks like this.

Comments
Comment by AMNOTBANANAAMA [ 19/Jun/20 ]

In my opinion this is Won't Fix. In the offline world, when you buy a piece of potentially hazardous equipment, you read the manual. If you choose not to read the instruction manual, that is a failure on your part and you are solely responsible for the consequences resulting thereof. The BungeeCord Installation Guide has a big red heading warning users of the security implications of using BungeeCord in offline mode and that's sufficient in my opinion.


If I were the poster, one possible solution would be checking server.properties on startup to see if online mode is set to false AND if any of the server addresses are not localhost. If both conditions are true, delay startup by 5 seconds and print a warning to the console.

Again I'd like to emphasize I do not consider this a bug, and that I think this issue should be closed.
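A startup check of the kind suggested above, written here as an added example (it is not Spigot code and not part of this ticket): it reads server.properties and spigot.yml and warns when an offline-mode backend is not bound to loopback. It assumes the "server addresses" in the suggestion correspond to the server-ip bind address in server.properties, and the sample configs below are constructed.

```python
import re

# Bind addresses that only the local machine (e.g. a proxy on the same host) can reach.
LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def parse_properties(text: str) -> dict:
    """Minimal reader for server.properties (Java key=value lines, '#'/'!' comments)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def spigot_bungee_enabled(spigot_yml: str) -> bool:
    """True if spigot.yml contains settings.bungeecord: true (line match, no YAML library)."""
    return re.search(r"^\s+bungeecord:\s*true\s*$", spigot_yml, re.MULTILINE) is not None


def audit(server_properties: str, spigot_yml: str = "") -> list:
    """Return warning strings for an offline-mode backend that is reachable from off-host."""
    props = parse_properties(server_properties)
    online = props.get("online-mode", "true").lower() == "true"
    bind = props.get("server-ip", "").lower()  # empty string means "all interfaces"
    findings = []
    if online or bind in LOOPBACK:
        return findings  # authenticated by Mojang, or only reachable locally: nothing to flag
    where = bind or "all interfaces"
    findings.append(f"online-mode=false while listening on {where}: clients that bypass the "
                    "proxy are never authenticated, so their names and UUIDs cannot be trusted")
    if spigot_bungee_enabled(spigot_yml):
        findings.append("settings.bungeecord=true: only the proxy should reach this port; "
                        "firewall it, bind server-ip to 127.0.0.1 if the proxy is local, "
                        "or use BungeeGuard")
    return findings


# Constructed sample configs of a typical unprotected backend (not taken from any real server).
SAMPLE_PROPERTIES = "# constructed server.properties\nonline-mode=false\nserver-ip=\nserver-port=25566\n"
SAMPLE_SPIGOT_YML = "settings:\n  bungeecord: true\n"

if __name__ == "__main__":
    for finding in audit(SAMPLE_PROPERTIES, SAMPLE_SPIGOT_YML):
        print("WARNING:", finding)
```

In a real startup hook the two strings would be read from the server directory and the warning printed before the 5-second delay the comment proposes.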

Comment by md_5 [ 10/Jun/20 ]

What is your proposed solution?
