Input not sanitised from IRC when relayed to minecraft clients, leading to denial of service #32

Closed
Wack0 opened this issue Oct 25, 2012 · 4 comments

@Wack0

Wack0 commented Oct 25, 2012

So, this plugin just blindly sends PRIVMSGs from IRC to Minecraft clients, without sanitisation for when the § character (0xa7) is at the end of a line.

Also, as the & character is replaced with 0x00a7, denial of service can be caused by 0x26 at the end of a line too.

This is a bigger issue because IRC is converting to UTF-8, and a lot of UTF-8 encoded characters end in 0xa7 -- here is an incomplete list of characters, which when UTF-8 encoded end in 0xa7: ç, ħ, ŧ, Ƨ, ǧ, ȧ, ɧ, ʧ, ˧, ̧,, ͧ, Χ, ϧ, Ч, ѧ, ҧ, ӧ, ԧ -- and there are probably plenty, PLENTY more, especially when 0x26 is taken into account. When §, &, or any of these aforementioned characters are at the end of a line, the Minecraft server will crash when receiving them (therefore causing denial of service), and obviously this can be in PM as well as in a channel, and therefore in a PM it would be pretty well undetectable as to who is causing denial of service.

@Wack0
Author

Wack0 commented Oct 25, 2012

tl;dr: remove "§" from the end of a line, otherwise malicious IRC users can use this character (and the & character) to cause denial of service via Minecraft client crash, either to individual users in PM, or to several users in a channel. (And this could also be done accidentally; for example, "§" is next to "1" on some Apple keyboards.)
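
The sanitisation asked for above, as an added example that is not part of the issue thread or of the IRCTransport code base: it strips `§` and `&` left dangling at the end of a line before the line is relayed. The class and method names are hypothetical, the sample lines are constructed, and the byte-per-character decoding of `ç` is an assumption used to show why the listed characters matter.

```java
import java.nio.charset.StandardCharsets;

public class RelaySanitizer {
    // Minecraft's formatting marker, U+00A7. Per the issue, the plugin also
    // rewrites '&' to this character, so both are treated as markers here.
    private static final char SECTION = '\u00A7';

    /**
     * Hypothetical helper (not an IRCTransport method): drops formatting
     * markers left dangling at the end of a relayed IRC line.
     */
    static String stripTrailingMarkers(String line) {
        int end = line.length();
        // Loop: removing one marker can expose another one just before it.
        while (end > 0 && isMarker(line.charAt(end - 1))) {
            end--;
        }
        return line.substring(0, end);
    }

    private static boolean isMarker(char c) {
        return c == SECTION || c == '&';
    }

    public static void main(String[] args) {
        // Constructed sample: U+00E7 is C3 A7 in UTF-8. Assumption: the relay
        // decodes those bytes one per character, which leaves a trailing U+00A7.
        byte[] raw = "fran\u00E7".getBytes(StandardCharsets.UTF_8);
        String misdecoded = new String(raw, StandardCharsets.ISO_8859_1);

        // Constructed sample lines, not taken from the issue.
        String[] samples = {
            "hello\u00A7",       // trailing section sign
            "hello&",            // '&' that would be rewritten to U+00A7
            "hi&\u00A7&",        // several markers stacked at the end
            "\u00A7",            // marker only: becomes the empty string
            "\u00A7cred text",   // marker mid-line with its code: unchanged
            misdecoded           // mis-decoded UTF-8 ending in 0xA7
        };
        for (String s : samples) {
            String out = stripTrailingMarkers(s);
            System.out.printf("%-12s -> %-12s (%d -> %d chars)%n",
                    s, out, s.length(), out.length());
        }
    }
}
```

A line that comes back empty contained nothing but markers and does not need to be relayed at all.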

@ghost ghost assigned hef Nov 3, 2012
@hef
Owner

hef commented Nov 3, 2012

This does not appear to be broken for me on craftbukkit 1.4.2-R0.1 with IRCTransport 0.13.0.

Perhaps this is a bug on a different version?

@Wack0
Author

Wack0 commented Nov 3, 2012

Yes, craftbukkit 1.2.5-R4.1 with IRCTransport 0.13.0 is affected, at least.
In case you need more info, IRCTransport is set to use cgiirc mode.

@hef
Owner

hef commented Apr 22, 2013

This doesn't seem to affect the latest released version of minecraft or craftbukkit. If this continues to be an issue, feel free to reopen this issue.

@hef hef closed this as completed Apr 22, 2013