So, this plugin just blindly sends PRIVMSGs from IRC to Minecraft clients, without sanitisation for when the § character (0xa7) is at the end of a line.
Also, as the & character is replaced with 0x00a7, denial of service can be caused by 0x26 at the end of a line too.
This is a bigger issue because IRC is converting to UTF-8, and a lot of UTF-8 encoded characters end in 0xa7 -- here is an incomplete list of characters, which when UTF-8 encoded end in 0xa7: ç, ħ, ŧ, Ƨ, ǧ, ȧ, ɧ, ʧ, ˧, ̧,, ͧ, Χ, ϧ, Ч, ѧ, ҧ, ӧ, ԧ -- and there are probably plenty, PLENTY more, especially when 0x26 is taken into account. When §, &, or any of these aforementioned characters are at the end of a line, the Minecraft server will crash when receiving them (therefore causing denial of service), and obviously this can be in PM as well as in a channel, and therefore in a PM it would be pretty well undetectable as to who is causing denial of service.
tl;dr: remove "§" from the end of a line, otherwise malicious IRC users can use this character (and the & character) to cause denial of service via Minecraft client crash, either to individual users in PM, or to several users in a channel. (and this could also be done accidentally, for example "§" is next to "1" on some Apple keyboards, for example)
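A sketch of the requested sanitisation, added here as an example and not taken from the plugin's code. The helper names are hypothetical, and it assumes the relay receives the raw PRIVMSG payload as bytes. The default mode strips a dangling § (after the & translation described in the report); `strict=True` additionally drops trailing characters whose UTF-8 encoding ends in 0xa7, the wider case the report lists.

```python
SECTION = "\u00a7"  # Minecraft formatting prefix; UTF-8 bytes c2 a7


def utf8_ends_in_a7(ch: str) -> bool:
    """True if the character's UTF-8 encoding ends in byte 0xa7."""
    return ch.encode("utf-8")[-1] == 0xA7


def decode_irc(raw: bytes) -> str:
    """Decode an IRC payload: UTF-8 first, Latin-1 as a fallback."""
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        # A lone 0xa7 byte is invalid UTF-8 but is '§' in Latin-1.
        return raw.decode("latin-1")


def sanitize_relay_line(raw: bytes, strict: bool = False) -> str:
    """Return text that is safe to relay (hypothetical helper)."""
    text = decode_irc(raw).rstrip("\r\n")
    # Mirror the behaviour described in the report: '&' becomes the prefix.
    text = text.replace("&", SECTION)
    while text:
        last = text[-1]
        if last == SECTION or (strict and utf8_ends_in_a7(last)):
            text = text[:-1]  # drop the dangling character, re-check the tail
        else:
            break
    return text


if __name__ == "__main__":
    # Constructed sample payloads, not captured traffic.
    for sample in (b"hello&", b"hi&&\r\n", b"hello\xa7", "gar\u00e7".encode()):
        print(sample, "->", repr(sanitize_relay_line(sample)))
```

Stripping in a loop matters because removing one trailing § can expose another (for example a line ending in `&&`).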