ServerSigns Plugin Directory Traversal Exploit

Overview

ServerSigns is a Minecraft server plugin that lets server administrators attach actions to signs; the action runs when a player interacts with the sign.

A path-handling bug in the plugin lets anyone who holds its administrator permission read the contents of arbitrary files that the server process can access.

Analysis

The plugin supports scripts: the administrator command /svs import <script> attaches a script file to the sign you are targeting. The bug is that the argument is resolved as a relative path without rejecting ../ segments, so you can walk up out of the plugin's folder and point the sign at any file on the server (judging by the paths listed below, the argument is resolved relative to the plugin's own directory under plugins/). On its own that only lets you reference the file, not read it. However, once you have imported a non-script file such as ../../server.properties and right-click the sign, ServerSigns tries to execute the file as a script, fails on every line, and reports each failure in chat. The error message quotes the offending line, so the whole file is echoed into the player's chat line by line.

The errors occur because the file cannot be parsed as a ServerSigns script; the error handler's habit of echoing the offending line is what turns a harmless failure into a file read.

Exploiting

First, place a sign and run /svs create, then right-click the sign to register it as a ServerSigns sign. Next, run /svs import <file path>, using ../ to traverse out of the plugin's directory, and right-click the sign again.

Each line of the specified file is then printed to chat as part of an error message.

Prevention

At the time of writing there is no patch for this issue. Be careful who you grant administrator permissions to, and protect the server against attackers who can escalate to administrator on their own, e.g. by abusing the UUID spoofing vulnerability in BungeeCord setups.

Read more about UUID spoofing at: UUID Spoofing
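The following Python is an added example, not the plugin's own code (ServerSigns is a Java plugin and none of its source appears on this page). It shows the two things a practitioner wants from the Exploiting and Prevention sections above: the containment check that /svs import is missing, i.e. the shape of a fix, and a detector that runs the same check over server console log lines to flag import commands that escape the plugin's directory. The plugin directory path, the assumption that import resolves its argument relative to that directory, and the console log format ("<player> issued server command: /...") are assumptions; the sample log lines are constructed.

```python
"""Path-containment check and log detection for the ServerSigns /svs import
traversal.  Added example code; not the plugin's implementation.  The base
directory, log format and sample lines below are assumptions/constructed."""
import posixpath
import re

# Assumed location of the plugin's data folder (hypothetical path).
PLUGIN_DIR = "/srv/minecraft/plugins/ServerSigns"


def resolve_requested(base: str, requested: str) -> str:
    """Lexically resolve `requested` against `base`.

    This is the behaviour the page describes for the vulnerable import: the
    argument is joined onto the base directory and '..' segments are honoured,
    so '../../server.properties' lands in the server root.  Backslashes are
    treated as separators because servers also run on Windows.
    """
    requested = requested.replace("\\", "/")
    return posixpath.normpath(posixpath.join(base, requested))


def is_contained(base: str, requested: str) -> bool:
    """Hardened check: accept `requested` only if it resolves inside `base`.

    Rejects '..' escapes and absolute paths (posixpath.join discards the base
    for an absolute argument, which this check still catches).  Note this is a
    lexical check; a real fix should also canonicalise with realpath (Java:
    Path.toRealPath) so a symlink inside the scripts folder cannot escape.
    """
    base_n = posixpath.normpath(base)
    target = resolve_requested(base_n, requested)
    return target == base_n or target.startswith(base_n + "/")


# Assumed Bukkit/Spigot console format for player-issued commands.
IMPORT_RE = re.compile(
    r"(?P<player>\S+) issued server command: /svs\s+import\s+(?P<arg>\S+)",
    re.IGNORECASE,
)


def find_traversal_imports(lines):
    """Return (player, argument, resolved_path) for every /svs import whose
    argument escapes PLUGIN_DIR.  Imports that stay inside the folder, even
    ones containing '..' that normalise back in, are not reported."""
    hits = []
    for line in lines:
        m = IMPORT_RE.search(line)
        if not m:
            continue
        arg = m.group("arg")
        if not is_contained(PLUGIN_DIR, arg):
            hits.append((m.group("player"), arg, resolve_requested(PLUGIN_DIR, arg)))
    return hits


# Constructed sample console output (not real server logs).
SAMPLE_LOG = """\
[20:01:02] [Server thread/INFO]: Alice issued server command: /svs create
[20:01:10] [Server thread/INFO]: Alice issued server command: /svs import welcome
[20:02:30] [Server thread/INFO]: Mallory issued server command: /svs import ../../server.properties
[20:02:45] [Server thread/INFO]: Mallory issued server command: /svs import ../LiteBans/config.yml
[20:03:00] [Server thread/INFO]: Mallory issued server command: /svs import ../../bukkit.yml
[20:03:15] [Server thread/INFO]: Bob issued server command: /svs import scripts/../daily
[20:03:40] [Server thread/INFO]: Eve issued server command: /svs import /etc/passwd
""".splitlines()


if __name__ == "__main__":
    for player, arg, resolved in find_traversal_imports(SAMPLE_LOG):
        print(f"ALERT {player}: /svs import {arg} -> {resolved}")
```

Bob's "scripts/../daily" is deliberately not flagged: a naive check that simply refuses any argument containing ".." would reject legitimate names and still miss absolute paths, whereas resolving first and then testing containment handles both. Closing the traversal alone is not enough, though; the error handler should also stop echoing file contents into chat, since any other way of pointing a sign at an unexpected file would leak through the same channel.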

Useful paths

  • ../LiteBans/config.yml exposes the LiteBans MySQL server address and credentials
  • ../../bukkit.yml exposes the Bukkit database section, including the MySQL server address and credentials
  • ../../server.properties exposes the RCON port and password, if RCON is enabled on the server