PSA: ScheduledAnnouncer2

Discussion in 'Plugin Development' started by jflory7, Dec 27, 2013.

Thread Status:
Not open for further replies.
  1. Offline

    jflory7

    Hey Bukkit forums,

    Just a little "exploit" I've run into, if you'd call it that. ScheduledAnnouncer2 is more or less your typical announcement plugin, and it's used on over 1,000 Minecraft servers. It's probably one of the more reliable and popular announcer plugins out there, from my experience.

    I recently discovered during the past week of people coming on my server and abusing this command that the plugin developer for ScheduledAnnouncer2, Proeliumm, seems to have left a "backdoor" in his plugin where anyone is able to use the command "/announce say <message>". All that command does is broadcast a message across the server. Any player who knows about this little backdoor is able to use the command, as it seems to default to all players.

    After decompiling the source code for the plugin, it appears that he never added the command to the plugin.yml file, and it was never properly defined. I tried my hand at fixing it, but my Java experience is extremely limited, so I tried making a version that just cut out the "/announce say <message>" command entirely, but it's not the proudest thing I've ever made. If you use this plugin and want a temporary fix, you can contact me privately.

    Seeing as this is a pretty popular plugin and many server owners out there probably won't realize the problem they're allowing to possibly happen when they use the plugin, I encourage those of you with BukkitDev accounts to upvote this ticket and leave a comment on it if you feel so inclined. A comment on the main page for the plugin couldn't hurt either. I sent a PM to the main developer to get his attention, and I'm hoping that gets some attention as well.

    Hope this helps another server owner out there who may be using this plugin!

    - jflory7
     
  2. Offline

    maciekmm

    jflory7 Maybe you gave a permission to players? If not, maybe you should negate that.
     
  3. Offline

    kimb00p

    I have this same problem. I didn't give the permission to players, however anyone who comes onto the server can use this command. maciekmm jflory7
     
    jflory7 likes this.
  4. Offline

    maciekmm

    Negate announcer.moderate in permissions.
     
  5. Offline

    Syd

    Negating permissions won't work except for the receiver permission.
    I took a look at the source code and it's just a simple "bug", where the author checks for receiver permissions instead of moderator permissions.

    I wrote a comment under the ticket with the exact line number. ;)
     
    jflory7 likes this.
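
The mix-up described in the post above, modeled as an added stand-alone Java example; it is not ScheduledAnnouncer2's source and not code from any poster. The class and method names are hypothetical, `announcer.receiver` is an assumed name for the receiver node, and the defaults (everyone receives, nobody moderates) are assumptions taken from the behaviour reported in this thread.

```java
import java.util.HashMap;
import java.util.Map;

// Stand-alone model of the permission mix-up; not ScheduledAnnouncer2's source.
public class AnnounceSayCheck {
    // "announcer.moderate" is quoted in the thread; "announcer.receiver" is an assumed name.
    static final String MODERATE = "announcer.moderate";
    static final String RECEIVER = "announcer.receiver";

    // Hypothetical stand-in for a player: explicit grants or negations override the default.
    static class Player {
        final String name;
        final Map<String, Boolean> explicit = new HashMap<>();
        Player(String name) { this.name = name; }
        Player set(String node, boolean value) { explicit.put(node, value); return this; }
        boolean hasPermission(String node) {
            Boolean value = explicit.get(node);
            // Assumed defaults: everyone receives announcements, nobody moderates.
            return value != null ? value : node.equals(RECEIVER);
        }
    }

    // As described in the thread: "say" is gated on the receiver node.
    static boolean buggyMaySay(Player p) { return p.hasPermission(RECEIVER); }

    // Corrected gate: only holders of the moderator node may broadcast.
    static boolean fixedMaySay(Player p) { return p.hasPermission(MODERATE); }

    public static void main(String[] args) {
        Player[] players = {
            new Player("no explicit permissions"),
            new Player("moderate negated").set(MODERATE, false),
            new Player("receiver negated").set(RECEIVER, false),
            new Player("moderate granted").set(MODERATE, true),
        };
        for (Player p : players) {
            System.out.printf("%-24s buggy=%-5b fixed=%b%n", p.name, buggyMaySay(p), fixedMaySay(p));
        }
    }
}
```

Under the buggy gate, negating the moderator node changes nothing; only negating the receiver node blocks the command, and that also stops the player from seeing announcements.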
  6. Offline

    jflory7

    We can only hope that the author will actually view the ticket and fix it accordingly.

    kimb00p
    I have a temporary fix version that removes /announce say altogether if you'd like it. Contact me privately for it if you'd be interested.
     