Discussion in 'BukkitDev Information and Feedback' started by korikisulda, Oct 27, 2014.
Very nicely detailed, thanks for sharing.
You do know, by posting this, loads of childish coders are going to try to use this as much as possible.
My advise to everyone at this time is to only download plugins that have been popular for some time.
Do NOT download magical 'new' plugins from people who have never made a decent plugin before.
This is not possible on BukkitDev. Worry about other places code needs to be audited.
Very nice tutorial. Did not know this. Learn something new everyday
korikisulda I think it's been covered pretty well in IRC and such as to why this guide shouldn't exist, but regardless, it should at least not be in this section. This isn't really BukkitDev feedback/information, is it?
Shouldn't it? Since Curse posted the bugreport links, it was public anyway. That's not a choice I actually made. The choice I had to make was between relative obscurity, or disclosure. Perhaps I made a mistake, but I can't change what happened.
Regardless, of that, you are correct. Problem is, where?
korikisulda Security through obscurity isn't very reliable, I'll give you that. But it's certainly better than not only no security, but having an actual step-by-step guide showing anyone who happens across is how to exploit the bug. From what I understand, major security issues are usually reported in private, not in public. And the linked reports do not explain exactly how to perform the exploit. This does. Your whole approach is fundamentally wrong here.
Where? I maintain nowhere on these forums. If I had to pick a section, off-topic would be the most fitting.
Fair enough. Prefer the tutorial now? :s
korikisulda Sadly I can't say no harm done, but it's definitely better than it being there. I appreciate you taking it down.
And yeah. I made a mistake. I can only apologise for it.
At the moment, it's impossible to know if any harm was done. I hope not (obviously. I'm not evil or anything :s), but there's little I can do now. Heyho. I suppose the important thing is that I learn from the mistakes.
EDIT by Moderator: merged posts, please use the edit button instead of double posting.
Just so everyone knows Kori's work has made it possible for us to get a tool in place to audit files for the presence of these hidden code snippets. We're doing a retroactive scan currently before we start processing new files again.
This post is worthless.
It was originally a tutorial on how to exploit the discussed vulnerability. It was later removed at the author's discretion, and that image was used as a placeholder.
Absolutely. At least it's worthless instead of potentially harmful.
Wow. We have so much to learn; ORACLE HIRE KORI!
Are you kidding?
Oracle did nothing wrong. The only person at any sort of fault is the developer of Procyon, and even then, he's doing it by himself, so it's been an excellent job so far (and even now).
I am kidding.
And I thought all along people were doing this to keep others from decompiling there plugins and stealing them , Thanks for the Info.
Well... I mean, you could do that. I'm probably going to theta-level encrypt one of my plugins that way. :3
If a JVM can run it, someone can steal it ^.^ In the end, you've put them to more effort, but it's still possible.
That, or just go to the memory dump and find your constants lol. But it's more fun to make them do more work.
Don't be surprised if your plugins take weeks to be approved though....
I probably wouldn't put it on BukkitDev.
Then what's the point? Who can admire your obfuscation art form?
There are other places to put up plugins, you know.
Just none as popular as BukkitDev.
I don't know. Don't question my brilliance!
Separate names with a comma.