Full vulnerability disclosure: Complex Minecraft Server List

Discussion in 'Offtopic' started by vemacs, Jun 20, 2013.

  1. vemacs

    vemacs Artist

    We've given the dev 2 days to respond. No response was received, although one of the vulnerabilities was fixed. However, the rest are relatively simple vulnerabilities that suggest a novice programmer, and are still exploitable in version 1.6.

    Given that the dev really doesn't seem to give a damn about security, we have decided to release this, as a demonstration that you really shouldn't be running a Minecraft server list off of this template.


    Since there really hasn't been an adequate response, and not many sites will be affected (we notified 16 of the popular ones 48 hours in advance), we (#tacos) do feel that this is a responsible disclosure. No scripts or such will be provided.

    For list owners, I recommend that you shut down your list.
    Last edited: Jun 22, 2013
  2. The Tacos Initiative™
  3. I'm more surprised that the dev wouldn't even respond to you. Not understanding how to fix it is one thing, ignoring the problem entirely is completely different.
  4. He has some stones, I'll give him that. Selling software full of vulnerabilities like this.
  5. Tux

    Tux Wiki Team

    This template has other reasons why it sucks. I neglect to list them as you can figure it out yourself.
  6. Looking at that source code makes me sad. mysql_connect and mysql_query rampant. No output class, but rather just a bunch of pages with ?> some HTML <?php.

    If you're going to sell something that's going to run on someone's server and be publicly accessible, you should have the responsibility to at least know the standards for the programming language you're using as well as a fair amount of security knowledge. Instead, with this script, it looks more like recklessness and the developer having no regard for their own customers' security.
  7. Would you reckon that sanitizing the banner using
    $banner  = htmlspecialchars($_POST['banner_url']);
    would be sufficient?

    As someone who has one of these lists publicly, I kinda feel like I should wait for the author to update this (if he does).
  8. That.... is just bad.
  9. Not really. There are many more issues with this script than that, and many more than just the ones outlined in the document. Actually, taking a second look at add_server.php, I see another four (heck, there may even be more than that) exploits with that single MySQL query to add a server. The funny thing about these other four exploits though? It looks like the author tried to prevent them, but failed miserably because they didn't read the documentation.

    Honestly, if I had this script on my server, I'd be going as fast as I possibly can to get it all taken down. This isn't just a few minor issues here and there, it's a script that's fatally flawed because the author seems to have no proper knowledge of how to secure it.
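
On the question in post 7 and the answer in post 9: htmlspecialchars() only encodes HTML metacharacters, so it neither restricts the URL scheme of a banner link nor protects the SQL query that stores it. The following is an added example, not code from the template or from any poster; the function names, the servers table and the sample submissions are hypothetical, and in-memory SQLite stands in for the list's MySQL database.

```php
<?php
// Added example; function names, table and columns are hypothetical.
declare(strict_types=1);

/** Accept only absolute http(s) URLs of bounded length; return null otherwise. */
function validate_banner_url(string $raw): ?string
{
    $url = trim($raw);
    if ($url === '' || strlen($url) > 255) {
        return null;
    }
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true) ? $url : null;
}

/** Escape at output time, for an HTML attribute context. */
function banner_img_tag(string $url): string
{
    $safe = htmlspecialchars($url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<img src="' . $safe . '" alt="Server banner">';
}

// Constructed demo database standing in for MySQL.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE servers (id INTEGER PRIMARY KEY, name TEXT, banner_url TEXT)');

// Constructed sample submissions (stand-ins for $_POST data).
$submissions = [
    ['name' => "Bob's Survival", 'banner_url' => 'https://example.com/banner.png?a=1&b=2'],
    ['name' => 'Bad scheme',     'banner_url' => 'javascript:void(0)'],
    ['name' => 'Not a URL',      'banner_url' => '"><b>x</b>'],
];

$insert = $pdo->prepare('INSERT INTO servers (name, banner_url) VALUES (:name, :banner)');
foreach ($submissions as $s) {
    $url = validate_banner_url($s['banner_url']);
    if ($url === null) {
        echo "rejected: {$s['name']}\n";
        continue;
    }
    // Values are bound as parameters, never concatenated into the SQL string.
    $insert->execute([':name' => $s['name'], ':banner' => $url]);
}

foreach ($pdo->query('SELECT banner_url FROM servers') as $row) {
    echo banner_img_tag($row['banner_url']), "\n";
}
```

Validation happens on input, parameter binding at the query, and HTML encoding only when the value is written into the page; each step covers a different context.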
  10. Welcome to PHP Programming 101 as applied by what looks like a Java Programming 101 student...
  11. #11
  12. Sorry, I am not current on the situation, but what exactly is happening? I am confused.
  13. vemacs

    vemacs Artist

    1. We informed the developer and owners of large lists based on these templates of the vulnerabilities

    2. The owners patched the vulnerabilities

    3. We released the vulnerabilities

    4. Yesterday, the developer responded to the disclosure, and we are working with him to fix the template (mostly).
  14. Ahh, I see. Thank you.