BookExploitFix 0.11

Fixes an exploit allowing hack clients to create books with JSON commands

  1. minoneer
    Native Minecraft Version:
    1.13
    Tested Minecraft Versions:
    • 1.8
    • 1.9
    • 1.10
    • 1.11
    • 1.12
    • 1.13
    This plugin aims to fix an exploit on recent Spigot/CraftBukkit servers which allows players to create books which execute commands on click.

    Does my server need this plugin?

    Your server is vulnerable to this exploit when ONE of these conditions is met:
    Your server version is between 1.8 and 1.8.3
    OR
    Your server version is 1.8 or newer (including 1.9, 1.10, 1.11, 1.12, 1.13) and players have creative mode

    How does it work?
    Since version 1.8, book pages are stored as JSON strings, which can encode actions that run when the text is clicked. This includes opening URLs, executing commands, etc. Hackers exploit this by encoding commands like /op and then trying to get someone with the appropriate permissions to click the page. In less drastic cases, they can use it to get unsuspecting players to transfer money, give build permissions, etc.

    What does the plugin do?

    This plugin counters these attempts by filtering the book pages on certain in-game events and replacing the potentially harmful actions with a simple and harmless hover message.
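
The filtering step described above, sketched as an added example (this is not the plugin's own code, which is not shown on this page). It assumes the standard text-component keys `clickEvent`, `hoverEvent` and `extra`, and treats only `change_page` as a safe click action; the allow-list, the notice text and the sample page are constructed for illustration.

```python
import json

# Assumption: only page navigation is treated as a harmless click action.
SAFE_CLICK_ACTIONS = {"change_page"}
NOTICE = "Click action removed by book filter"  # constructed hover text


def sanitize_component(node):
    """Recursively replace unsafe clickEvents in a parsed text component."""
    if isinstance(node, list):
        return [sanitize_component(child) for child in node]
    if not isinstance(node, dict):
        return node  # plain strings, numbers and booleans carry no events
    # Copy every key except clickEvent, descending into "extra", "with", etc.
    clean = {k: sanitize_component(v) for k, v in node.items() if k != "clickEvent"}
    if "clickEvent" in node:
        click = node["clickEvent"]
        action = click.get("action") if isinstance(click, dict) else None
        if action in SAFE_CLICK_ACTIONS:
            clean["clickEvent"] = click
        else:
            # Unknown or dangerous action: swap it for a harmless hover message.
            clean["hoverEvent"] = {"action": "show_text", "value": NOTICE}
    return clean


def sanitize_page(raw_page):
    """Return the filtered JSON string for one book page."""
    try:
        parsed = json.loads(raw_page)
    except ValueError:
        # Fail closed: input this parser rejects is stored as inert plain
        # text, in case the server's parser is more lenient than this one.
        return json.dumps({"text": raw_page})
    return json.dumps(sanitize_component(parsed))


# Constructed sample page: one command click and one page-turn click.
SAMPLE_PAGE = json.dumps({
    "text": "Free diamonds! ",
    "extra": [
        {"text": "[claim]",
         "clickEvent": {"action": "run_command", "value": "/op SomePlayer"}},
        {"text": " next page",
         "clickEvent": {"action": "change_page", "value": "2"}},
    ],
})

if __name__ == "__main__":
    print(sanitize_page(SAMPLE_PAGE))
```

Filtering against an allow-list rather than a list of known-bad actions means a click action added in a later game version is stripped by default.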


    Plugin Description

    Commands:

    /filter - Actively applies the filter on the book in your hand.
    aliases: /bookfilter | /filterbook

    Permissions:

    bookfilter.filter - Gives access to the /filter command
    bookfilter.overridefilter - Overrides filtering when reading books

    Requirements:

    CraftBukkit or Spigot version 1.8 - 1.13
    Java 8 or newer

    I recommend that you "Watch This Resource", as I will push critical fixes as fast as I can. Any feedback and suggestions for improvement are very welcome!

    History
    Spigot has fixed the exploit for survival mode in this commit, which means in Spigot/CraftBukkit version 1.8.3 and later. In creative mode, inventories are handled differently, so creative mode is still affected.

    Disclaimer: I have tested this plugin in test and live environments. However, plugins can always contain bugs and unintended behaviour. If you use this plugin, you do so at your own risk. I cannot be held responsible for any consequences from using this plugin. If you encounter any bugs, please report them so they can be fixed.

Recent Reviews

  1. frizzbee30
    5/5,
    Version: 0.9
    Great extra layer of protection for those of us who run the latest spigot, and have creative worlds or allow GM1 in survival etc :)
  2. dvargas135
    1/5,
    Version: 0.7
    You don't need this for 1.9 and above... Why update? Lol. It's only for 1.8.3 and below
    1. minoneer
  3. Bolean
    5/5,
    Version: 0.7
    nice mate thanks btw .
  4. RedstoneFuture
    5/5,
    Version: 0.6
    Can you pls update for Minecraft 1.9? :) I like the plugin. LG Robert_LP
    1. minoneer
      Author's Response
      As stated at the top of the page, the exploit has been fixed in spigot. There is no need for this plugin on 1.9 any more.
  5. voodootje0
    5/5,
    Version: 0.6
    Thank you very much!
  6. 420Rekt
    5/5,
    Version: 0.6
    Thank you very much for making this. It works and it does exactly what it's meant to do. 5/5

    IP: play.FunMC.us
  7. Zomberr
    5/5,
    Version: 0.6
    It worked great when I tested it!
  8. 7rory768
    5/5,
    Version: 0.6
    Works great, would just be nice if it worked on 1.8.6
    1. minoneer
      Author's Response
      It does work on 1.8.6
  9. Aoro
    5/5,
    Version: 0.6
    nice plugin
  10. det483
    5/5,
    Version: 0.5
    Great plugin! Works fine :)