Want a better Minecraft server?
Read about SpigotMC here!

Menu
Home
Home

Quick Links
Forums
Forums

Quick Links
- Search Forums
- Recent Posts
Resources
Resources

Quick Links
Search titles only

Posted by Member:

Separate names with a comma.

Newer Than:

Search this category only

Search only resource descriptions

More...

Useful Searches

Recent Posts
Wiki
Wiki

Quick Links
Team
Team

Quick Links
Downloads
Downloads

Quick Links
Discord
Hub
Issues
Chat
Members
Members

Quick Links
Donate
Menu

Download Now 82.6 KB .jar

BookExploitFix 0.15

Fixes an exploit allowing hack clients to create books with JSON commands

Native Minecraft Version:

1.15
Tested Minecraft Versions:

1.8
1.9
1.10
1.11
1.12
1.13
1.14
1.15
This plugin aims to fix an exploit on recent Spigot/CraftBukkit servers which allows players to create books which execute commands on click.

Does my server need this plugin?
Your server is vulnerable to this exploit when ONE of these conditions are met:
Your server version is between 1.8 and 1.8.3
OR
Your server version is 1.8 or newer (including 1.9, 1.10, 1.11, 1.12, 1.13, 1.14, 1.15) and players have creative mode

How does it work?
Since version 1.8, book pages are stored as JSON strings, which allow to encode actions when the text is clicked. This includes opening URL, executing commands, etc. Hackers exploit this by encoding commands like /op and then try to get someone with the appropriate permissions to click the page. In less drastic cases, they can use it to get unsuspecting players to transfer money, give build permissions, etc.

What does the plugin do?
This plugin counters these atempts by filtering the book pages on certain ingame events and replacing the potentially harmful actions with a simple and harmless hover message.

Plugin Description

Commands:

/filter - Actively applies the filter on the book in your hand.
aliases: /bookfilter | /filterbook

Permissions:

bookfilter.filter - Gives access to the /filter command
bookfilter.overridefilter - Overrides filtering when reading books

Requirements:

CraftBukkit or Spigot version 1.8 - 1.15
Java 8 or newer

I recommend to "Watch This Resource" as I will push critical fixes as fast as I can. Any feedback and suggestions for improvement are very welcome!

History
Spigot has fixed the exploit for survival mode in this commit which means in spitogt/craftbukkit version 1.8.3 and later. In creative mode, inventories are handled differently and is therefore still affected.

Disclaimer: I have testet this plugin in test and live environments. However, plugins can always contain bugs and unintended behaviour. If you use this plugin, you do so on your own risk. I cannot be held responsible for any consequences from using this plugin. If you encounter any bugs, please report them so they can be fixed.
hooptiecoupe, royalkingkb, Jonah_Ferguson and 10 others like this.

Recent Updates

BookExploitFix version 0.15 Dec 11, 2019
BookExploitFix version 0.14 Aug 11, 2019
BookExploitFix version 0.13 May 7, 2019

Read all 14 updates...

Recent Reviews

Nickster258

3/5,

Version: 0.15
While this plugin works, updates are slow and servers are left vulnerable to these exploits while waiting. This is frustrating as updating the plugin is trivial. Sadly, it imports the net.minecraft server classes of the specified version instead of using Java reflection to dynamically load the necessary classes. The core of the fix has not changed since 1.8.

Aug 18, 2020
__Vekster007__

5/5,

Version: 0.15
Good! Good! Good! Good! Good! Good! Good! Good! Good! Good! Good! Good! Good! Good!

May 13, 2020
coolpvpv

2/5,

Version: 0.15
ill give it a 2 sense it doesn't make the server crash with jigaws servercrasher mode set to the tothedumpster but it still lags the crap out of it where it cant be playable

Dec 12, 2019
1. Author's Response
  Preventing server crashes due to malicious packages is not the purpose of this plugin. Please do not review plugins on tasks they were never meant to do.
hjk321

5/5,

Version: 0.14
Absolutely brilliant. Supposedly the exploit is patched for some versions but why risk it? The included command allows it to be easily tested too which is a nice plus.

Aug 29, 2019
TaquitoNortenio

5/5,

Version: 0.14
¡Un muy gran complemento, gracias por ayudar a mejorar la comunidad en contra de los hackers! [ESP]

Aug 14, 2019
Nirewen

5/5,

Version: 0.13
Excelent plugin! It worked like a charm. I was wondering if you could do the same for signs with commands too. I have a creative server and users started to create custom signs and for some reason the commands executed in them have op permission. It would be great to have this disabled and I didn't find anything about this on the internet

Aug 11, 2019
X00LA

5/5,

Version: 0.11
Great Plugin for all who wants to keep their servers clean and secure.

Thanks!

Please keep up this nice peace of code!

Nov 22, 2018
skino0

5/5,

Version: 0.11
Sounds good! Im gonna check this out <3 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Oct 25, 2018
frizzbee30

5/5,

Version: 0.9
Great extra layer of protection for those of us who run the latest spigot, and have creative worlds or allow GM1 in survival etc :)

Jul 23, 2018
dvargas135

1/5,

Version: 0.7
You don't need this for 1.9 and above... Why update? Lol. It's only for 1.8.3 and below

Apr 7, 2017
1. Author's Response
  See my clarification here: https://www.spigotmc.org/threads/bookexploitfix.60222/page-6#post-2338844

Read all 23 reviews...