Update your spigot!

Discussion in 'Spigot Discussion' started by joehot200, Sep 4, 2013.

  1. joehot200

    Supporter

    Hi, just letting everyone know that due to this:
    http://www.planetminecraft.com/blog/psa-server-exploit-discovered-update-immediately/
    everyone should update their Spigot builds immediately. Not sure what it's all about, but thought I'd let everyone know.
    Edit:
    md_5, andrewkm and dinnerbone have managed to find and track down a user authentication exploit, that in certain cases can allow players to login as other players.
    This exploit has been found in the wild, and came to the attention of some server owners noticing odd behaviour in their server logs. At this point however, most of the reports of affected servers have been running Spigot.
    While the exploit will affect vanilla and CraftBukkit servers, a recent change to Spigot adjusting the threaded behaviour of the login checks greatly increased the chances of someone pulling off the exploit.
    During testing we found it was possible to replicate this exploit on Spigot (versions 1082-1089) with a success rate of above 10%, while on vanilla/CraftBukkit servers the current exploit code had a success rate of less than 1%.
    For people running the affected versions of Spigot (versions 1082-1089), I would recommend upgrading to 1090, which should help to address this issue.
    Until this patch gets applied mainstream (manages to make it through QA) keep a close eye on your server log, for failed user login attempts. It might also be a good time to check your backup system, just in case a more wildly reproducible version of this exploit is developed while you are tucked up in bed.
    ~
    Just to reiterate, this is not a Spigot issue, but people running Spigot 1082-1089 have a higher chance of being affected than other users.
     
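An added example, not part of the thread and not Spigot's own code: a small POSIX shell/awk triage for the "failed user login attempts" the announcement above says to watch for. The sample log lines are constructed here, and the line layouts (a `[INFO] Disconnecting NAME [/IP:PORT]: Failed to verify username!` disconnect and a `NAME[/IP:PORT] logged in with entity id` login) are an assumption about the 2013-era CraftBukkit/Spigot logger; adjust the awk field numbers if your server.log differs.

```shell
#!/bin/sh
# Added example (not from the thread or Spigot). Triage of "Failed to verify
# username!" disconnects in a CraftBukkit/Spigot-style server.log.
# ASSUMED line layouts (adjust the awk field numbers if yours differ):
#   DATE TIME [INFO] Disconnecting NAME [/IP:PORT]: Failed to verify username!
#   DATE TIME [INFO] NAME[/IP:PORT] logged in with entity id N at (...)

# Constructed sample log so the script runs offline; not real server output.
sample_log() {
cat <<'EOF'
2013-09-04 18:01:02 [INFO] joehot200[/198.51.100.7:51234] logged in with entity id 1 at ([world] 10.5, 64.0, -3.5)
2013-09-04 18:02:10 [INFO] Disconnecting Dmck2b [/203.0.113.9:40001]: Failed to verify username!
2013-09-04 18:02:11 [INFO] Disconnecting Dmck2b [/203.0.113.9:40002]: Failed to verify username!
2013-09-04 18:02:12 [INFO] Disconnecting Dmck2b [/203.0.113.9:40003]: Failed to verify username!
2013-09-04 18:02:13 [INFO] Dmck2b[/203.0.113.9:40004] logged in with entity id 2 at ([world] 0.0, 64.0, 0.0)
2013-09-04 18:05:00 [INFO] kyle[/192.0.2.44:33000] logged in with entity id 3 at ([world] 1.0, 64.0, 1.0)
2013-09-04 18:06:00 [INFO] Disconnecting kyle [/192.0.2.44:33001]: Failed to verify username!
EOF
}

# Count of failed verifications per "NAME IP", highest first; pass MIN to hide one-offs.
failed_verify_summary() {   # args: logfile [min_count]
    awk -v min="${2:-1}" '
        /Disconnecting .* Failed to verify username!/ {
            name = $5; ip = $6
            sub(/^\[\//, "", ip); sub(/:.*$/, "", ip)    # "[/203.0.113.9:40001]:" -> "203.0.113.9"
            fails[name " " ip]++
        }
        END { for (k in fails) if (fails[k] >= min) print fails[k], k }
    ' "$1" | sort -rn
}

# Names that were rejected and LATER logged in successfully: the trail a spoofed
# login that eventually got through would leave. One line per such login.
suspicious_logins() {       # args: logfile
    awk '
        /Disconnecting .* Failed to verify username!/ { fails[$5]++ }
        / logged in with entity id / {
            split($4, p, "[")                              # "Dmck2b[/203.0.113.9:40004]"
            name = p[1]; ip = p[2]
            sub(/^\//, "", ip); sub(/:.*$/, "", ip)
            if (fails[name] > 0)
                print name, "failed", fails[name], "times then logged in from", ip
        }
    ' "$1"
}

# Stand-alone demo on the constructed sample. Against a live server, e.g.:
#   failed_verify_summary /home/mc/server.log 3 ; suspicious_logins /home/mc/server.log
demo_log=$(mktemp)
sample_log > "$demo_log"
echo "== failed verifications: count name ip =="
failed_verify_summary "$demo_log" 2
echo "== rejected names that later logged in =="
suspicious_logins "$demo_log"
rm -f "$demo_log"
```

The first function groups rejections by name and source address so a burst of retries stands out from a single typo; the second catches the case that actually matters here, a name that was rejected and then accepted. Neither proves an account was taken over, so treat a hit as a prompt to compare against the player's usual address and check what that session did.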
  2. Dmck2b

    Services Staff

    Updating should be a given while we are still on dev builds imo.
     
  3. joehot200

    Supporter

  4. Are builds before these safe?
     
  5. joehot200

    Supporter

    During testing we found it was possible to replicate this exploit on Spigot (versions 1082-1089) with a success rate of above 10%, while on vanilla/CraftBukkit servers the current exploit code had a success rate of less than 1%.
    For people running the affected versions of Spigot (versions 1082-1089), I would recommend upgrading to 1090, which should help to address this issue.
     
  6. I should have been more clear with my questions.

    I use 1030 on all my servers. Based on your last post, it would seem this bug is only found in builds 1082-1089?
     
  7. joehot200

    Supporter

    The bug has a less than 1% chance of working on those builds, but it's not nonexistent.

    That's what I think anyway.

    I would recommend you update your Spigot just in case. Better safe than sorry! :)
     
  8. Dmck2b

    Services Staff

  9. joehot200

    Supporter

    As long as it's the right version, and it works without randomly keeling over, I stick with it. Also it saves me more restarts :p
     
  10. This really sucks. Lost all of my server. Time to rebuild.
     
  11. joehot200

    Supporter

    There are advantages to being cracked, despite the comments of LaxWasHere :3
    Disadvantages too, of course :)
     
  12. I'd like you to list them all.
     
  13. Sounds like a proper server backup routine wasn't in use.
     
  14. joehot200

    Supporter

    Advantages of cracked server: This premium guy just lost his server because of an exploit by logging into his admins. Cracked servers are prepared for this with xAuth, premium servers are not.

    Neither is it on mine because I can't work out how to copy files over with FTP :p

    I need a new world anyway. derp.

    Saving crucial areas as schematics often works for me :)
     

    I have the data tar'd and stored periodically throughout the day, then I have my hub server download all my backups with rsync daily. If for whatever reason I kill an SSD, the most data loss I will have is 24 hours. If you do not have a spare server, does your host not provide backup space?

    EDIT: No need to reply here, I am going heavily off topic
     
  16. joehot200

    Supporter

    md_5
     
  17. kyle
    Because it would be fucking stupid to tell people the exploit until it was fixed on all/most servers... (Sorry putting it as nice as I can)
     
  18. Write a small bash script which mounts the backup FTP server and copies all world files (curlftp)? What's the problem? Put it as a cron job and you're done.
     
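An added example, written for the backup routine described in the two posts above (periodic tar archives, then an offsite copy; a cron job writing into a mounted FTP backup) and not code from anyone in the thread: a POSIX shell script that tars every world directory under a server directory into a destination directory, verifies each archive before pruning old ones, and is meant to be called from cron. The paths, the "a directory containing level.dat is a world" rule and the retention count are assumptions; the destination can be a local directory or an already-mounted curlftpfs/sshfs mount point (mounting is left to fstab or a separate cron line).

```shell
#!/bin/sh
# Added example, not from the thread. Rotating tar backups of every world
# directory under a server directory, meant to run from cron. All paths, the
# "directory that contains level.dat is a world" rule and the retention count
# are assumptions; DEST_DIR may be a plain directory or an already-mounted
# curlftpfs/sshfs mount point (mounting is left to fstab or a separate cron line).

# tar one world into DEST/<world>-<stamp>.tar.gz; prints the archive path.
backup_world() {            # args: world_dir dest_dir [stamp]
    world_dir=$1; dest=$2; stamp=${3:-$(date -u +%Y%m%dT%H%M%SZ)}
    name=$(basename "$world_dir")
    [ -f "$world_dir/level.dat" ] || { echo "skip $world_dir: no level.dat" >&2; return 1; }
    mkdir -p "$dest" || return 1
    archive="$dest/$name-$stamp.tar.gz"
    # Write to a .part name first so an interrupted run never leaves a
    # plausible-looking but truncated archive behind.
    tar -C "$(dirname "$world_dir")" -czf "$archive.part" "$name" || { rm -f "$archive.part"; return 1; }
    mv "$archive.part" "$archive" || return 1
    echo "$archive"
}

# Re-read the archive and require level.dat in it: catches short writes on a
# flaky FTP mount before the old copies get pruned.
verify_archive() {          # args: archive
    tar -tzf "$1" 2>/dev/null | grep -q '/level\.dat$'
}

# Keep only the newest KEEP archives for one world name (timestamps sort lexically).
prune_archives() {          # args: dest_dir world_name keep
    ls -1 "$1"/"$2"-*.tar.gz 2>/dev/null | sort -r | tail -n +"$(($3 + 1))" |
        while read -r old; do rm -f "$old"; done
}

# Back up every world under SERVER_DIR; prune only after a verified success.
backup_worlds() {           # args: server_dir dest_dir [keep]
    server=$1; dest=$2; keep=${3:-48}
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    status=0
    for w in "$server"/*/; do
        w=${w%/}
        [ -f "$w/level.dat" ] || continue          # plugins/, logs/ ... are not worlds
        if archive=$(backup_world "$w" "$dest" "$stamp") && verify_archive "$archive"; then
            prune_archives "$dest" "$(basename "$w")" "$keep"
        else
            echo "backup of $w FAILED, keeping old archives" >&2
            status=1
        fi
    done
    return $status
}

# Stand-alone demo on a constructed server directory. For cron, something like
#   0 * * * * /home/mc/backup_worlds.sh   (a script ending in: backup_worlds /home/mc/server /mnt/backup 48)
demo=$(mktemp -d)
mkdir -p "$demo/server/world" "$demo/server/world_nether" "$demo/server/plugins"
echo "constructed, not a real level.dat" > "$demo/server/world/level.dat"
echo "constructed, not a real level.dat" > "$demo/server/world_nether/level.dat"
backup_worlds "$demo/server" "$demo/backups" 3 && ls -1 "$demo/backups"
rm -rf "$demo"
```

Two caveats a practitioner would want: tar reads the world while the server may be writing it, so an archive can capture a save mid-write; pausing saves around the tar (save-off, save-all, tar, save-on from the console or RCON) gives a consistent copy, and the verify step here only catches truncated archives, not inconsistent ones. And a backup that lives only on the same disk is not a backup against the failure described above, so pair this with the daily rsync pull to another machine that the earlier post describes.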
  19. joehot200

    Supporter

    I didn't know how to copy over folders. Now that kyle suggested tarring the world, I am already making a script to do this :)

    If you have an existing one that would be most welcome.
     
  20. Check your inbox in a few.