⚠️ Potential ForceOP exploit #18

@ProJakob

Description

Sending a plugin message to the channel "ecb:channel" with the UTF-String contents "ActionsSubChannel" and "console_command: op %player%" will result in the plugin running the untrusted command from the packet. This needs bungeecord to be enabled in the spigot.yml file.

Potential fix:
Simply blocking any messages coming on that channel from a client connection via the proxy (Velocity, BungeeCord) would resolve this issue.
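
One way to apply the fix suggested above on a BungeeCord proxy, as an added example that is not part of the original issue or of the plugin's own code: a listener that drops plugin messages on ecb:channel whose sender is a client connection, while leaving backend-originated messages alone. The package and class names are hypothetical, and the plugin still needs its usual plugin.yml.

```java
package example.ecbfilter; // hypothetical package name

import net.md_5.bungee.api.connection.ProxiedPlayer;
import net.md_5.bungee.api.event.PluginMessageEvent;
import net.md_5.bungee.api.plugin.Listener;
import net.md_5.bungee.api.plugin.Plugin;
import net.md_5.bungee.event.EventHandler;
import net.md_5.bungee.event.EventPriority;

// Hypothetical proxy-side plugin: the channel name is taken from the issue text.
public final class EcbChannelFilter extends Plugin implements Listener {

    private static final String GUARDED_CHANNEL = "ecb:channel";

    @Override
    public void onEnable() {
        // Register this class as the listener for proxy events.
        getProxy().getPluginManager().registerListener(this, this);
    }

    // LOWEST is dispatched first on BungeeCord, so the message is cancelled
    // before other proxy plugins act on it.
    @EventHandler(priority = EventPriority.LOWEST)
    public void onPluginMessage(PluginMessageEvent event) {
        if (!GUARDED_CHANNEL.equalsIgnoreCase(event.getTag())) {
            return; // other channels are not touched
        }

        // The sender is a ProxiedPlayer when the message came from a client,
        // and a Server when it came from a backend. Only the backend side
        // is a legitimate source for this channel.
        if (event.getSender() instanceof ProxiedPlayer) {
            event.setCancelled(true); // stops forwarding to the backend server

            ProxiedPlayer player = (ProxiedPlayer) event.getSender();
            getLogger().warning("Dropped client-originated plugin message on "
                    + GUARDED_CHANNEL + " from " + player.getName()
                    + " (" + player.getUniqueId() + ")");
        }
    }
}
```

The filter only covers connections that pass through the proxy running it, and the logged warning gives operators a record of each client that sent a message on the guarded channel.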
