I am reporting this issue direct to you guys as its not really appropriate for the standard issue tracker you see why by reading below. Sorry for being long I wanted to give you as much info as possible.
Have no idea where to report this but i'll explain it and you can decide. It is ultimately mojang issue as it will only happen in 1.8.3 clients and it will happen if i login into a vanilla MC server.. BUT I can only start the conditions for it to happen from a spigot/craftbukkit plugin. Previous client versions are unaffected by this problem.
Please remember I am dyslexic.
What is the Security Issue ?
This will only work if the player is using 1.8.3 client.
A server can send chat packets(Many be others) to players that are not on their server. By this I mean I player visits server A (This is the server that starts the conditions for the issue to happen) they leave this server and when log in to a completely different server, call it server B (Server B can be on a bungee network, a Lillypad network, neither, or be a vanilla MC server). Now on server B the player will still receive all chat messages, Title , header and foot packets (The Title and header and foot packets are being updated this isn't static) from server A. Server A can also change the players hotbar items when player is on server B, likely they are only ghost items. The issue gets a little more complicated as if Server A is on a bungee network and they kick the player to a different server on their network, player on server B will now receive all chat etc from that server.
How do I replicate the conditions ?
This is not that straight forward as the only way so far I can replicate it is to use a plugin thats openly available on spigot and bukkit. The plugin in no way are trying to hide a rat, as I said if you aren't in 1.8.3 client there is no issues.
The plugin can be found here http://www.spigotmc.org/resources/ultrahardcore-reloaded.1622/ also on Github https://github.com/AmauryCarrade/UHPlugin
I have tested this on 1.7.10 protocol hack version as well as the very latest build of spigot. I have tested it with his release version and his dev version, all produce the same results if player is using 1.8.3 client. I played UHC on hypixels server with 1.8.3 client and not do have this issue.
On brief inspection it must have something to do with the way he respawns dead players and them connected to scoreboards or the use of hardcore hearts using propocol lib as this is normally only available in single player mode.This is just a guess.
I discovered the issue on a server called UHCZone which happens to use this plugin and also at the same time I am building a UHC plugin so have been researching how others are implementing it and whats popular and whats not.
This will show you a series of screen shots showing the complete Issue I start on UHCZone playing a game called flower power, you will need to see the chat in the images to follow whats going on. Hope you get the idea. http://imgur.com/a/jbY3f#0 this link is hidden so only ppl who know the URL can find it as soon as you have seen it i will remove it all together.
The quickest way for you to experience it is to go to us.uhc.zone using a 1.8.3 client play a game of Flower Power, when you die doesn't matter how you take to die just login to ANY other server i used my own but make no difference.
There is currently own me and another dev, plus MD_5 from Spigot who know about this as currently I don't know what the potential is in regarding exploiting the issue for hacking purposes. Either way something is seriously up with the 1.8.3 client.
I will leave it up to you guys deal with it. I will not be debating who's issue this is I am just informing you.
Linked issues
is duplicated by 1
relates to 1
Attachments
Comments 26
Yes bungee is NOT needed to create this issue. It can be to 2 single servers on different ip's any where in the world owned by completely separate people.
I server owner can potential cause a player to crash when there on somebody else's server by sending a corrupt packet on purpose. Or play tricks by sending ghost blocks which would seem like it was real to the unsuspecting player. until they click on them..
Oh another thing when the player leaves player A, all sound from the server will still be heard when not logged into any server, by the I mean in the MP server selection list in the client.
From hours of research I personally feel I could find a way to crash Server B. Hmm just thought I wonder if I can get player to speak in Server B's chat and have it appear to other players on server B.
I will not be doing anything to on a public server all testing is done of private servers i own, the only purpose is to discover the seriousness of this issue and it should be being looked into with the highest priority.as this is a big Security issue either way you look at it Server being able to be connected to players on other servers .
I must of spent over 50 hours investigating this issue,, not on the cause but of the possible potential of being a serious concern that warrants all server owners knowing about so they could take action, eg block .1.8.3 client from logging into their servers. I do hope a dev is assigned to investigate very soon as this is already 4 days old and it still is assigned to anybody.
Regards
Not sure how to take your last reply, I will ignore the tone and just give you a reply. "You need to sort this" , "you" as in mojang, its a massive security breach and un suspected server owners find they have all these players connected to the server that don't seen to exist. Plus this is so open to abuse its unreal I can crash players "in theory" shouldn't be connected to my server, I can get that player to say stuff in chat on the other server. When I say my server I use the term generally as I only develop for people, and all testing has been done discreetly with my own accounts. There is also other things that can be done with you know what your doing, I shan't list them as I do not wish for that part to become public knowledge.
Tell me this is WAI , as clearly you have no sense or urgency to patch this massive hole.
I'll leave you to it and do the next best thing and let all the owners know about this breach so they can at least try to deal with any consequences that it may cause them. Oh look though your 2K un resolved issues and your find somebody actually reported this same thing to you 5 weeks ago but no body even bothered to reply. I say unresolved , there all the unanswered issues which doesn't show up as unresolved issues, funny that.
Don't expect me ever to report issue again I spent days trying to find the cause so you guys wouldn't have to to, hmm can you force op with this breach ??? Investigate it and your find the answer to that question.
One thing I will test in the snapshot is what if the player doesn't select either option and just "X's" out of the client completely. Hopefully the server doesn't hold on to a connection or even what it thinks is a connection and the player still appearing in the scoreboard etc. Will report back give me 5 mins.
Showing the screen in snapshot 15w37a when you try and create a new world if previous world was hardcore and player died.
Sorry can confirm this fixes nothing at all. All issues mentioned in previous comments are displayed in snapshot 15w37a.
It might even be worse, single player no longer deletes the world even if you press delete.
If the player "x's" out after death the server still holds the player connection.
Also in single player if I try to create a new world after a death HC mode this is displayed. See screen shot attached
EDIT: All testing done using 100% vanilla MC running 64bit windows 7
Hope this helps.
Does this issue occur with two non-bungee, single servers (modified or no) on different IP addresses?