I am reporting this issue directly to you guys as it's not really appropriate for the standard issue tracker; you will see why by reading below. Sorry for being long, I wanted to give you as much info as possible.
Have no idea where to report this but I'll explain it and you can decide. It is ultimately a Mojang issue as it will only happen in 1.8.3 clients and it will happen if I log in to a vanilla MC server. BUT I can only start the conditions for it to happen from a Spigot/CraftBukkit plugin. Previous client versions are unaffected by this problem.
Please remember I am dyslexic.
What is the Security Issue?
This will only work if the player is using 1.8.3 client.
A server can send chat packets (maybe others) to players that are not on their server. By this I mean a player visits server A (this is the server that starts the conditions for the issue to happen), they leave this server and then log in to a completely different server, call it server B (server B can be on a bungee network, a Lillypad network, neither, or be a vanilla MC server). Now on server B the player will still receive all chat messages, Title, header and foot packets (the Title and header and foot packets are being updated, this isn't static) from server A. Server A can also change the player's hotbar items when the player is on server B; likely they are only ghost items. The issue gets a little more complicated, as if server A is on a bungee network and they kick the player to a different server on their network, the player on server B will now receive all chat etc. from that server.
How do I replicate the conditions?
This is not that straightforward as the only way so far I can replicate it is to use a plugin that's openly available on Spigot and Bukkit. The plugin is in no way trying to hide a rat; as I said, if you aren't on a 1.8.3 client there are no issues.
The plugin can be found here: http://www.spigotmc.org/resources/ultrahardcore-reloaded.1622/ and also on GitHub: https://github.com/AmauryCarrade/UHPlugin
I have tested this on the 1.7.10 protocol hack version as well as the very latest build of Spigot. I have tested it with his release version and his dev version; all produce the same results if the player is using a 1.8.3 client. I played UHC on Hypixel's server with a 1.8.3 client and do not have this issue.
On brief inspection it must have something to do with the way he respawns dead players and them being connected to scoreboards, or the use of hardcore hearts using ProtocolLib, as this is normally only available in single player mode. This is just a guess.
I discovered the issue on a server called UHCZone which happens to use this plugin, and also at the same time I am building a UHC plugin so have been researching how others are implementing it and what's popular and what's not.
This will show you a series of screenshots showing the complete issue. I start on UHCZone playing a game called Flower Power; you will need to see the chat in the images to follow what's going on. Hope you get the idea. http://imgur.com/a/jbY3f#0 This link is hidden so only ppl who know the URL can find it; as soon as you have seen it I will remove it altogether.
The quickest way for you to experience it is to go to us.uhc.zone using a 1.8.3 client and play a game of Flower Power. When you die, doesn't matter how you take to die, just log in to ANY other server; I used my own but it makes no difference.
There is currently only me and another dev, plus MD_5 from Spigot, who know about this, as currently I don't know what the potential is regarding exploiting the issue for hacking purposes. Either way something is seriously up with the 1.8.3 client.
I will leave it up to you guys to deal with it. I will not be debating whose issue this is, I am just informing you.
Comments


Does this issue occur with two non-bungee, single servers (modified or no) on different IP addresses?

Yes, bungee is NOT needed to create this issue. It can be 2 single servers on different IPs anywhere in the world owned by completely separate people.
A server owner can potentially cause a player to crash when they're on somebody else's server by sending a corrupt packet on purpose. Or play tricks by sending ghost blocks which would seem like they were real to the unsuspecting player, until they click on them.
Oh, another thing: when the player leaves player A, all sound from the server will still be heard when not logged into any server, by that I mean in the MP server selection list in the client.
From hours of research I personally feel I could find a way to crash Server B. Hmm, just thought, I wonder if I can get the player to speak in Server B's chat and have it appear to other players on server B.
I will not be doing anything on a public server; all testing is done on private servers I own. The only purpose is to discover the seriousness of this issue, and it should be being looked into with the highest priority, as this is a big security issue either way you look at it: a server being able to be connected to players on other servers.
I must have spent over 50 hours investigating this issue, not on the cause but on the possible potential of it being a serious concern that warrants all server owners knowing about it so they could take action, e.g. block the 1.8.3 client from logging into their servers. I do hope a dev is assigned to investigate very soon as this is already 4 days old and it still is assigned to anybody.
Regards

You need to sort this.

@unknown What do you mean?

Not sure how to take your last reply; I will ignore the tone and just give you a reply. "You need to sort this": "you" as in Mojang. It's a massive security breach, and unsuspecting server owners find they have all these players connected to the server that don't seem to exist. Plus this is so open to abuse it's unreal: I can crash players that "in theory" shouldn't be connected to my server, I can get that player to say stuff in chat on the other server. When I say my server I use the term generally, as I only develop for people, and all testing has been done discreetly with my own accounts. There are also other things that can be done if you know what you're doing; I shan't list them as I do not wish for that part to become public knowledge.
Tell me this is WAI, as clearly you have no sense or urgency to patch this massive hole.
I'll leave you to it and do the next best thing and let all the owners know about this breach so they can at least try to deal with any consequences that it may cause them. Oh, look through your 2K unresolved issues and you'll find somebody actually reported this same thing to you 5 weeks ago but nobody even bothered to reply. I say unresolved; they're all the unanswered issues which don't show up as unresolved issues, funny that.
Don't expect me ever to report an issue again. I spent days trying to find the cause so you guys wouldn't have to, hmm, can you force op with this breach??? Investigate it and you'll find the answer to that question.

Just so you know, we're volunteers. We don't work for Mojang and certainly don't have access to the code.

Ah, I see what you mean now. Yes, what @unknown said was right, we are volunteers. Our job is not to find the tickets to fix, it's to get rid of the tickets that aren't real tickets (to put it simply). Just because we haven't done anything doesn't mean we're (The Moderators) ignoring the ticket.

Well, I take my hat off to you guys, you deserve a medal if you do what you do for the love of the job. I do just the same as you, I do a lot of stuff for no money and the love of it, just not for a corporate, but won't go down that road. If I have access to various code bases, the least you guys should too. Are you guys from a developer background? Only asking as if it was, this should have been resolved the day I reported it, it's that big of a security breach. I don't expect an instant response for standard issues, but something related to security breaches is different. So when I see nothing, no responses of any real meaning or signs of progress, I'll just keep on posting.
Still, end of the day the massive security hole is open and fingers crossed you don't end up liable as it's been reported to you. When I say you I mean Mojang, not you guys personally.
I'll try tweeting it to the devs and see if somebody can do something about this.
Am not laughing at you guys or your reasoning for doing what you do, but a $2,5Billion company uses free labor to deal with their tickets and doesn't provide you with the code to be able to investigate things fully either. What I imagine was this was set up years ago and nothing has changed.

Can confirm this issue is 100% your issue: just play hardcore mode on a vanilla MC server and you can create the same results. Oh, also confirm I can change I can run any command I like on the server you start with if you own the 2nd server; surprising what a few packets sent back can do... err did I say force o.......
Disgrace, I reported this near 2 months ago.

Relates to/Duplicates MC-74984.

Confirmed for
1.8.4 (Client)
You can also just spam the "Join server" and "Cancel" buttons because they overlap at some point.
The launcher might eventually freeze when you join a plugin server and use this bug, because after leaving the server you get all the error messages that were generated while you were on the server.
Sorry confirmed MC-74984

Makes no difference if you join a plugin server or a standard MC MP server, the same issues occur. Tested in 1.8.4 as well and it's still the same. Such a dangerous issue this, if you know what you're doing with packets.

Confirmed for
1.8.7 for vanilla Minecraft
It seems that you cannot interact with the player, but he still receives all the packages including chat, day time and so on, which causes the time for the client to change all the time if there is a time difference for the servers.
Relates to:
Leave this report open
I know you tend to close every single report which doesn't get confirmed every single version, but please can you leave this report open until the developers officially state that these bugs are fixed.
It really starts becoming embarrassing that one of the gamemodes is really bugged and the main functions aren't working, and that for over 2 years already!

Closing as invalid since players in hardcore are now put in spectator mode on death.

This is not fixed, try single player mode, die and you can still hear all the game sounds in the main menu when ejected from the game. Tested using the latest 1.8.8 100% vanilla MC.

Chris Lutte: What about 15w37a?

Turns out players still have the option to disconnect. Reopening.

Tested in multiplayer and it does not switch the player to spectator mode on death; if it does, it makes no difference to the bug described here. Bug confirmed in 1.8.8 Vanilla SMP.
Please reopen, this is not fixed at all.

You have the option to switch to spectator mode in 15w37a. I've already reopened the ticket. See my other comments.

A snapshot can't be evidence of it being fixed, as by their very nature snapshots are subject to change at any point. As this is an old bug, until there is a release version with this fixed surely it should stay open. I will test the snapshot if you like to see if that is fixed "in" that snapshot.

Ok thks
Only got them after posting.

One thing I will test in the snapshot is what if the player doesn't select either option and just "X's" out of the client completely. Hopefully the server doesn't hold on to a connection or even what it thinks is a connection and the player still appearing in the scoreboard etc. Will report back give me 5 mins.

Showing the screen in snapshot 15w37a when you try and create a new world if previous world was hardcore and player died.

Sorry can confirm this fixes nothing at all. All issues mentioned in previous comments are displayed in snapshot 15w37a.
It might even be worse, single player no longer deletes the world even if you press delete.
If the player "x's" out after death the server still holds the player connection.
Also in single player, if I try to create a new world after a death in HC mode this is displayed. See screenshot attached.
EDIT: All testing done using 100% vanilla MC running on 64-bit Windows 7.
Hope this helps.

If you open the options menu you can your last position.

Is this still an issue in the most recent versions (currently that is 1.10.2, or 16w42a) of Minecraft? If so, please update the affected versions and help us keep this ticket updated from time to time. If you are the owner/reporter of this ticket, you can modify the affected version(s) yourself.