LOOHP/ImageFrame

/imageframe delete user:map allows any user to delete any map.

Closed this issue · 5 comments

[Fri 00:34:23 INFO Server/PlayerConnection] XtremeCoder issued server command: /imageframe delete Hightech_TR:test

The command still went through and I was able to delete another user's map despite not owning the map nor having OP / admin permission.

  [Fri 00:35:36 INFO ] [LP] Permission information for imageframe.delete:
  [Fri 00:35:36 INFO ] [LP] - xtremecoder does not have imageframe.delete set.
  [Fri 00:35:36 INFO ] [LP] - xtremecoder does not inherit imageframe.delete.
  [Fri 00:35:36 INFO ] [LP] 
  [Fri 00:35:36 INFO ] [LP] Permission check for imageframe.delete:
  [Fri 00:35:36 INFO ] [LP]     Result: true
  [Fri 00:35:36 INFO ] [LP]     Processor: bukkit.DefaultPermissionMapProcessor
  [Fri 00:35:36 INFO ] [LP]     Cause: None
  [Fri 00:35:36 INFO ] [LP]     Context: (dimension-type=overworld) (discordsrv:boosting=false) (discordsrv:linked=true) (discordsrv:role=tourist) (discordsrv:role_id=1231253048534241321) (discordsrv:server_id=1198258905420136478) (essentials:afk=false) (essentials:jailed=false) (essentials:muted=false) (essentials:vanished=false) (gamemode=creative) (world=world)
  [Fri 00:35:54 INFO ] [LP] Permission information for imageframe.admindelete:
  [Fri 00:35:54 INFO ] [LP] - xtremecoder does not have imageframe.admindelete set.
  [Fri 00:35:54 INFO ] [LP] - xtremecoder does not inherit imageframe.admindelete.
  [Fri 00:35:54 INFO ] [LP] 
  [Fri 00:35:54 INFO ] [LP] Permission check for imageframe.admindelete:
  [Fri 00:35:54 INFO ] [LP]     Result: false
  [Fri 00:35:54 INFO ] [LP]     Processor: bukkit.PermissionMapProcessor
  [Fri 00:35:54 INFO ] [LP]     Cause: None
  [Fri 00:35:54 INFO ] [LP]     Context: (dimension-type=overworld) (discordsrv:boosting=false) (discordsrv:linked=true) (discordsrv:role=tourist) (discordsrv:role_id=1231253048534241321) (discordsrv:server_id=1198258905420136478) (essentials:afk=false) (essentials:jailed=false) (essentials:muted=false) (essentials:vanished=false) (gamemode=creative) (world=world)

Please rectify, this is a security issue.

Reporting through here as there is no SECURITY.MD configured.

Did you have the imageframe.adminbypass permission or were you given permission to the image map by the owner?
imageframe.admindelete controls permission for the /imageframe admindelete command and should be unrelated to the /imageframe delete command.

No, I do not have the permission given nor was I granted the permission by the map owner.

My server was attacked by an unknown individual as well, who did not have any permissions nor could have had permissions given to him.

I have subsequently reproduced the issue myself and the logs attached are of me reproducing it myself.

Do you mind giving build #88 a try and see if it is fixed?

Apologies, I'm quite busy right now; I will provide a written update once possible.

I notice the permission default you changed. Could be that. Didn't think that permission would be a default True.

Tested, validated working on my production server. Thanks!
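The thread turns on two separate things: the LuckPerms output shows imageframe.delete resolving to true through bukkit.DefaultPermissionMapProcessor with nothing explicitly set (i.e. the node's plugin.yml default was true), and a command-level permission says nothing about who owns the map being deleted. The following Java is an added illustration written for this issue, not ImageFrame's own code: it models Bukkit's fallback-to-declared-default behaviour for an unset node with a small in-memory registry (plugin.yml `permissions:` entries carry a `default:` of true, false or op), then contrasts a delete check that looks only at the command node with one that also requires ownership or an explicit bypass node. The class and method names, the ImageMap type, and the assumed defaults for imageframe.adminbypass and for imageframe.delete after the fix are all assumptions; only the permission node names and the player and map names come from the thread.

```java
import java.util.HashMap;
import java.util.Map;

/**
 * Added illustration (not ImageFrame's code): a self-contained model of how a
 * Bukkit-style permission check resolves a node that is not explicitly set,
 * and why a command-level node alone does not protect another player's map.
 */
public class MapDeleteAuthz {

    /** Mirrors the plugin.yml `default:` values true / false / op. */
    enum NodeDefault { TRUE, FALSE, OP }

    /** Declared defaults, as a plugin.yml `permissions:` section would supply them. */
    static final class PermissionRegistry {
        private final Map<String, NodeDefault> defaults = new HashMap<>();

        PermissionRegistry declare(String node, NodeDefault d) {
            defaults.put(node, d);
            return this;
        }

        NodeDefault defaultOf(String node) {
            return defaults.getOrDefault(node, NodeDefault.FALSE);
        }
    }

    /** Minimal stand-in for a Bukkit player: name, op flag, explicitly set nodes. */
    static final class Player {
        final String name;
        final boolean op;
        private final Map<String, Boolean> explicit = new HashMap<>();

        Player(String name, boolean op) { this.name = name; this.op = op; }

        Player set(String node, boolean value) { explicit.put(node, value); return this; }

        /** Explicit assignment wins; otherwise fall back to the declared default. */
        boolean hasPermission(PermissionRegistry registry, String node) {
            Boolean assigned = explicit.get(node);
            if (assigned != null) return assigned;
            switch (registry.defaultOf(node)) {
                case TRUE: return true;
                case OP:   return op;
                default:   return false;
            }
        }
    }

    /** Hypothetical map record: who created it and its name. */
    static final class ImageMap {
        final String owner;
        final String name;
        ImageMap(String owner, String name) { this.owner = owner; this.name = name; }
    }

    /** Weak pattern: only the command node is checked, so ownership never matters. */
    static boolean commandPermissionOnly(PermissionRegistry reg, Player p, ImageMap map) {
        return p.hasPermission(reg, "imageframe.delete");
    }

    /** Hardened pattern: command node AND (caller owns the map OR holds the bypass node). */
    static boolean ownerOrBypass(PermissionRegistry reg, Player p, ImageMap map) {
        if (!p.hasPermission(reg, "imageframe.delete")) return false;
        if (map.owner.equalsIgnoreCase(p.name)) return true;
        return p.hasPermission(reg, "imageframe.adminbypass");
    }

    public static void main(String[] args) {
        // Defaults as the reporter's LuckPerms output implies for imageframe.delete
        // (resolved true with nothing set); the adminbypass default is an assumption.
        PermissionRegistry before = new PermissionRegistry()
                .declare("imageframe.delete", NodeDefault.TRUE)
                .declare("imageframe.adminbypass", NodeDefault.OP);

        Player caller = new Player("xtremecoder", false);   // not op, no explicit nodes
        ImageMap othersMap = new ImageMap("Hightech_TR", "test");

        System.out.println("delete node resolves to: " + caller.hasPermission(before, "imageframe.delete"));
        System.out.println("command-node-only check allows: " + commandPermissionOnly(before, caller, othersMap));
        System.out.println("owner-or-bypass check allows: " + ownerOrBypass(before, caller, othersMap));

        // Assumed post-fix default (`default: op`): the node no longer resolves true for everyone.
        PermissionRegistry after = new PermissionRegistry()
                .declare("imageframe.delete", NodeDefault.OP)
                .declare("imageframe.adminbypass", NodeDefault.OP);
        System.out.println("after default change, delete node resolves to: " + caller.hasPermission(after, "imageframe.delete"));
        System.out.println("after default change, command-node-only check allows: " + commandPermissionOnly(after, caller, othersMap));
    }
}
```

The two checks fail in different ways, which is why the reporter's LuckPerms dump is the right thing to attach to such a report: the default-true node makes `commandPermissionOnly` pass for a player who has nothing assigned, and changing the default closes that; but even with a sane default, a check that never compares the caller against the map's owner would still let anyone holding the command node delete maps they did not create, so the ownership (or explicit bypass) comparison is what makes the `user:map` form safe to expose.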