EssentialsX

EssentialsX

2M Downloads

/editsign can be used to bypass WorldGuard and override ChestShop signs

baailey opened this issue ยท 3 comments

commented

Type of bug

Exploit

/ess version output

03.07 20:39:06 [Server] INFO Server version: 1.17-R0.1-SNAPSHOT git-Paper-68 (MC: 1.17)
03.07 20:39:06 [Server] INFO Brand version: Paper
03.07 20:39:06 [Server] INFO EssentialsX version: 2.19.0-dev+191-555a62c
03.07 20:39:06 [Server] INFO LuckPerms version: 5.3.48
03.07 20:39:06 [Server] INFO Vault is not installed. Chat and permissions may not work.
03.07 20:39:06 [Server] INFO Fetching version information...
03.07 20:39:06 [Server] INFO You're running the latest EssentialsX dev build!

Server startup log

https://gist.github.com/baailey/ff7ed7439c4843da3521595d58821443

EssentialsX config files

https://gist.github.com/baailey/86a68e557645d5f7693ae64540ca9327

Error log (if applicable)

No response

Bug description

EssX /editsign can be used to bypass WorldGuard claims when the user issuing the command is not owner / added to the region as a member. It can also be used to override ChestShop when they are not the ChestShop owner.

Steps to reproduce

  1. Create a region and set an alt/diff player as the owner

  2. Place a sign in the region using the alt/diff player

  3. Go up to the sign and use /editsign to add text to the sign

  4. Create a ChestShop using an alt/diff player

  5. Go up to the ChestShop and use /editsign to add/change text on the sign

Expected behaviour

The changes using /editsign should not apply

Actual behaviour

/editsign bypassed WorldGuard and overrides ChestShops that the player issuing the command are not involved with.

commented

Maybe it's solved with PR #4824

commented

Not really something that will be fixed in Essentials, since we don't hook into protection plugins.

It's possible you could use WorldGuard flags like blocked-cmds to prevent this too, or see if there's anything in ChestShop that protects their signs from being modified by sources other than a player. Though, the easiest is probably just to not give players access to /editsign, similar to how you wouldn't give them access to /break or other commands like that.

commented

We don't currently fire a sign change event, which both plugins likely catch for their respective protections. However, even if we did this, it may not fully prevent players from modifying signs that other plugins handle. For now, @pop4959's suggestion of blocking commands in protected regions should be sufficient.