Multiverse-Core

Multiverse-Core

6M Downloads

Denial of service attack (DoS) using mv command

denisdnu opened this issue ยท 3 comments

commented

Information

Details

I was able to reproduce my issue on a freshly setup and up-to-date server with the latest version of Multiverse plugins with no other plugins and with no kinds of other server or client mods.

Description
Spigot server can be crashed or overloaded with specific mv command and without any specific permissions

Steps to reproduce
execute command:
mv __REDACTED__
Expected behavior
The server does not crash or experiences load growth

Screenshots

commented

Can you test with the latest snapshot, download from http://ci.onarandombox.com/view/Multiverse/job/Multiverse-Core/

I fixed some issues with regex recently that may not have made it to release yet. Namely this commit 9ce2dfd

commented

Not reproduced.
Now it says:
Sorry... No commands matched your filter: __REDACTED__
The server didn't crash or overloaded.

commented

ok then it's fixed, snapshots are generally the same as release, just incremental fixes along the way, so you can use it with no issues. We will push a release to bukkit/spigot site as soon as feasible.