Immersive Paintings [Fabric/Forge]

Immersive Paintings [Fabric/Forge]

Mods
8M Downloads

Malicious players can change paintings/graffities to hidden motives for everyone

debug-evac opened this issue ยท 1 comments

commented

Description

A player, who modifies the code of the mod on the client, can use any motive regardless of whether the motives are hidden or whether that player is op. This is because setting the motive of an entity is not checked server side (see Method receive(PlayerEntity e) in immersive_paintings.network.c2s.PaintingModifyRequest.java). A PaintingModifyRequest then sets that motive for the server, which in turn updates every player via a PaintingModifyMessage.

The abuse potential is fairly low since all motives uploaded to the server are shared with any client connected to the server anyways & this requires a motive to be uploaded (although set to hidden). So the priority should not be that high either.

Steps to reproduce

  1. Modify line 683 in immersive_paintings.client.gui.ImmersivePaintingScreen.java of Method updateSearch() from .filter(v -> page != Page.PLAYERS || !v.getValue().datapack) && (!v.getValue().hidden || isOp())) to for example .filter(v -> page != Page.PLAYERS || !v.getValue().datapack)
  2. Recompile and use the mod (Forge or Fabric does not matter).
  3. Join a server with an unmodified version of the mod and existing hidden motives.
  4. Use any item added by Immersive Paintings and enter the GUI.
  5. Navigate to "Players" tab and discover hidden motives.
  6. Click hidden motives and discover that the entity changes to the motive for everyone in the server.

Expected behavior

It should not be possible for a client to set an entity to a hidden motive & get it to update for other players/the server. The motive should either be set and/or verified server side and the entity should not change for other player in case the player setting the motive is not allowed (or rather able) to do so.

Screenshots

Hidden motive of any other player

Hidden Motive

Hidden motive displayed in GUI of malicious player

Hidden Motive malicious side

Malicious player sets painting to hidden motive

Malicious player sets painting

Other players can see the hidden motive set by a malicious player

Other players can see it

commented

Possible quick fix would be to check whether the player is the author of the motive, the motive is not hidden or the player is op and then continue setting the parameters and sending a PaintingModifyMessage to every player if allowed or to send a PaintingModifyMessage back to the editing player with the existing motive (if that is possible - probably not possible when there is currently no motive).