Screen NBT hack
moofMonkey opened this issue · 6 comments
Issue description:
Steps to reproduce: Packet hack
Versions: latest
Anyone could change NBT inside scanner with packet hack.
That issue became public, so I've posted it there.
Versions: latest
Never ever say that
As I've seen blame, this error persists from the moment the screen is added.
87d5c9a
Please provide more details. I don't understand what's wrong here. Is it just that clients can set arbitrary NBT on screen module items?
Yep, clients can set any NBT on any slot in Screen.
Would making sure the player is close enough, has permission to interact with the screen
That would be good too (to prevent crutches with WorldGuard/etc), but that'll not fix the main problem - client still can change NBT of any item to whatever
and isn't setting invalid NBT for the module be enough to fix this?
Idk how you'd fix this, I've never worked with containers before :D
Here's exploit (sends packet in borealis.hack.HackGui2, idk for what exact version) if you need it, it's public, so posted it here
rftools_exploit.zip
Okay, I see the problem now. You can put anything in screens, not just screen modules, so this lets you change the NBT of any item to be whatever you want.
I just committed eacb5e8 and asked @McJty to do a new release. It doesn't completely fix the bug, but it limits most possible ways to abuse it, as the server will now only set NBT on items that are actually screen modules. A complete fix will be more complicated and take more time, so it will come later.
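The server-side checks discussed in this thread (player close enough, permission to interact, item is actually a screen module, only valid NBT for that module), shown as an added example that is not RFTools code and not part of the original issue. All types, item ids, the per-module key allow-list and the distance limit are simplified assumptions, not Minecraft or RFTools APIs.

```java
import java.util.*;

// Simplified stand-ins for the game's types (assumptions, not Minecraft/RFTools classes).
public class ScreenNbtUpdateGuard {
    record Item(String id, Map<String, String> nbt) {}
    record Player(double x, double y, double z, boolean mayInteract) {}
    record Screen(double x, double y, double z, Item[] slots) {}
    // Constructed packet model: every field in it is client-controlled.
    record UpdatePacket(int slot, Map<String, String> nbt) {}

    // Hypothetical allow-list: per module item id, the NBT keys a client may set.
    static final Map<String, Set<String>> EDITABLE_KEYS = Map.of(
        "text_module", Set.of("text", "color"),
        "clock_module", Set.of("color"));
    static final double MAX_DIST_SQ = 8 * 8; // assumed interaction range

    /** Applies the update only if every server-side check passes; otherwise returns the reason. */
    static String handle(Player p, Screen s, UpdatePacket pkt) {
        if (!p.mayInteract()) return "denied: no permission";
        double dx = p.x() - s.x(), dy = p.y() - s.y(), dz = p.z() - s.z();
        if (dx * dx + dy * dy + dz * dz > MAX_DIST_SQ) return "denied: too far";
        if (pkt.slot() < 0 || pkt.slot() >= s.slots().length) return "denied: bad slot";
        Item item = s.slots()[pkt.slot()];
        if (item == null) return "denied: empty slot";
        Set<String> allowed = EDITABLE_KEYS.get(item.id());
        if (allowed == null) return "denied: not a screen module";
        if (!allowed.containsAll(pkt.nbt().keySet())) return "denied: key not editable";
        item.nbt().putAll(pkt.nbt()); // merge allowed keys only; never replace the whole tag
        return "applied";
    }

    public static void main(String[] args) {
        Item module = new Item("text_module", new HashMap<>());
        Item sword = new Item("diamond_sword", new HashMap<>()); // non-module item left in a slot
        Screen screen = new Screen(0, 64, 0, new Item[] { module, sword, null });
        Player near = new Player(1, 64, 1, true);
        Player far = new Player(100, 64, 0, true);
        // Constructed sample packets, one per check.
        System.out.println(handle(near, screen, new UpdatePacket(0, Map.of("text", "hi"))));
        System.out.println(handle(near, screen, new UpdatePacket(1, Map.of("ench", "x"))));
        System.out.println(handle(near, screen, new UpdatePacket(0, Map.of("ench", "x"))));
        System.out.println(handle(far, screen, new UpdatePacket(0, Map.of("text", "hi"))));
        System.out.println(handle(near, screen, new UpdatePacket(7, Map.of("text", "hi"))));
    }
}
```

The item-type check alone corresponds to the partial fix described above; the key allow-list is what stops a client from writing arbitrary tags onto a legitimate module.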