Summary
The /plan player command can be used to enumerate a list of users who have joined the server. This may go against the wishes of certain server owners (including me), since it allows users to conduct reconnaissance to determine which users have joined the server before.
Details
Users are able to enumerate a player list through the plan player command despite not being given permission to do so.
This allows attackers to perform reconnaissance attacks on the server.
POC
First, check that the permission is not granted:
[Thu 13:50:15 INFO ] [LP] Permission information for plan.player.other:
[Thu 13:50:15 INFO ] [LP] - xtremecoder has plan.player.other set to false in context global.
[Thu 13:50:15 INFO ] [LP] - xtremecoder does not inherit plan.player.other.
[Thu 13:50:15 INFO ] [LP]
[Thu 13:50:15 INFO ] [LP] Permission check for plan.player.other:
[Thu 13:50:15 INFO ] [LP] Result: false
[Thu 13:50:15 INFO ] [LP] Processor: common.DirectProcessor
[Thu 13:50:15 INFO ] [LP] Cause: 9e440c9b-f7e6-4c96-aee7-b0b514511029 has plan.player.other set to false in context global
[Thu 13:50:15 INFO ] [LP] Context: (dimension-type=overworld) (discordsrv:linked=false) (essentials:afk=false) (essentials:jailed=false) (essentials:muted=false) (essentials:vanished=false) (gamemode=adventure) (world=world)
Note that when running the command, autocomplete allows me to effectively get a list of players that have joined the server.
When I run the command, I note that I do not have the permission.
I also note that I am the only player online; thus the autocomplete list was not based on online players.
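For context, the following is an added example (not Plan's own code) of how a Bukkit-style tab completer for a "/plan player <name>" command can avoid this class of issue: it gates the suggestion list on the same permission node the command enforces, so a sender without plan.player.other never receives other players' names. The class name, the command shape and the use of Bukkit.getOfflinePlayers() as the name source are assumptions for illustration.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Locale;

import org.bukkit.Bukkit;
import org.bukkit.OfflinePlayer;
import org.bukkit.command.Command;
import org.bukkit.command.CommandSender;
import org.bukkit.command.TabCompleter;

/**
 * Hypothetical tab completer for a "/plan player <name>" style command.
 * Suggestions are gated on the same permission node the command itself checks,
 * so autocomplete cannot be used as a user-enumeration oracle.
 */
public final class PlayerTabCompleter implements TabCompleter {

    // Permission node as shown in the advisory's LuckPerms output.
    static final String OTHER_PLAYERS_PERMISSION = "plan.player.other";

    @Override
    public List<String> onTabComplete(CommandSender sender, Command command,
                                      String alias, String[] args) {
        if (args.length != 1) {
            return Collections.emptyList();
        }
        String prefix = args[0].toLowerCase(Locale.ROOT);

        // The flaw described above is returning every known player here
        // regardless of permission. Check the node before building the list.
        if (!sender.hasPermission(OTHER_PLAYERS_PERMISSION)) {
            // Without the permission, the only valid argument is the sender's own name.
            String self = sender.getName();
            return self.toLowerCase(Locale.ROOT).startsWith(prefix)
                    ? Collections.singletonList(self)
                    : Collections.emptyList();
        }

        // Permitted sender: suggest known (including offline) players matching the prefix.
        List<String> matches = new ArrayList<>();
        for (OfflinePlayer player : Bukkit.getOfflinePlayers()) {
            String name = player.getName();
            if (name != null && name.toLowerCase(Locale.ROOT).startsWith(prefix)) {
                matches.add(name);
            }
        }
        return matches;
    }
}
```

Registering this completer on the command (and applying the same check in the command executor) keeps the permission check and the suggestion source consistent.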
Impact
This vulnerability has no direct impact.
This vulnerability allows attackers to perform reconnaissance in preparation for other attacks.