Headline
GHSA-g274-c6jj-h78p: PocketMine-MP allows malicious client data to waste server resources due to lack of limits for explode()
Impact
Due to lack of limits by default in the explode() function, malicious clients were able to abuse some packets to waste server CPU and memory.
This is similar to a previous security issue published in https://github.com/pmmp/PocketMine-MP/security/advisories/GHSA-gj94-v4p9-w672, but with a wider impact, including but not limited to:
- Sign editing
- LoginPacket JWT parsing
- Command parsing
However, the estimated impact of these issues is low, due to other limits such as the packet decompression limit.
Patches
The issue was fixed in 5.25.2 via d0d84d4c5195fb0a68ea7725424fda63b85cd831.
A custom PHPStan rule has also been introduced to the project, which will henceforth require that all calls to explode() within the codebase must specify the limit parameter.
Workarounds
No simple way to fix this.
Given that sign editing is the easiest way this could be exploited, workarounds could include plugins pre-processing BlockActorDataPacket to check that the incoming text doesn’t have more than 4 parts when split by \n.
Impact
Due to lack of limits by default in the explode() function, malicious clients were able to abuse some packets to waste server CPU and memory.
This is similar to a previous security issue published in GHSA-gj94-v4p9-w672, but with a wider impact, including but not limited to:
- Sign editing
- LoginPacket JWT parsing
- Command parsing
However, the estimated impact of these issues is low, due to other limits such as the packet decompression limit.
Patches
The issue was fixed in 5.25.2 via d0d84d4c5195fb0a68ea7725424fda63b85cd831.
A custom PHPStan rule has also been introduced to the project, which will henceforth require that all calls to explode() within the codebase must specify the limit parameter.
Workarounds
No simple way to fix this.
Given that sign editing is the easiest way this could be exploited, workarounds could include plugins pre-processing BlockActorDataPacket to check that the incoming text doesn’t have more than 4 parts when split by \n.
References
- GHSA-g274-c6jj-h78p
- GHSA-gj94-v4p9-w672
- pmmp/PocketMine-MP@d0d84d4