Resolution: Awaiting Response
Affects Version/s: Minecraft 1.8.3, Minecraft 1.8.4, Minecraft 1.8.7, Minecraft 1.8.8, Minecraft 15w37a
Fix Version/s: None
Environment:Minecraft Launcher 1.6.11 (through bootstrap 100) started on windows...
Current time is Feb 25, 2015 11:15:11 PM
'os.name' = 'Windows 7'
'os.version' = '6.1'
'os.arch' = 'amd64'
'java.version' = '1.8.0_25'
'java.vendor' = 'Oracle Corporation'
'sun.arch.data.model' = '64'
proxy = DIRECT
JFX is already initializedMinecraft Launcher 1.6.11 (through bootstrap 100) started on windows... Current time is Feb 25, 2015 11:15:11 PM 'os.name' = 'Windows 7' 'os.version' = '6.1' 'os.arch' = 'amd64' 'java.version' = '1.8.0_25' 'java.vendor' = 'Oracle Corporation' 'sun.arch.data.model' = '64' proxy = DIRECT JFX is already initialized
I am reporting this issue direct to you guys as its not really appropriate for the standard issue tracker you see why by reading below. Sorry for being long I wanted to give you as much info as possible.
Have no idea where to report this but i'll explain it and you can decide. It is ultimately mojang issue as it will only happen in 1.8.3 clients and it will happen if i login into a vanilla MC server.. BUT I can only start the conditions for it to happen from a spigot/craftbukkit plugin. Previous client versions are unaffected by this problem.
Please remember I am dyslexic.
What is the Security Issue ?
This will only work if the player is using 1.8.3 client.
A server can send chat packets(Many be others) to players that are not on their server. By this I mean I player visits server A (This is the server that starts the conditions for the issue to happen) they leave this server and when log in to a completely different server, call it server B (Server B can be on a bungee network, a Lillypad network, neither, or be a vanilla MC server). Now on server B the player will still receive all chat messages, Title , header and foot packets (The Title and header and foot packets are being updated this isn't static) from server A. Server A can also change the players hotbar items when player is on server B, likely they are only ghost items. The issue gets a little more complicated as if Server A is on a bungee network and they kick the player to a different server on their network, player on server B will now receive all chat etc from that server.
How do I replicate the conditions ?
This is not that straight forward as the only way so far I can replicate it is to use a plugin thats openly available on spigot and bukkit. The plugin in no way are trying to hide a rat, as I said if you aren't in 1.8.3 client there is no issues.
The plugin can be found here http://www.spigotmc.org/resources/ultrahardcore-reloaded.1622/ also on Github https://github.com/AmauryCarrade/UHPlugin
I have tested this on 1.7.10 protocol hack version as well as the very latest build of spigot. I have tested it with his release version and his dev version, all produce the same results if player is using 1.8.3 client. I played UHC on hypixels server with 1.8.3 client and not do have this issue.
On brief inspection it must have something to do with the way he respawns dead players and them connected to scoreboards or the use of hardcore hearts using propocol lib as this is normally only available in single player mode.This is just a guess.
I discovered the issue on a server called UHCZone which happens to use this plugin and also at the same time I am building a UHC plugin so have been researching how others are implementing it and whats popular and whats not.
This will show you a series of screen shots showing the complete Issue I start on UHCZone playing a game called flower power, you will need to see the chat in the images to follow whats going on. Hope you get the idea. http://imgur.com/a/jbY3f#0 this link is hidden so only ppl who know the URL can find it as soon as you have seen it i will remove it all together.
The quickest way for you to experience it is to go to us.uhc.zone using a 1.8.3 client play a game of Flower Power, when you die doesn't matter how you take to die just login to ANY other server i used my own but make no difference.
There is currently own me and another dev, plus MD_5 from Spigot who know about this as currently I don't know what the potential is in regarding exploiting the issue for hacking purposes. Either way something is seriously up with the 1.8.3 client.
I will leave it up to you guys deal with it. I will not be debating who's issue this is I am just informing you.