
Announcement About Plugin download spoofing

Comments in 'Plugin Releases' started by shoghicp, Dec 7, 2013.

  1. JassperBeastHD
    Offline

    JassperBeastHD Banned

    Joined:
    Aug 27, 2013
    Posts:
    436
    Minecraft User:
    JassperBeastHD
    If you have the PHP one, can you inbox me it?
  2. 99leonchang
    Offline

    99leonchang Staff Member Sectional Moderator

    Joined:
    Aug 23, 2013
    Posts:
    165
    Plugins:
    2
    Minecraft User:
    99leonchang
    You can just "un-pmf" it and then change the hexes back
    wies likes this.
  3. shoghicp
    Offline

    shoghicp Staff Member PocketMine Team

    Joined:
    Aug 22, 2013
    Posts:
    433
    Plugins:
    14
    Minecraft User:
    shoghicp
    Also, the code was not included in the plugins, it was in the plugin description. That caused even people that didn't want to use his plugins to download them automatically and give him lots of downloads.
  4. 99leonchang
    Offline

    99leonchang Staff Member Sectional Moderator

    Joined:
    Aug 23, 2013
    Posts:
    165
    Plugins:
    2
    Minecraft User:
    99leonchang
    That's rather creepy
  5. iJoshuaHD
    Offline

    iJoshuaHD Notable Member Plugin Developer

    Joined:
    Nov 7, 2013
    Posts:
    1,167
    Plugins:
    4
    Minecraft User:
    iJoshuaHD
    Can you give out the original source so that we could put it back to hexes? I wanna see for myself if my server would be safe using his Faction plugin. Thanks :)
  6. codmadnesspro
    Offline

    codmadnesspro Notable Member Plugin Developer

    Joined:
    Sep 11, 2013
    Posts:
    551
    Plugins:
    1
    Minecraft User:
    Codmadnesspro
    Damn.. He was good. He said he had changed but no he had not. Maybe we shall post but remove the autodownloader part of it.
    IronPony likes this.
  7. Falk
    Offline

    Falk Staff Member Global Moderator

    Joined:
    Sep 2, 2013
    Posts:
    1,706
    Plugins:
    22
    Minecraft User:
    Falkirknh
    If download links are one time then anyone wanting to connect via the API would need some sort of way to generate a link. And wow, initially I thought he was doing this but I assumed he was above it, clearly I was wrong.
  8. shoghicp
    Offline

    shoghicp Staff Member PocketMine Team

    Joined:
    Aug 22, 2013
    Posts:
    433
    Plugins:
    14
    Minecraft User:
    shoghicp
    Vote links have a CSRF token, but download links do not (desired).
    Anyway, someone could make a bot that gets the token and downloads it too...
  9. Falk
    Offline

    Falk Staff Member Global Moderator

    Joined:
    Sep 2, 2013
    Posts:
    1,706
    Plugins:
    22
    Minecraft User:
    Falkirknh
    Just out of curiosity, is it the download link or the attachment link that adds to the count?
  10. KnownUnown
    Offline

    KnownUnown Active Member Plugin Developer

    Joined:
    Aug 22, 2013
    Posts:
    65
    Plugins:
    1
    Minecraft User:
    KnownUnown
    None of the links.
    On the plugin posts themselves, the images load the download links. So every time you click on his plugin post...it adds to the count.
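
The pattern described in the post above (images in a plugin post whose URL is a download link), turned into a moderation check. This is an added example, not code from the thread or from the forum software; the host name, the route pattern and the sample description are assumptions constructed for illustration.

```php
<?php
// Added example: flag embedded images in a plugin description that point at
// a same-site download route, so merely viewing the post triggers a download.
const SITE_HOST = 'forums.example.org';                    // assumption: the forum's host
const DOWNLOAD_PATH = '~/(download|attachments)(/|$)~i';   // assumption: hypothetical route pattern

/** Return every embedded image URL in $description that hits a download route. */
function findCountingImages(string $description): array
{
    $urls = [];
    // BBCode form: [img]url[/img]
    if (preg_match_all('~\[img\](.*?)\[/img\]~is', $description, $m)) {
        $urls = array_merge($urls, $m[1]);
    }
    // Raw HTML form: <img src="url">
    if (preg_match_all('~<img\b[^>]*\bsrc\s*=\s*["\']?([^"\'\s>]+)~i', $description, $m)) {
        $urls = array_merge($urls, $m[1]);
    }

    $hits = [];
    foreach ($urls as $url) {
        $url = trim(html_entity_decode($url));
        $parts = parse_url($url);
        if ($parts === false) {
            continue; // unparseable URL, nothing to classify
        }
        // A URL without a host is relative, so it resolves to this site.
        $host = strtolower($parts['host'] ?? SITE_HOST);
        $path = $parts['path'] ?? '';
        if ($host === SITE_HOST && preg_match(DOWNLOAD_PATH, $path)) {
            $hits[] = $url;
        }
    }
    return array_values(array_unique($hits));
}

// Constructed sample description (not taken from the thread).
$sample = <<<'TXT'
Great plugin! [img]http://forums.example.org/plugins/other-plugin.123/download?version=45[/img]
[IMG]https://i.example.net/banner.png[/IMG]
<img src="/plugins/third.9/download" width="1" height="1">
TXT;

foreach (findCountingImages($sample) as $url) {
    echo "suspicious embedded image: $url\n";
}
```
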
  11. Falk
    Offline

    Falk Staff Member Global Moderator

    Joined:
    Sep 2, 2013
    Posts:
    1,706
    Plugins:
    22
    Minecraft User:
    Falkirknh
    I mean with a normal plugin, where is the download counted?
  12. KnownUnown
    Offline

    KnownUnown Active Member Plugin Developer

    Joined:
    Aug 22, 2013
    Posts:
    65
    Plugins:
    1
    Minecraft User:
    KnownUnown
    The download link itself..
  13. Falk
    Offline

    Falk Staff Member Global Moderator

    Joined:
    Sep 2, 2013
    Posts:
    1,706
    Plugins:
    22
    Minecraft User:
    Falkirknh
    Okay, that makes sense
  14. LDX
    Offline

    LDX Notable Member Plugin Developer

    Joined:
    Oct 2, 2013
    Posts:
    1,397
    Plugins:
    14
    I don't think we should re-post his code. Even though he did betray us, it's still his code and we don't really have any right to it.
    Super·-·Nova·-·, wies and Falk like this.
  15. JassperBeastHD
    Offline

    JassperBeastHD Banned

    Joined:
    Aug 27, 2013
    Posts:
    436
    Minecraft User:
    JassperBeastHD
    How?
  16. iamadpond
    Offline

    iamadpond Banned

    Joined:
    Aug 24, 2013
    Posts:
    191
    Minecraft User:
    iamadpond
    One: He never declared any licenses to his software,
    Two: He never has it copyrighted as a legal entity,
    Three: He posted it in a public place and it is classed as freeware, unless we start charging for it he really can't have at us for repurposing it.
    And four: He never explicitly said we were not to re-use it to our gain.
    Falk likes this.
  17. wies
    Offline

    wies Notable Member

    Joined:
    Aug 23, 2013
    Posts:
    390
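    PHP:
    // $file is the path to the obfuscated plugin source.
    $code = file_get_contents($file);
    while(1){
        // Find the next literal \xNN escape sequence.
        $pos = strpos($code, '\x');
        if($pos === false) break;
        $hex = substr($code, $pos, 4);
        // Convert the two hex digits to the character they encode.
        $char = chr(hexdec(substr($hex, 2)));
        $code = str_replace($hex, $char, $code);
    }
    file_put_contents($file, $code);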
  18. LDX
    Offline

    LDX Notable Member Plugin Developer

    Joined:
    Oct 2, 2013
    Posts:
    1,397
    Plugins:
    14
    Um, Ima go update my plugins...
  19. LDX
    Offline

    LDX Notable Member Plugin Developer

    Joined:
    Oct 2, 2013
    Posts:
    1,397
    Plugins:
    14
    I don't want people re-using my code if something ever happens to me.
  20. Super·-·Nova·-·
    Offline

    Super·-·Nova·-· New Member

    Joined:
    Dec 7, 2013
    Posts:
    4
    Can he make a new account? Or is there a way to IP ban him?
