<!DOCTYPE html> <!--[if IE 8]><html class="no-js lt-ie9" lang="en" > <![endif]--> <!--[if gt IE 8]><!--> <html class="no-js" lang="en" > <!--<![endif]--> <head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title>Exploit Patches — Sponge 6.0.0 documentation</title> <link rel="shortcut icon" href="../../_static/favicon.ico"/> <link rel="stylesheet" href="../../_static/css/theme.css" type="text/css" /> <link rel="stylesheet" href="../../_static/spongedocs.css" type="text/css" /> <link rel="index" title="Index" href="../../genindex.html"/> <link rel="search" title="Search" href="../../search.html"/> <link rel="top" title="Sponge 6.0.0 documentation" href="../../index.html"/> <link rel="up" title="Server Management" href="index.html"/> <link rel="next" title="Performance Tweaks" href="performance-tweaks.html"/> <link rel="prev" title="Installing Plugins" href="plugins.html"/> <!-- Google Analytics --> <script> (function(S,p,o,n,g,i,e){S['GoogleAnalyticsObject']=g;S[g]=S[g]||function(){ (S[g].q=S[g].q||[]).push(arguments)},S[g].l=1*new Date();i=p.createElement(o), e=p.getElementsByTagName(o)[0];i.async=1;i.src=n;e.parentNode.insertBefore(i,e) })(window,document,'script','https://www.google-analytics.com/analytics.js','ga'); ga('create', 'UA-59476017-2', 'auto'); ga('send', 'pageview'); </script> <script src="../../_static/js/modernizr.min.js"></script> </head> <body class="wy-body-for-nav" role="document"> <div class="wy-grid-for-nav"> <nav data-toggle="wy-nav-shift" class="wy-nav-side"> <div class="wy-side-scroll"> <div class="wy-side-nav-search"> <div id="sp-logo-container" class="page-scroll"> <a class="logo" href="../../index.html"> <img src="../../_static/spongie-mark-dark.svg"> <span>Sponge</span> <i class="fa fa-fw fa-chevron-down"></i> </a> <div id="sp-logo-menu"> <ul id="sp-logo-dropdown"> <li><a href="https://www.spongepowered.org"><i class="fa-fw fa fa-home"></i>Homepage</a></li> <li><a 
href="https://forums.spongepowered.org"><i class="fa-fw fa fa-comments"></i>Forums</a></li> <li><a href="https://github.com/SpongePowered"><i class="fa-fw fa fa-code"></i>Code</a></li> <li class="active"><a href="https://docs.spongepowered.org"><i class="fa-fw fa fa-book"></i>Docs</a></li> <li><a href="https://jd.spongepowered.org"><i class="fa-fw fa fa-graduation-cap"></i>Javadocs</a></li> <li><a href="https://forums.spongepowered.org/c/plugins/plugin-releases"><i class="fa-fw fa fa-plug"></i>Plugins</a></li> <li><a href="https://www.spongepowered.org/downloads"><i class="fa-fw fa fa-download"></i>Downloads</a></li> <li><a href="https://www.spongepowered.org/chat"><i class="fa-fw fa fa-comment"></i>Chat</a></li> </ul> </div> </div> <div role="search"> <form id="rtd-search-form" class="wy-form" action="../../search.html" method="get"> <input type="text" name="q" placeholder="Search docs" /> <input type="hidden" name="check_keywords" value="yes" /> <input type="hidden" name="area" value="default" /> </form> </div> </div> <div class="wy-menu wy-menu-vertical" data-spy="affix" role="navigation" aria-label="main navigation"> <ul class="current"> <li class="toctree-l1 current"><a class="reference internal" href="../index.html">Creating a Server</a><ul class="current"> <li class="toctree-l2"><a class="reference internal" href="../getting-started/index.html">Getting Started</a></li> <li class="toctree-l2 current"><a class="reference internal" href="index.html">Server Management</a><ul class="current"> <li class="toctree-l3"><a class="reference internal" href="whitelist.html">Managing the Whitelist</a></li> <li class="toctree-l3"><a class="reference internal" href="bans.html">Managing Bans</a></li> <li class="toctree-l3"><a class="reference internal" href="permissions.html">Managing Permissions</a></li> <li class="toctree-l3"><a class="reference internal" href="plugins.html">Installing Plugins</a></li> <li class="toctree-l3 current"><a class="current reference internal" 
href="#">Exploit Patches</a></li> <li class="toctree-l3"><a class="reference internal" href="performance-tweaks.html">Performance Tweaks</a></li> </ul> </li> <li class="toctree-l2"><a class="reference internal" href="../spongineer/index.html">Becoming an Expert Spongineer</a></li> </ul> </li> </ul> <ul> <li class="toctree-l1"><a class="reference internal" href="../../preparing/index.html">Preparing for Development</a></li> </ul> <ul> <li class="toctree-l1"><a class="reference internal" href="../../plugin/index.html">Creating a Plugin</a></li> </ul> <ul> <li class="toctree-l1"><a class="reference internal" href="../../ore/index.html">Ore Documentation</a></li> </ul> <ul> <li class="toctree-l1"><a class="reference internal" href="../../contributing/index.html">Contributing to Sponge</a></li> </ul> <ul> <li class="toctree-l1"><a class="reference internal" href="../../about/index.html">About the Sponge Project</a></li> </ul> </div> </div> </nav> <section data-toggle="wy-nav-shift" class="wy-nav-content-wrap"> <nav class="wy-nav-top" role="navigation" aria-label="top navigation"> <i data-toggle="wy-nav-top" class="fa fa-bars"></i> <a href="../../index.html">Sponge</a> </nav> <div class="wy-nav-content"> <div class="rst-content"> <div role="main" class="document" itemscope="itemscope" itemtype="http://schema.org/Article"> <div itemprop="articleBody"> <div class="section" id="exploit-patches"> <h1>Exploit Patches<a class="headerlink" href="#exploit-patches" title="Permalink to this
headline">¶</a></h1> <p>In recent Sponge builds (SpongeForge 974+), SpongeForge and SpongeVanilla patch a few client-server exploits. Whenever the implementations detect a user performing an exploit, that user is kicked from the server with a message explaining why. If logging is enabled, a log message is also sent to the console. More exploit patches may be added in the future.</p>
<div class="admonition note"> <p class="first admonition-title">Note</p> <p class="last">If you know about an exploit we currently <em>don’t</em> cover, please let us know! You can contact us via <a class="reference external" href="mailto:exploits%40spongepowered.org">exploits<span>@</span>spongepowered<span>.</span>org</a> or PM a staff member on the forums. Please <strong>DO NOT</strong> post exploits publicly on IRC, our GitHub repos or the forums while they are still unknown. This prevents abuse until we get the issues fixed.</p> </div>
<div class="section" id="exploits-patched-implemented-in-sponge"> <h2>Exploit Patches Implemented in Sponge<a class="headerlink" href="#exploits-patched-implemented-in-sponge" title="Permalink to this headline">¶</a></h2> <ol class="arabic simple"> <li>Sign command exploit where a client could run a command such as ‘op’</li> <li>Client could force the server to make the user respawn invisible</li> <li>Client could set an itemstack’s display name and cause it to exceed the character limit</li> </ol> <p>Note that these patches can’t be disabled; only the logging is configurable as of now.</p>
<div class="admonition warning"> <p class="first admonition-title">Warning</p> <p class="last">The invisibility exploit patch has been disabled in recent Sponge builds because the detection method was falsely accusing users of performing the exploit.</p> </div> </div>
<div class="section" id="log-message-control"> <h2>Log Message Control<a class="headerlink" href="#log-message-control" title="Permalink to this headline">¶</a></h2> <p>Log messages for the exploit
patches can be individually controlled in the Sponge config file. Please read the <a class="reference internal" href="../getting-started/configuration/sponge-conf.html"><span class="doc">global.conf</span></a> page for more information. Here’s a short overview of available options:</p> <div class="highlight-none"><div class="highlight"><pre><span></span># Log when server receives exploited packet with itemstack name exceeding string limit.
exploit-itemstack-name-overflow=false
# Log when player attempts to respawn invisible to surrounding players.
exploit-respawn-invisibility=false
# Log when server receives exploited packet to update a sign containing commands from player with no permission.
exploit-sign-command-updates=false
</pre></div> </div> <div class="admonition tip"> <p class="first admonition-title">Tip</p> <p class="last">Log messages can also be controlled via a command, instead of directly editing the config file. For example, to enable the sign command exploit logging, type <code class="docutils literal"><span class="pre">sponge</span> <span class="pre">config</span> <span class="pre">-g</span> <span class="pre">logging.exploit-sign-command-updates</span> <span class="pre">true</span></code> in the console (you can also type the commands in-game if you are an op).</p> </div> </div> </div> </div> </div> <footer> <div class="rst-footer-buttons" role="navigation" aria-label="footer navigation"> <a href="performance-tweaks.html" class="btn btn-neutral float-right" title="Performance Tweaks" accesskey="n" rel="next">Next <span class="fa fa-angle-right"></span></a> <a href="plugins.html" class="btn btn-neutral" title="Installing Plugins" accesskey="p" rel="prev"><span class="fa fa-angle-left"></span> Previous</a> </div> <hr/> <section id="license"> <p>Except where otherwise noted, <a xmlns:dct="http://purl.org/dc/terms/" xmlns:cc="http://creativecommons.org/ns#" property="dct:title" rel="cc:attributionURL"
href="https://github.com/SpongePowered/SpongeDocs">SpongeDocs</a> is licensed under a <a rel="license" href="https://creativecommons.org/licenses/by-sa/4.0/">Creative Commons Attribution-ShareAlike 4.0 International License</a>. </p> <a id="license-icons" rel="license" href="https://creativecommons.org/licenses/by-sa/4.0/" title="CC-BY-SA" aria-hidden="true">cba</a> </section> </footer> </div> </div> </section> </div> <script type="text/javascript"> var DOCUMENTATION_OPTIONS = { URL_ROOT:'../../', VERSION:'6.0.0', COLLAPSE_INDEX:false, FILE_SUFFIX:'.html', HAS_SOURCE: true }; </script> <script type="text/javascript" src="../../_static/jquery.js"></script> <script type="text/javascript" src="../../_static/underscore.js"></script> <script type="text/javascript" src="../../_static/doctools.js"></script> <script type="text/javascript" src="../../_static/spongedocs.js"></script> <script type="text/javascript" src="../../_static/js/theme.js"></script> <script type="text/javascript"> jQuery(function () { SphinxRtdTheme.StickyNav.enable(); }); </script> </body> </html>