PSA: Massive Exploit - PlaceholderAPI (checkitem expansion)
Hey guys, kinda made a post to warn about a possible exploit that could be on your server as well.
It's related to a specific PlaceholderAPI expansion called CheckItem.
Random new players joined our server, tried a bunch of random commands all sharing the same placeholder.
Eventually they made it work doing
/ping %checkitem_give_mat:bedrock,amt:2304%
This command gave them a full inventory of bedrock, and can be used to spawn in any item in the game.
Emergency fix:
We fixed it by going into PlaceholderAPI -> config.yml and setting "checkitem: give_enabled: false"
So if you have the expansion called checkitem, DISABLE IT RIGHT NOW!
I don't know more specific details than that, but wanted to post an emergency post regarding it.
We are on purpur version git-Purpur-1996, running Minecraft 1.20.1.
The ping command is by the CMI plugin, so not sure if it has to be CMI or not.
36 Replies
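The post describes new joiners probing a string of commands with the same placeholder before one of them parsed it. As an added example (not from the original post or from PlaceholderAPI/CMI), here is a small Python scanner a server owner can run over console logs to find those attempts after the fact. It assumes the standard "<player> issued server command: <cmd>" console line and the %expansion_params% placeholder shape; the log lines are constructed, not real server output. It flags the checkitem give placeholder from the post as critical and, more generally, any placeholder typed into a player command as suspicious, since the thread's point is that no player-supplied input should be reaching the placeholder parser at all.

```python
import re
from dataclasses import dataclass

# Constructed sample console output (not real server logs); the
# "<player> issued server command: <cmd>" line is the usual Bukkit/Paper/Purpur
# format for player-issued commands.
SAMPLE_LOG = """\
[20:11:03 INFO]: Steve joined the game
[20:11:09 INFO]: Steve issued server command: /ping
[20:11:15 INFO]: Steve issued server command: /msg Alex %checkitem_give_mat:bedrock,amt:2304%
[20:11:22 INFO]: Steve issued server command: /ping %checkitem_give_mat:bedrock,amt:2304%
[20:11:30 INFO]: Alex issued server command: /nick %player_name%
[20:11:41 INFO]: Alex issued server command: /home base
"""

COMMAND_RE = re.compile(
    r"^\[(?P<time>[^\]]+)\]: (?P<player>\S+) issued server command: (?P<cmd>/.*)$"
)
# PlaceholderAPI placeholders look like %<expansion>_<params>%; params contain
# neither whitespace nor another % (assumed shape, matches the one in the post).
PLACEHOLDER_RE = re.compile(r"%(?P<expansion>[A-Za-z0-9]+)_(?P<params>[^%\s]*)%")


@dataclass
class Hit:
    time: str
    player: str
    command: str
    placeholder: str
    severity: str


def classify(placeholder: str) -> str:
    """'critical' for the item-spawning checkitem give placeholder from the post,
    'suspicious' for any other placeholder typed by a player, 'none' otherwise."""
    m = PLACEHOLDER_RE.fullmatch(placeholder)
    if m is None:
        return "none"
    expansion = m.group("expansion").lower()
    params = m.group("params").lower()
    if expansion == "checkitem" and params.startswith("give_"):
        return "critical"
    return "suspicious"


def scan(log_text: str) -> list[Hit]:
    """Return one Hit per placeholder found inside a player-issued command."""
    hits: list[Hit] = []
    for line in log_text.splitlines():
        m = COMMAND_RE.match(line)
        if m is None:
            continue  # not a player command line
        for ph in PLACEHOLDER_RE.finditer(m.group("cmd")):
            hits.append(Hit(m.group("time"), m.group("player"), m.group("cmd"),
                            ph.group(0), classify(ph.group(0))))
    return hits


def attempts_by_player(hits: list[Hit]) -> dict[str, int]:
    """Count flagged commands per player; the post describes new joiners trying
    many commands with the same placeholder, so repeat offenders stand out."""
    counts: dict[str, int] = {}
    for h in hits:
        counts[h.player] = counts.get(h.player, 0) + 1
    return counts


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for h in found:
        print(f"[{h.severity}] {h.time} {h.player}: {h.command}")
    print("attempts per player:", attempts_by_player(found))
```

Run it against latest.log (or the archived, gzipped logs in the logs folder) to see which players tried the placeholder and through which commands; a command that shows up only as "suspicious" still tells you which plugin command is handing player input to the placeholder parser.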
This is old
Like really old
It's been known for years
And it's still enabled by default?
Why isn't that shit off by default, seems like a major issue CheckItem needs to fix or get banned from PAPI
And there's nothing on google if you search anything related to this
or just report it to helpchat
?
and get it fixed there
Sure, but I wanted it to reach server owners, like you guys
well isn't it better to just get it fixed in general?
Yes, but the fix might not happen anytime soon
So if anyone is vulnerable, fix it now rather than wait for a potential fix
have u reported it?
GitHub: CheckItem Expansion - Major exploit · Issue #973 · PlaceholderAPI/P...
isn't ping from an external plugin
Yes as he mentioned at the bottom of the post
where?
there's nothing about it
Hm yeah he didn't mention that in the GitHub report
which is like an insanely important part
to add
because it very well could just be a bad implementation of the ping command in CMI
any command which parses papi placeholders would be able to do it
yeah but which commands parse papi placeholders that don't require permissions for it
that don't come from CMI
So if I make a malicious papi expansion it's not PAPI's fault for hosting it and not taking it down?
What a joke
But I agree no normal commands should be able to run or parse a placeholder
Especially if no perms are given
Why would it be lmao?
It's up to the server owner to either download it or not
papi ecloud is just the dist. platform
So if I download an expansion that is merely used to parse a placeholder, I’m supposed to expect it to give my players the ability of spawning in items?
its not malcious?
malicious*
I download expansions that are useful for me, I shouldn't have to worry about the default config having major exploits like that
all of em do get checked for malware
It being enabled by default is malicious imo
I agree, it's not malicious, just an oversight I think
it could be very useful
but it shouldn't be parsed in a player-provided input thing
i.e. a command
Um, it literally is
you should be vetting everything you put on your server
don't just blindly trust random developers
don't think you can specify it in your extension
You can't
I blindly trusted PAPI but I guess I can’t anymore
you shouldn't blindly trust anything tbh
well u shouldn't blindly trust anything
not in a prod server, anyway
lol
I kinda have to in many scenarios because source code is protected and obfuscated, and I am not a programmer anyway so it's not like I can see if something is bad.
only paid plugins are obfuscated/have their source hidden (even tho it breaks the GPL); if u have a free plugin that is obfuscated/has its source hidden, RUN away.