How secure is MCServer? - Cuberite Forum (https://forum.cuberite.org), Forum: Discussion
How secure is MCServer? - tigerw - 04-14-2014
With the recent OpenSSL vulnerability arising out of a failure to verify a length, I wonder, how secure is MCS? Do we have any similar vulnerabilities that will allow someone to change their permissions? Modify webadmin settings? Explode the server? Explode the actual server? Explode the datacentre? Explode the country of the datacentre? Has anyone ever used this emoticon?

RE: How secure is MCServer? - xoft - 04-14-2014
I'm afraid we have way too many of such vulnerabilities, but I highly doubt any of them would do much more than crash the server. Most of the protocol stuff is really brittle; it just assumes that the client is sending the correct data with reasonably-limited sizes.

RE: How secure is MCServer? - qaisjp - 06-13-2014
What about Heartbleed, MC edition?

RE: How secure is MCServer? - tigerw - 06-13-2014

RE: How secure is MCServer? - worktycho - 06-13-2014
If you're concerned about Heartbleed-style bugs, log into Coverity. They have developed a checker for Heartbleed-style bugs in the aftermath so other projects can check for them. We currently have 7 outstanding places where we do exactly what went wrong in Heartbleed. If you want to fix them

RE: How secure is MCServer? - qaisjp - 06-15-2014
(06-13-2014, 05:13 AM) worktycho wrote: If you want to fix them
feature not bug
In all seriousness, where is this checker?

RE: How secure is MCServer? - worktycho - 06-15-2014
The checker is called tainted scalar. The bug categories are untrusted value in loop bound and untrusted value as argument.

RE: How secure is MCServer? - LogicParrot - 06-22-2014
Useful information, thanks everyone. Perhaps there should be a "known vulnerabilities" article somewhere.

RE: How secure is MCServer? - worktycho - 06-22-2014
These are not known vulnerabilities. They're known potential vulnerabilities. They don't become known vulnerabilities until someone works out how to exploit them.

RE: How secure is MCServer? - LogicParrot - 06-22-2014
Call them what you want, "Potential vulnerabilities" is also fine to me.
"They don't become known vulnerabilities until someone works out how to exploit them."
That's just plain terminology. Firefox lists your definition of "potential vulnerabilities" as "known vulnerabilities". Check this out: https://www.mozilla.org/security/known-vulnerabilities/firefox.html
Most - and maybe all - of these don't have a ready-to-use exploit, yet they're "known". Like I said, I don't mind what you call them.
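
The pattern named in the thread (a client-supplied length used as a loop bound, which Coverity's tainted scalar checker reports), shown next to a checked version. This is an added example, not code from the thread or from MCServer; the wire format, function names and the 256-byte limit are assumptions made for illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <string>
#include <vector>

// Constructed wire format (an assumption, not MCServer's protocol):
// [2-byte big-endian length N][N payload bytes]
static const std::size_t kMaxStringLen = 256;  // hypothetical protocol limit

// Tainted-scalar pattern: N comes from the client and is used as the loop
// bound without being compared to the number of bytes actually received.
std::string ReadStringUnchecked(const std::vector<uint8_t> & a_Buf)
{
	std::size_t len = (static_cast<std::size_t>(a_Buf[0]) << 8) | a_Buf[1];
	std::string res;
	for (std::size_t i = 0; i < len; i++)
	{
		res.push_back(static_cast<char>(a_Buf[2 + i]));  // out of bounds if len lies
	}
	return res;
}

// Checked form: the length is validated against a protocol limit and against
// the bytes remaining in the buffer before it is used for anything.
bool ReadStringChecked(const std::vector<uint8_t> & a_Buf, std::string & a_Out)
{
	if (a_Buf.size() < 2) return false;          // header itself is truncated
	std::size_t len = (static_cast<std::size_t>(a_Buf[0]) << 8) | a_Buf[1];
	if (len > kMaxStringLen) return false;       // unreasonable size claimed
	if (len > a_Buf.size() - 2) return false;    // claims more than was sent
	a_Out.assign(a_Buf.begin() + 2, a_Buf.begin() + 2 + static_cast<std::ptrdiff_t>(len));
	return true;
}

int main()
{
	std::vector<uint8_t> honest = {0x00, 0x03, 'a', 'b', 'c'};  // constructed sample
	std::vector<uint8_t> lying  = {0x00, 0x04, 'a', 'b', 'c'};  // claims 4, sends 3
	std::string s;
	std::cout << "honest accepted: " << ReadStringChecked(honest, s) << "\n";
	std::cout << "lying accepted:  " << ReadStringChecked(lying, s) << "\n";
	return 0;
}
```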