Malicious code in more than a dozen Bukkit plugins

See the front page of Bukkit. There was recently a plugin cought by the administrators containing malicious code. Also there is mentioned that - in the past few months - more than a dozen more of those plugins where uploaded without anyone noticing. Bukkit says all of the plugins that are uploaded are human checked, although some of them may be, I once uploaded serveral plugins which were all accepted within 4 minutes. Clearly those are checked by humans… Due to all of this there is alot of vulnerability in Minecraft server using plugins. Perhaps some room for improvement? What do you think?

1 Like

Well human testing does work if it’s properly done (unlike on bukkit apparently). On the otehr hand that takes a ton of resources and time.

I understand it takes alot of time to check every plugin by hand. But there are a few reasons I don’t like this. First off all, if you don’t do it, why state that you do? Also if they don’t there is alot of vulnerability for hackers.

I heard on the /r/admincraft subreddit that the developers substituted the bytecode operation ‘goto’ with ‘goto_w’ and this will essentially hide a block of code in many common decompilers. Thus, you could write a static initializer to dl, install, and run a RAT (gives hacker access to your entire computer): without decompilers showing that code. Considering how easy it is to download execute a program with java (Runtime.exec(…)), this is pretty damn dangerous.

I’ve tested a forceop plugin for someone on HF that had the ability to download and run any file at the griefer’s command. THIS. IS. BAD.

Once the common decompilers (fernflower, JD-GUI, etc) can show the goto_w operation, then we can be a little safer. Of course there’s always 0 days (I don’t have any and never have had any …concerning decompilers), but we;ll still be a bit safer.

1 Like

Well if source was required to be submitted instead of the plugin, and then that source was complied by a sponge build server then maybe things like this wouldn’t happen.


There are pros and cons to this. You have to consider the infrastructure that this requires. I know that Sponge has sponsors and all, but hosting that many plugins on a CI isn’t so easy. Not everyone uses Maven or Gradle, which makes it hard to compile with a build server. Many dependencies and current libraries don’t even use them with Maven/Gradle.

Well call me lazy, but at least my own plugins are so dead simple I’ve never bothered to learn Maven/Gradle. I’m sure I could learn to use them but just haven’t seen the need to bother with the extra work so far.

Actually I would call you very active for not using maven/gradle/ant/ivy xD. Using maven (or something else that builds your jars) releases the stress of many developers. Let me list the benefits:

  • Automatic dependency management
  • META-INF management
  • Code generation (lets say you change version number in your pom, it will update your code as well)
  • Lots of tools like (jooq, flyaway, …) use maven.
  • Shading dependencies in jars.
  • Javadoc generation
  • Automatic unit test Testing. (If tests fail, no jar)
  • Etc…

Well for those that use it, Sponge may could provide a faster plugin deployment. As the source is available for review. And it is 100% sure that the shared jar, comes from the given source.

1 Like

Source availability means nothing. Take as an example the recent findings against Intel over fudging performance figures for the Pentium 4. The test benches used to generate those figures were compiled using an Intel supplied compiler which faked the numbers in Intels favour. When the actual applications source was compiled using an independent compiler the figures were totally different.
Intel now has to refund $15 to everyone who purchased a Pentium 4.

1 Like

Another benefit:

  • Not a pain in the ass to build someone else’s project

I cry everytime I want to build someone’s project and all I see is a src folder. Godspeed if they also have many dependencies on top of that that aren’t in the project itself.

but yeah, now that I’ve used maven long enough I find that even creating a new maven project is a lot faster than creating an empty source project, adding libraries (multiple menu clicks), creating an output artifact (even more clicks), and so on. With maven I can just copy/paste most things from another pom and I’m set :^)

1 Like

Factions … . This was his response for using maven:

Oh please get some perspective. Did you pay for it? I code free software and you complain because I don’t live up to your standards? :3

Hey wow, Dit factions got a POM recently? Wasn’t expecting that :open_mouth:.

Most people cannot build sources. An easy way to pretend to have a non malicious plugin is to release source, but also say “CLICK HERE TO DOWNLOAD; DOES NOT REQUIRE KNOWLEDGE OF COMPILING”

Bam, now you distribute your infected plugin and most devs will just look at the source code online and see a friendly plugin.

If someone catches you, just create a bunch of accounts claiming to be devs and be like “no”.

edit: Also you could post the MD5s of your jar and say “This verifies that it is not infected.” Most of your plugin’s users won’t know what this means, so they’ll just assume its safe. Social engineering. Stay careful…

1 Like

The developer of factions and Mcore is so ignorant to the fact that people want to be able to extend his plugins without wasting time downloading dependencies. Maven isn’t that hard to setup tbh, and it’s so much simpler to manage dependencies.


OK I get it that using Maven would benefit me in many ways. Would someone be willing to share a link to an easy tutorial to Maven & Eclipse. By “easy” I mean one targeted to a person who’s never really used any sort of a tool like this. (I remember back in 90’s using makefiles for building C projeccts but not really much).

Hope it is easy enough: How to setup maven with sponge!.

Seems easy enough, but I noticed Sponge uses Gradle, not Maven. Since I am to learn a new tool anyway, I think it would be more benefitial for me to try and take Gradle, rather than Maven into use.

IF we do need human check, I volunteer as someone to check.

Sorry, but I highly doubt that they will accept unexperienced developers to do the inspecting.

Agreed<Yah more stuff no one can read!!! party!!!