Problem Server Login exploit


ZOMGForgotFace

New Member
Jul 29, 2019
Some of you may have heard that an exploit was recently found in servers, even vanilla Minecraft servers.

The exploit was discovered in Minecraft 1.6, and I was wondering if, by any chance, it affects FTB servers as well.

The huge issue I see with this is the fact that we are several MC versions back, so the updates that have fixed the issue do not pertain to us.

Does anyone know if this exploit affects us, and is there currently a fix?
 

agaricus

New Member
Jul 29, 2019
This was actually a bug in vanilla Minecraft (the "2013 auth exploit"), though Spigot was more susceptible:
During testing we found it was possible to replicate this exploit on a Spigot (versions 1082-1089) with a success rate of above 10%, while on vanilla/CraftBukkit servers the current exploit code had a success rate of less than 1%.

<1% chance of a login bypass is still a serious vulnerability. Mojang fixed it in 1.6.3/1.6.4 (or will fix it, someone may want to confirm - I haven't checked it personally, still on 1.5 myself..).

But what about us still on 1.5? I'm not aware of anyone backporting the fix to 1.5.x vanilla / Forge, perhaps someone else can comment.

Fortunately, MCPC+ 1.5.x does include the fix, imported from Spigot. As of this commit: https://github.com/MinecraftPortCen...48cd4e32a623db230c4b5834de9958ec490781#L1R111 - present in MCPC+ 1.5.x builds 640 and later, released on or after September 5th. So as long as you're running the latest MCPC+, you should be fine.