Lectern Exploit
An exploit has been discovered that allows lecterns to be placed that can run commands in the books.
I will not explain how to create one (for obvious reasons), but it's possible to create a lectern that, for example,
would, when clicked, run a command like /ban (insert player of choice). That click event could be tied to a harmless-seeming piece of text that says something like "click for /spawn", since it seems like a fun little test. Definitely very broken; admins, please don't click on any text in a book in a lectern, since there is no warning and you can't tell if there is a malicious command there or not. (If you want to be extra careful, just don't open books from lecterns at all.)
-
The easy solution to this exploit is quite simple: use your common sense. Don't click in any books. You can use .viewnbt in Wurst to view an item's NBT. If the item contains something like run_command, check the value for anything malicious.
-
I saw an OP today with a lectern and the server crashed. This thread now clears up what I saw. Thanks for posting this.
-
Books can now run any command you have perms for, so be very, VERY careful with them. Also don't abuse this, you will get punished for malicious exploiting.
-
It's a good thing this thread was made because, let's be honest here, I'm the type of idiot that would click a book and run kicknoob.
-
BTW, if you use Meteor client you can use .nbt get (does the same thing as .viewnbt in Wurst) so you can see if there are any malicious commands in the NBT.
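A defender-side scan for the run_command click events that the .viewnbt and .nbt get posts above tell you to look for, written in Python as an added example (not code from this thread, Wurst or Meteor). It assumes the book's pages have already been dumped from the item NBT as JSON text components; the sample pages, the player name and the URL are constructed.

```python
import json
from typing import Any, Iterator

# Constructed sample: the "pages" list of a written_book as stored in item NBT.
# Each page is a JSON text component; a page can hide a clickEvent behind
# harmless-looking text. Assumed format only (JSON text components); the
# exact wrapper tags vary by game version.
SAMPLE_PAGES = [
    '{"text":"Welcome to the hub! Rules are on page 2."}',
    '{"text":"click for /spawn","clickEvent":{"action":"run_command","value":"/ban SomePlayer"}}',
    '{"text":"Info","extra":[{"text":"wiki","clickEvent":{"action":"open_url","value":"https://example.invalid"}}]}',
]

# Click actions that execute something as the clicking player.
DANGEROUS_ACTIONS = {"run_command"}


def iter_components(component: Any) -> Iterator[dict]:
    """Recursively yield every text-component object, including nested 'extra' entries."""
    if isinstance(component, dict):
        yield component
        for child in component.get("extra", []):
            yield from iter_components(child)
    elif isinstance(component, list):  # a page may itself be an array of components
        for child in component:
            yield from iter_components(child)
    # plain strings carry no click events, so nothing is yielded for them


def find_click_commands(pages: list[str]) -> list[tuple[int, str, str]]:
    """Return (page_number, visible_text, command) for every run_command click event."""
    findings = []
    for page_no, raw in enumerate(pages, start=1):
        try:
            parsed = json.loads(raw)
        except json.JSONDecodeError:
            continue  # legacy plain-text page: nothing clickable on it
        for comp in iter_components(parsed):
            event = comp.get("clickEvent")
            if isinstance(event, dict) and event.get("action") in DANGEROUS_ACTIONS:
                findings.append((page_no, str(comp.get("text", "")), str(event.get("value", ""))))
    return findings


if __name__ == "__main__":
    for page_no, label, cmd in find_click_commands(SAMPLE_PAGES):
        print(f"page {page_no}: text {label!r} runs {cmd!r}")
```

Only run_command is flagged here; open_url and other actions are left alone, so extend DANGEROUS_ACTIONS if your server treats more of them as sensitive.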
-
It appears somebody made a book that uses /mail to send me an excerpt of the fanfiction.
Dear god.
-
↩ videogamesm12 I love these books
-
↩ videogamesm12 Who would do that? wtf
-
↩ videogamesm12 @"Folfy_Blue"#356 did this btw
-
↩ videogamesm12 caleb calls women your majesty pass it on
-
↩ videogamesm12 For staff and players who don't use hacked clients, you can take the book from the lectern and use /book while holding it. IIRC it should be broken but show what it really does; may be wrong though.
-
↩ videogamesm12 holy fucking shit why would someone create this
-
wild1145
July 17, 2022 at 1:44 PM Moved the thread from forum Imported from Flarum to forum Bug Reporting.