Inability to de-op players if listed in ops.txt with non-lowercase letters

Impact

Originally reported in iTXTech/Genisys#1188

PotterHarry98
potterharry98

deop PotterHarry98

will remove potterharry98 from the ops.txt but not PotterHarry98.

Operator permissions are checked using Config->exists() with lowercase=true, which will result in a match: https://github.com/pmmp/PocketMine-MP/blob/22bb1ce8e03dba57173debf0415390511d68e045/src/utils/Config.php#L449

This means that it's possible to make yourself impossible to de-op (using commands) by adding your name to ops.txt with uppercase letters.

Patches

4d37b79ff7f9d9452e988387f97919a9a1c4954e

Workarounds

This can be easily addressed by removing the offending lines from ops.txt manually.

For more information

If you have any questions or comments about this advisory:

Open an issue in pmmp/PocketMine-MP
Email us at team@pmmp.io

Published: Dec 16, 2021
Updated: Apr 14, 2023
GHSA: GHSA-j5qg-w9jg-3wg3
Severity: Low
Exploit:

CVSS v3:

Severity: Unknown
Score:
AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

No CWE or OWASP classifications available.

Affected Software
References

Software	From	Fixed in
pocketmine / pocketmine-mp	-	4.0.3

Vulnerability Database

Inability to de-op players if listed in ops.txt with non-lowercase letters

Impact

Patches

Workarounds

For more information

Deep Security Visibility Without the Complexity