Exploits: Difference between revisions

[[File:OmegaTrack_flatlands_heatmap.png|thumbnail|Heatmap of player activity gathered from collected coordinates using Worldcom, a coordinate exploit that was patched in July 2023 but continued to be used on the server for an entire month afterwards]]
 
TotalFreedom has had a long history of exploits being used both maliciously and harmlessly.
 
 
== 2020 ==
===Moving Piston===
 
Discovered in November 2020, the '''Moving Piston''' exploit affected only servers running Spigot and was abused in the subsequent months. It took advantage of a bug in Spigot that is triggered when a tile entity (e.g. a chest) is overwritten with a ''moving_piston'' block using WorldEdit or similar plugins that replace blocks. The server then crashes when it tries to fix the overwritten tile entity. It affected Minecraft 1.16.4 and was eventually patched.
 
== 2021 ==
== 2022 ==
===Infinity Cart===
Infinity Cart was an exploit discovered by the Moles in March 2022 that abused a lack of validation in entity loot tables, which caused affected servers to fail to remove entities with the exploit applied. When a server attempted to remove such an entity (whether by command or because the entity was in the void), the invalid loot table caused an exception to be thrown, which either aborted whatever was trying to remove the entity or outright crashed the server. When the entity was put in the void at a world spawn, the server was effectively sent into a crash loop, because the Minecart was loaded in as soon as the server finished starting up. This exploit was initially patched by [[Community:Telesphoreo|Telesphoreo]] in a private fork of Paper, which was later superseded by the [[Scissors]] project.
 
This exploit was what prompted the development team to begin work on a fork of the Paper server software called [[Scissors]], which became the foundation for exploit patches as the year progressed and more exploits were discovered.
 
=== SilentTP ===
 
SilentTP, colloquially referred to as the first Nocom exploit, or just Nocom, was a text component that allowed for querying of a target player's position tag when resolved, even if they had TPToggle disabled in Essentials. This was added to [[DeviousMod]] in the form of a command allowing the user to automatically execute the exploit and teleport using Essentials to the target player's coordinates. Later, this was added to [[Community:SexiestBot|SexiestBot]] in the form of an algorithm which queried the position of every player connected to the server, allowing for teleportation to any player without having to first install DeviousMod.
 
This exploit was initially undiscovered for a few days, until [[Community:fyyv|fyyv]] made a suggestion on the forums, detailing how it deliberately circumvented TPToggle, recommending the developers patch the exploit<ref>https://web.archive.org/web/20230726113259/https://totalfreedom.me/forum/thread/4096-prohibit-the-creative-nocom-exploit/</ref>. SexiestBot was banned when the suggestion was accepted, and was later unbanned once the SilentTP functionality had been completely removed. It was later patched fully in Scissors by [[Community:VideoGameSm12|VideoGameSm12]].
 
=== Worldcom ===