Remove direct download command

Open neziw opened this issue 9 months ago • 2 comments

Dear plugin maintainer, I would like to suggest removing the direct download function from the plugin due to serious security issues and risk of attacks on servers.

Any person with OP permissions on the server or permissions to PlugManX can download an unverified plugin from any source and thus attack the server by loading a backdoor (I mean a plugin with code that can harm the server). This feature, in my opinion, should not be available in future versions of PlugManX. This change will increase security on servers that use PlugManX and thus prevent the previously mentioned attacks. There is no reason to remove the download feature from SpigotMC as it is a safer and verified source unlike direct download.

I hope that my request will be considered positively.

neziw, May 05 '24 19:05

This feature is disabled by default.

Meaning, a person with OP cannot download any plugins by default

Test-Account666, May 05 '24 19:05

I'll think about removing it though.

The feature is usually not useful anyway

Test-Account666, May 05 '24 19:05

Download command is gone

Test-Account666, May 29 '24 10:05