Background
Cmdr is an incredibly powerful console system. Through the var and var= (varSet) commands, it allows information to be saved. This information can be saved on a user-specific or global (all users) basis.
Variables are used for things like refresh commands; the built-in refresh command is an alias for:

    var= .refresh_pos ${position $1{player|Player}} && respawn $1 && tp $1 @${{var .refresh_pos}}

An additional feature that variables use is 'initialisation scripts'.
The vulnerability and its impact
Initialisation scripts allow users to save commands which are then executed whenever they join. This may be useful for things like setting preferences, giving tools to themselves when joining, etc. depending on the game.
Until v1.12.0, Cmdr also supported global initialisation scripts; this allowed any user (with access to the var= command) to set commands that would be run when any player with access to the var command joined. These commands would run as that user, including with any permissions held.
The impact of this vulnerability depends on your game and the type of commands you have. Imagine a game with a give_players_money command only accessible to administrators, but the var commands locked to moderators. A rogue moderator could set the initialisation script to give_players_money * 1000000, giving all players six figures of money whenever an administrator joins.
Am I at risk?
Your game may be at risk of this vulnerability if you have the var and var= commands and are using version 1.11.0 or older.
Whether your game faces a material risk from this vulnerability depends on the way you use Cmdr, the permissions you set via hooks, and the types of commands you have and how they work.
You should read the above background and vulnerability information to assess if your game is at risk.
The level of risk for this vulnerability ranges from none at all to extreme, depending on how your game has Cmdr set up.
Mitigation
1. Upgrading to v1.12.0
v1.12.0 includes a number of bug fixes and quality of life improvements. It also removes global initialization scripts, which is where this vulnerability arises.
2. Disabling the var and var= commands
If your game does not use variables or the default refresh alias (for instance, because it has a bespoke refresh command), then you can safely disable the var and var= commands. You can do this either by passing a filter to RegisterDefaultCommands or through hooks.
3. Disabling global initialization scripts without
Through a BeforeRun hook, you can inspect the contents of commands. You could use this to block var and var= commands where the first argument is $init (the variable used to store the global initialization script).
This is a complex solution; if you're unsure of how to do this, then you should consider one of the first two solutions. This option exists for games which - for whatever reason - cannot upgrade and also rely on the var and var= commands.
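A sketch of such a hook, as an added example that is not part of the original advisory or the Cmdr project's own code. It assumes Cmdr is required from ServerScriptService.Cmdr (adjust the path for your game) and that the variable commands are invoked as var, var= or varSet; the denial message and log format are arbitrary.

```lua
-- Added example: server-side BeforeRun hook that refuses var / var= when the
-- first argument is the global initialisation script key.
-- Assumption: the Cmdr module lives at ServerScriptService.Cmdr.
local ServerScriptService = game:GetService("ServerScriptService")
local Cmdr = require(ServerScriptService:WaitForChild("Cmdr"))

-- Key that stores the global initialisation script, per the advisory.
local GLOBAL_INIT_KEY = "$init"

-- Names the variable commands may be invoked under (compared in lower case).
-- "varset" is included defensively because the advisory calls var= "varSet".
local VAR_COMMANDS = { ["var"] = true, ["var="] = true, ["varset"] = true }

local function isVarCommand(name)
	return type(name) == "string" and VAR_COMMANDS[string.lower(name)] == true
end

-- True when this invocation reads or writes the global init script.
local function touchesGlobalInit(context)
	if not (isVarCommand(context.Name) or isVarCommand(context.Alias)) then
		return false
	end
	local firstArg = context.RawArguments and context.RawArguments[1]
	if type(firstArg) ~= "string" then
		return false
	end
	-- Trim surrounding whitespace before comparing against the key.
	return firstArg:match("^%s*(.-)%s*$") == GLOBAL_INIT_KEY
end

Cmdr.Registry:RegisterHook("BeforeRun", function(context)
	if touchesGlobalInit(context) then
		local who = context.Executor and context.Executor.Name or "unknown"
		-- Log the attempt so it can be reviewed later.
		warn(("[Cmdr] blocked '%s' from %s"):format(tostring(context.RawText), who))
		-- Returning a string from a BeforeRun hook stops the command.
		return "Global initialisation scripts are disabled in this game."
	end
	-- Returning nothing lets your permission hooks decide as usual.
end)
```

Register the hook from a server Script so the check is not enforced only on the client, and keep your existing permission hook in place alongside it.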
Getting support
Imaginary Menagerie is the official server for RoVer, Cmdr, and evaera's other projects. This server has a cmdr-help channel which can be used for getting help with using Cmdr.
This server also has cmdr-announcements and cmdr-development (for the development of the Cmdr project itself) channels which you may find of interest.