On Mon, Dec 20, 2010 at 03:35:14PM +0200, Toni Ruottu wrote:
Merry Christmas time!
This time I wrote a script for auditing security of Minecraft. The
Minecraft multiplayer server has an "insecure mode". When running in
this mode the server does not verify usernames against minecraft.net.
Running the server in insecure mode makes it possible to play the game
offline despite the authentication server being unreachable. As a
side-effect the game allows any player to enter the game with any
username, even ones registered to other users. See
for details. Minecraft multiplayer server admins can run the attached
minecraft-auth NSE script against their online servers to make sure
they are not running in the "insecure mode".
Thanks Toni. I've added the script. After I read that link, I decided to
take the script out of the "vuln" category and put it in "auth". Does
that sound right? I guess this could be a vulnerability in the situation
you described, but is it more likely that this is just a configuration
decision made by the admin?