Yeah, everything logs in strtolower, even ops and bans. People can simply bypass anything if one letter in their username is changed. My ign is minijaham, and I had op. If someone with the name Minijaham came on, they would have op as well. What the actual fu*k is this? My server was griefed and everyone had access to op. How do you fix this?
You've shared this exploit with people on GitHub and now on the forums; now more people will try to grief servers, including yours.
Isn’t it partially on PMMP’s development team as well? The issue’s already been known and the team was aware of it. Even simple plugins can solve it, but they haven’t done anything even though it seems like “security” is important to them.
Sharing an exploit on a public forum instead of PMMP's secvun email is an absolutely stupid idea. After someone shared this exploit, it spread like wildfire and now servers are getting shitted on. People are even selling accounts related to this exploit. This is exactly why secvuns should be kept private until fixed.
This indeed is, now that I think about it. Too bad though, the issue’s been around for ages, and I blame both Microsoft’s and the PMMP dev team’s incompetence about the situation/issue.
If you can find a better solution to fix this problem without extending the server's functionality (e.g. adding a password system), go ahead. The PMMP dev team (which is literally almost only Dylan) is not incompetent and is already trying to find a solution while not using those types of solutions, so you can duck off with the 'incompetence of the PMMP dev team'.