Add message about JNDI/Haxr

2021-12-31 15:52:49 -05:00 · 2021-12-31 15:52:49 -05:00 · 35a0faaec3
parent 7d232b6e00
commit 35a0faaec3
1 changed files with 61 additions and 2 deletions
--- a/FAQ.md
+++ b/FAQ.md
@ -27,9 +27,68 @@ progressloginterval: 100
 ```
 I recommend setting this to 1,000 for mid-size server maps and 10,000 or greater for large server maps. You will need to restart your server for this to take affect. 

-###  Q: What does 'Invalid plugin.yml' mean
+###  7) What does 'Invalid plugin.yml' mean

-A: Joined with 'Could not load x plugin' and 'ZipException' - this usually means that the file was downloaded badly or corrupted in some way.
+**A)** Joined with 'Could not load x plugin' and 'ZipException' - this usually means that the file was downloaded badly or corrupted in some way.

 Re-download a fresh version and confirm it looks complete. This is a good time to check what the latest version is too

+###  8) What are these weird `{jdni}` / `IaM5uchA1337Haxr-Ban Me!` messages I am getting from Dynmap?
+
+**A)** Some hacker online realized Dynmap webchat can be used to send messages to a Minecraft server log. These messages exploit a vulnerability called Log4J or Log4Shell. For sake a brevity these are exploits which allow hackers to run code on your server without your permission. If you haven't heard of these attacks recently here is [more reading](https://time.com/6128795/log4j-security-flaw/). If you are running the most up to date version of your server you are safe. I want to be very clear that Dynmap will not make you more vulnerable or protect you from this vulnerability. **The only way to protect yourself it to patch your minecraft server.** 
+If you want to make these messages go away you can disable the webchat by editing configuration.txt and commenting out all of the chat plugins
+<details><summary>Original (Click to expand)</summary> 
+
+```yaml
+  - class: org.dynmap.InternalClientUpdateComponent
+    allowwebchat: true
+  - class: org.dynmap.SimpleWebChatComponent
+    allowchat: true
+    # If true, web UI users can supply name for chat using 'playername' URL parameter.  'trustclientname' must also be set true.
+    allowurlname: false
+  - class: org.dynmap.ClientComponent
+    type: chat
+    allowurlname: false
+  - class: org.dynmap.ClientComponent
+    type: chatballoon
+    focuschatballoons: false
+  - class: org.dynmap.ClientComponent
+    type: chatbox
+    showplayerfaces: true
+    messagettl: 5
+    # Optional: set number of lines in scrollable message history: if set, messagettl is not used to age out messages
+    #scrollback: 100
+    # Optional: set maximum number of lines visible for chatbox
+    #visiblelines: 10
+    # Optional: send push button
+    # sendbutton: false 
+```
+
+</details>
+<details><summary>With all Chat Disabled (Click to Expand)</summary> 
+
+```yaml
+  - class: org.dynmap.InternalClientUpdateComponent
+#    allowwebchat: true
+#  - class: org.dynmap.SimpleWebChatComponent
+#    allowchat: true
+#    # If true, web UI users can supply name for chat using 'playername' URL parameter.  'trustclientname' must also be set true.
+#    allowurlname: false
+#  - class: org.dynmap.ClientComponent
+#    type: chat
+#    allowurlname: false
+#  - class: org.dynmap.ClientComponent
+#    type: chatballoon
+#    focuschatballoons: false
+#  - class: org.dynmap.ClientComponent
+#    type: chatbox
+#    showplayerfaces: true
+#    messagettl: 5
+#    # Optional: set number of lines in scrollable message history: if set, messagettl is not used to age out messages
+#    #scrollback: 100
+#    # Optional: set maximum number of lines visible for chatbox
+#    #visiblelines: 10
+#    # Optional: send push button
+#    # sendbutton: false
+```
+</details>