We have had several inquiries lately about the IRC channels #bukkit and #bukkitdev . We do not run those channels nor do we have any control over them. If you need to reach Curse staff the IRC channels are not the place to do so unless you cannot reach the forums at all.
Forum rules may not apply on the IRC channels. Make sure you are aware of the channel rules and abide by them. If you don't abide by the channel rules, messaging Curse staff will not work for appealing a ban. We do not run or control the IRC channels.
Again the IRC channels are run by former staff and community volunteers. Current staff do not set the rules cannot help you if you break them.
Today, it was brought to my attention that the plugin "SuperString" had slipped past us and contained malicious code. This plugin, and the author, have both been removed from DBO. If, at this time, you are one of those that have downloaded this plugin, please be warned that version 1.1 contains the malicious code.
Over the last few months, we have caught more than a dozen new plugins uploaded with malicious code. However, no system is perfect and we miss some. Anyone that says you can catch such code all of the time, would be straight lying. This is where the community helps play in to the protection equation.
As much as the community relies on us to help ensure a safer place to download their addons, modifications, and various plugins, we also rely on the community's feedback and help to report the things we miss. Instead of a blind hosting system like many other sites, we use...
Tonight we've been made aware of a decompiler vulnerability that allows people to effectively hide sections of code. This has been reported to both Procyon and Luyten. This may also affect other decompilers.
Unfortunately due to this we will be not be processing new files until a fixed or replacement decompiler can be found.
As of right now there is no known malicious code on DBO. However, due to the nature of this decompiler shortcoming we are unable to know conclusively.
A big thanks to korikisulda for bringing this to our attention.
Edit by Zeldo:
Korikisulda has posted a much more detailed post about how this works for those that are wondering. You can find it here:...
Recently a plugin named Magix was uploaded to the site. This plugin had an exploit in it wherein an image file was used to add extra javascript beyond the code in the plugin itself. That could allow for arbitrary opping on a server. Multiple reviews of the project by our staff failed to catch it, and for that mistake we're very sorry.
We have adapted our review process to look for this kind of exploit in the future. Unfortunately no matter how well we review plugins people will try and find new creative ways to add malicious content.
The plugin has been removed and the author banned.
If you downloaded and are using Magix, please remove it from your server.
Again we apologize for missing the exploit when checking the code.