Luanti Insecure Environment Access Control Bypass Vulnerability
Vulnerability
A vulnerability in Luanti versions from 5.0.0 up to, but not including, 5.15.2 allows unintended access to the insecure environment. If any mod is listed in 'secure.trusted_mods' or 'secure.http_mods', a crafted mod can intercept requests to the insecure environment or HTTP API and gain access to them. The issue arises because a malicious mod can manipulate the function 'getCurrentModName' to override its return value, potentially leading to unauthorized access.
Impact
Exploitation of this vulnerability could result in unauthorized access to the insecure environment and HTTP API, allowing a malicious mod to intercept and manipulate requests.
Reproduction
To reproduce this vulnerability, load a malicious mod that can modify the 'world.mt' file to enable itself. Ensure that at least one mod is listed in 'secure.trusted_mods' or 'secure.http_mods'. The malicious mod can then intercept requests to the insecure environment or HTTP API.
Remediation
Users can update to Luanti version 5.15.2 or later, or clear the 'secure.trusted_mods' and 'secure.http_mods' settings to disable access for all mods.
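The following audit is an added example, not code from the Luanti project or from this advisory. It checks whether an install falls in the affected version range and whether either setting still lists a mod. It assumes the configuration uses plain `key = value` lines with `#` comments and that the last assignment of a key wins; the function names, the sample config and the mod names in it are constructed for illustration.

```python
import re

AFFECTED_FROM = (5, 0, 0)  # first affected version, per the advisory
FIXED_IN = (5, 15, 2)      # first fixed version, per the advisory
PRIVILEGED_KEYS = ("secure.trusted_mods", "secure.http_mods")

# Constructed sample config; the mod names are placeholders.
SAMPLE_CONF = """\
# constructed sample, not from a real server
secure.enable_security = true
secure.trusted_mods = example_mod_a, example_mod_b
secure.http_mods =
"""


def parse_version(text):
    """Turn '5.14.0' or '5.14' into a (major, minor, patch) tuple; suffixes are ignored."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p or 0) for p in m.groups())


def privileged_mods(conf_text):
    """Return {setting: [mod, ...]} for each privileged setting that lists a mod."""
    settings = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip()
        if key in PRIVILEGED_KEYS:
            # Assumption: a later assignment replaces an earlier one.
            settings[key] = [m.strip() for m in value.split(",") if m.strip()]
    return {k: v for k, v in settings.items() if v}


def audit(version, conf_text):
    """Classify an install as 'not_affected', 'mitigated' or 'exposed'."""
    v = parse_version(version)
    if not (AFFECTED_FROM <= v < FIXED_IN):
        return "not_affected", {}
    mods = privileged_mods(conf_text)
    return ("exposed" if mods else "mitigated"), mods


if __name__ == "__main__":
    print(audit("5.14.0", SAMPLE_CONF))
```

A result of 'mitigated' means the version is still in the affected range but both settings are empty, which matches the workaround described above.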
