Two exploits, both very severe, have recently been brought to our attention.
MapTool versions 1.7 and earlier are vulnerable to attackers who can use these exploits to access your files or run programs on the computer hosting a server, even if you have a password set. The latest version, MapTool 1.8, fixes these exploits. WE ADVISE EVERYONE TO UPGRADE AS SOON AS POSSIBLE.
DOWNLOAD LINKS TO VERSIONS EARLIER THAN 1.8 HAVE BEEN REMOVED AND ALL ACCESS TO THE RPTOOLS REGISTRY WILL BE LIMITED TO VERSION 1.8 AND NEWER.
Below we address what we expect to be the three main topics:
If you really don’t want to change
If you insist on using an older version, you can do things to protect your MapTool server:
- You can use the Direct Connect option. This is still risky, since attackers scan for vulnerable IP addresses all the time. You can reduce the risk by creating a whitelist on your router that allows only specific IP addresses to connect; not all routers support this option.
- You can disconnect from the internet or block all incoming internet traffic and use your personal LAN (connect via the LAN tab).
- You can create a VPN for your server and the other clients (also connecting via the LAN tab).
If you’re running into issues
We expect that some macros may run into trouble in the new version. If you run into issues due to this upgrade:
- paste a link to a downloadable version of the framework (in a Discord post or a forum post), and
- give clear instructions on what is needed to recreate the issue, and state which MapTool version it does work in.
Why now, why this
We are aware that this will force you and your players to upgrade (if you are using the registry), which brings its own hassle with it, and we are sincerely sorry for that, but we do not see any other way. You might wonder why now and why so rigorously. All complex software contains exploitable parts; if the software is properly written and managed, the risk of someone finding and abusing them is very small (to give you an idea: this exploit remained undiscovered for 10 years). HOWEVER, as soon as an exploit is found and fixed in open source software (which is the case for MapTool), anyone can check what has been changed in the code, immediately identify the exploit and use it! So it automatically becomes a huge risk. Hence it becomes our responsibility to mitigate this risk as much as possible, which leads to this course of action.
Download link: https://github.com/RPTools/maptool/releases/tag/1.8.3