MapTool Vulnerability MT 1.7.0 and earlier - RPTools/maptool GitHub Wiki

Dear MapTool users,

Two very severe exploits have recently been brought to our attention.

MapTool versions 1.7 and earlier are vulnerable: attackers can use these exploits to access your files or run programs on a computer running a MapTool server, even if you have a password set. Version 1.8.3 of MapTool has fixed these exploits.

WE ADVISE EVERYONE TO UPGRADE AS SOON AS POSSIBLE.

DOWNLOAD LINKS TO VERSIONS EARLIER THAN 1.8 HAVE BEEN REMOVED AND ALL ACCESS TO THE RPTOOLS REGISTRY WILL BE LIMITED TO VERSION 1.8 AND NEWER.

Below we address what we expect to be the three main topics.

If you really don’t want to change

If you insist on using an older version, you can do things to protect your MapTool server:

  • You can use the Direct Connect option; this is still risky since hackers scan for vulnerable IP addresses all the time. You can mitigate the risk by creating a whitelist through the router that allows only certain IP addresses to connect. Not all routers will support this option.
  • You can disconnect from the internet or block all incoming internet traffic and use your personal LAN (connect via the LAN tab).
  • You can create a VPN for your server and the other clients (also connecting via the LAN tab).

Despite these precautions, anyone allowed to connect to your server will still be able to abuse these exploits in the older versions of MapTool!

If you’re running into issues

We expect some macros may run into trouble when used in the new version. If you run into issues due to this upgrade:

  • paste a link to a downloadable version of the framework (either to a Discord post or a forum post), and
  • give clear instructions on what is needed to recreate the issue, and state which MT version it does work with.

We've opened up a channel in Discord (https://discord.gg/7RT6Nssr7Q) just for this purpose: mt-1-8-1-framework-issues

Why now, why this

We are aware that this will force you and your players to upgrade, which brings its own hassle, and we are sincerely sorry for that, but we don't see any other way. You might wonder why now, and why so rigorous. All complex software contains exploitable parts; if the software is properly written and managed, the risk of someone finding and abusing them is very small (to give you an idea: this potential exploit remained undiscovered for 10 years). HOWEVER, as soon as an exploit is found and fixed in open source software (which is the case for MapTool), anyone can check what has been changed in the code, immediately identify the exploit, and use it! So it automatically becomes a huge risk. Hence it becomes our responsibility to mitigate this risk as much as possible, leading to this course of action.