(cross posted from the
forums)
A vulnerability has been discovered in the Starbound server executable that allows writing non-arbitrary data to an arbitrary file that the user running the starbound_server executable has permissions to write to.
The mechanics of this vulnerability involves incorrectly validating sector names from the client.
This vulnerability affects versions Enraged Koala and lower. It is fixed in the current unstable and the current nightly. To workaround this issue run the server under a heavily restricted user account. Unfortunately, it is still possible to denial of service attack a server using the workaround. Thanks goes to members of the ##starbound-modding IRC channel for bringing this issue to our attention.
A vulnerability has been discovered in the Starbound server executable that allows players to gain admin privileges if they have been in the same area as an admin user.
The mechanics of this vulnerability involves cloning the uuid of the admin player.
This vulnerability affects all current versions; however, has been fixed in our repository and any nightly version dated after Jan 9 should be immune. To workaround, un /admin yourself before logging out. If you have logged out as /admin the last time you logged out, simply log in and un /admin yourself and log out. This exploit only functions if were an admin the last time you logged out or you were an /admin the last time an automatic store was running and haven't logged out yet.
To find out if you are currently an admin you may type: "/whoami"
More specific technical details will be forthcoming after the next stable update.