essentialsx.net Open in urlscan Pro
2606:4700:3032::ac43:d119  Public Scan

Form analysis
0 forms found in the DOM

Text Content

Community Wiki Downloads


PSA: DO NOT USE MOHIST.


A WARNING ABOUT MALICIOUS BEHAVIOUR AND THE DANGERS OF RUNNING UNTRUSTED CODE.

Note: this PSA is not about whether or not we will help you if you run Mohist.
That question is answered on the official EssentialsX downloads page and
changelogs.
This PSA is about security and dangerous behaviour by the Mohist project.

It has come to our attention that as of 10th April 2021, Mohist tricks users
into deleting official plugin jars and installing unofficial modified builds.
Not only is this behaviour shady, but it also poses significant risk to users
who don't know what software they're running.

As a result, we strongly recommend that you do not use or support the Mohist
project in any way going forwards. We cannot guarantee the safety or
functionality of unofficial builds of EssentialsX, and you should avoid using
Mohist where possible. There are countless alternatives that are safer and more
functional, and these alternatives are listed at the bottom of this page.


CONTEXT

FORGE, BUKKIT AND HYBRID SERVERS

For almost as long as Forge and Bukkit have co-existed, there have been several
projects which aim to allow Forge mods and Bukkit plugins to run alongside each
other on the same server. The issue with this, however, is that Bukkit was never
designed to support mods, and Forge was never designed to work with the rigid
Bukkit API. This means that generally these forks require considerable
modifications to the CraftBukkit and Forge server code, and if done wrong this
leads to both plugins and mods working in unexpected ways.

MOHIST AND THE BUKKIT API

However, over the past year, instead of trying to implement the Bukkit API
properly, the Mohist project has chosen to make several breaking changes to the
CraftBukkit code patches it uses. These changes fundamentally break how the
Bukkit API is designed to function:

 * Injecting block/item types added by Forge into the Bukkit Material enum
   twice:
   Some mods add blocks/items with the same name as vanilla or other mods.
   Mohist injects Forge items and blocks into Bukkit's Material class, but
   somehow managed to register the same material more than once. Enums in Java
   should only contain one instance per identifier, and this means any plugin
   trying to interact with items or blocks is prone to breaking with no warning.
   This also means any plugins that register default permissions for materials
   will break.
 * Re-creating the Bukkit Player object:
   Bukkit's Player interface allows plugins to access online players on the
   server, and is a core part of the Bukkit API. On a standard CraftBukkit-based
   server, the Player implementation is kept around while the player is online
   even if the player entity changes (ie when it dies), and updates itself
   accordingly based on what happens in the underlying Mojang code.
   However, Mohist changes this behaviour so that the Bukkit Player is replaced
   every time the player dies, even though this class is supposed to wrap around
   the underlying player entity and update when it changes! This broke the
   majority of EssentialsX, as the Player we use becomes detached from the
   actual server whenever someone dies.

These changes (and likely others too) consequently break several plugins,
including but not limited to EssentialsX. Despite being warned that these are
breaking changes and will cause issues, the Mohist project has refused to fix
their implementation of Bukkit, and instead has employed further workarounds to
hide issues with plugins.

MOHIST'S DANGEROUS "PLUGIN CHECKER"

On 10th April 2021, Mohist added a "plugin checker", which scans for plugins
that Mohist breaks and shows the following message:



Not only is this message misleading (implying that EssentialsX is at fault when
the real issue is on Mohist's end), but it tricks users into deleting the
software they downloaded from a trusted source and running arbitrary code from
an unknown source, without telling the user what is wrong with the plugin they
downloaded, how the "correct version" is any better, or where the "correct"
version even originates from. Many users who see this prompt will not understand
that Mohist is downloading and running arbitrary modified code instead of the
official plugin jars they downloaded. Furthermore, this mechanism could very
easily be abused to download malware, hidden behind the names of other
well-known projects and using the excuse of "fixes".

There are several better ways the Mohist team can rectify their issues, but the
correct way is this: write a compliant Bukkit API implementation. Other similar
projects already achieve this, without relying on tricking users into
downloading and executing unknown code. Mohist's decision to mislead users into
downloading untrusted code shows that they do not care about the security of
their users.


ALTERNATIVES TO MOHIST AND HYBRID SERVERS

There are countless alternative hybrid servers that attempt to run Bukkit
plugins on top of Forge, but many suffer from similar incompatibilities as
Mohist does.

However, if you're running a 1.12.2 server, SpongeForge is a mature and
well-engineered solution which allows running a rich ecosystem of SpongeAPI
plugins alongside Forge mods. SpongeAPI is designed to support the nuances of
modded platforms, and in general Sponge plugins work seamlessly with Forge mods
- for example, Nucleus includes almost every feature of EssentialsX and more,
and is 100% compatible with mods. Many Bukkit plugins also have equivalent
Sponge ports, and some (such as LuckPerms) even allow you to use your existing
Bukkit data when you switch to Sponge.

For newer versions of Minecraft, SpongeForge currently isn't available. However,
there is a wide selection of server-side mods for Forge and Fabric that can
replace plugins, which you can find sites like on CurseForge and Modrinth. For
example, FTB Essentials for Forge includes features similar to EssentialsX,
while FTB Chunks allows for land claims and protection.

5,868,310 downloads across BukkitDev and SpigotMC
Downloads 5.87m downloads
View all changelogs
Latest release 2.19.4
Visit the build server
Jenkins b1372
4842 people chatting on Discord
Discord 4.8k online
Visit us on GitHub
GitHub 1332 stars
View the website source code
Website a4b3b90
Change the website theme



Website copyright © 2019-2021 EssentialsX Team, 2015-2021 EssentialsX wiki
contributors except where otherwise noted.

???