So i love all the plugins i have i have every plugin except hide and anticheat. If i need help or support with the plugins the staff team responds to me in under 1minute. I would recomend the plugins in you want a premium expirience.
Bought this for my server after having issues with Themis constantly flagging people for no apparent reason. Those issues are now mostly gone but sometimes people get kicked for using spears and/or riding players. Other than that there haven't been a ton of major issues. Works pretty well.
You can open ticket on our Discord and share your logs, so we can check if it's something that can be improved with configuration or if the change is needed in Themis itself.
The plugin for me doesnt work. im on 1.21.11. the discord hasnt gave me a license yet. And theres no auto generated folder for me so I can write the license. I need help. The discord server is taking forever.
Hey
The plugin does not require any license at all, so thereās nothing you need to enter or generate
If the plugin shows red in /plugins and no folder is created, it means the plugin is failing to load, not a license issue. Please check your server console for errors that will tell exactly whatās wrong.
Also, you opened the wrong ticket earlier which delayed things a bit, and support timing can vary due to timezones.
Weāre here to help
Please send your console error and weāll fix it quickly
All I can say is thank you so much Char, for your amazing work, for your patience, for make part of the best minecraft templates for stores.. And I hope just good words and good times for you. Boona is really an outstanding tebex theme, with alot of customisation available and a really great Support team!
It may work as it is but i identified multiple potential security issues (around 11) total found and i do not recommend, unless only in testing enviroment unless fixed. However, I am not making any accusations. The extension does not clearly state whether it is secure or not, but it does claim that āthe code includes both fallback mechanisms and security featuresā which naturally gives buyers a level of trust and expectation regarding its safety.
The SSO secret key gets exposed in plain URL query strings (visible in logs, browser history, proxies). Also, redirect URLs from the panel are never validated, meaning a compromised panel could redirect your users anywhere. Anyone who can see server logs, network traffic, or even your browser history can steal that key and log in as any user on your panel.
The extension blindly trusts whatever URL the panel tells it to redirect to. If someone hacks your panel, they can make the "Manage Server" button send your customers to a fake/phishing website instead.
If the panel returns a webpage instead of proper data, the extension tries to extract a redirect link from the raw HTML. This is dangerous because it trusts whatever the panel says without checking it.
If a customer can set a custom server name, that name goes straight to Pterodactyl with zero filtering. This could allow someone to inject malicious content that appears in your panel dashboard.
When a server is created, egg variables (like DATABASE_PASSWORD, ADMIN_PASSWORD) can be overridden by whatever is in the order settings, meaning a clever customer could potentially manipulate sensitive server configuration values at order time.
The extension never explicitly requires a valid SSL certificate when talking to your panel. If someone intercepts traffic between Paymenter and Pterodactyl (man-in-the-middle attack), they could read or modify API calls including your admin API key.
If someone enters -1, 0, or a non-number as a port in the port array, it goes straight to the API without any check. This could cause unexpected behavior or be exploited to mess with port allocation.
The extension writes user IDs, panel URLs, and full error stack traces to your log files. If anyone gains read access to your logs (a hacker, a disgruntled employee), they get a detailed map of your infrastructure.
Server ID guessing, the error messages behave differently depending on whether a server exists or not. A bad actor could loop through IDs and figure out exactly which service IDs have active servers on your panel.
The CPU pinning field (e.g. 0,2-4) is validated on the settings form, but when actually creating the server that value is used without being checked again. Someone bypassing the form could send garbage values directly to the API.
If two server creation requests for the same order fire at the same time (e.g. a double-click or a billing glitch), both could try to create the same server simultaneously and cause errors or duplicate entries.
Some issues are catched from the Pterodactyl panel directly, however Pterodactyl does NOT guarantee it will stay like that forever, and the code may change at any time.
Overall the SSO implementation is particularly concerning, transmitting secrets via GET parameters is a basic security mistake that exposes credentials to anyone with access to server logs or network traffic.
This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
By continuing to use this site, you are consenting to our use of cookies.