
Cloud Vulnerability DB
A community-led vulnerabilities database
A security vulnerability (GHSA-j5qg-w9jg-3wg3) was discovered in PocketMine-MP versions prior to 4.0.3, affecting the operator (op) permission system. The vulnerability allowed players to make themselves impossible to de-op through commands by adding their name to ops.txt with uppercase letters. This issue was originally reported in iTXTech/Genisys and was patched in PocketMine-MP version 4.0.3 (GitHub Advisory).
The vulnerability stems from how operator permissions were checked using Config->exists() with the lowercase=true parameter. When a player's name was added to ops.txt with uppercase letters, the deop command would only remove the lowercase version of the name, leaving the uppercase version intact. This occurred because the permission check would match the lowercase version, but the actual removal operation wouldn't affect the uppercase entry (GitHub Advisory). The vulnerability has been assigned a CVSS score of 3.3 (Low severity) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N (GitHub Advisory).
The vulnerability allowed players to maintain operator privileges even after administrators attempted to remove them through the deop command. For example, if a player named 'PotterHarry98' was listed in ops.txt, using the command 'deop PotterHarry98' would only remove 'potterharry98' from ops.txt while leaving 'PotterHarry98' intact, effectively maintaining their operator status (GitHub Advisory).
The vulnerability was patched in PocketMine-MP version 4.0.3. For affected versions, administrators can manually remove the problematic entries from the ops.txt file as a workaround. The permanent fix implemented in version 4.0.3 modifies the operator removal process to check for and remove entries regardless of letter case (GitHub Advisory, PocketMine Commit).
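The following Python sketch is an added example, not PocketMine-MP's code: it models the case-insensitive lookup and the lowercase-only removal described above, next to the case-insensitive removal described for 4.0.3, and adds an audit helper for the manual workaround. The one-name-per-line ops.txt layout, the sample names other than PotterHarry98, and all function names are assumptions.

```python
"""Model of the ops.txt case mismatch described above (illustrative only)."""

# Constructed sample: one operator name per line (assumed ops.txt layout).
SAMPLE_OPS_TXT = "steve\nPotterHarry98\nalex\n"


def parse_ops(text):
    """Return the non-empty, stripped entries of an ops.txt-style file."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def is_op(entries, name):
    """Case-insensitive membership test, like the check the advisory describes."""
    return name.lower() in {e.lower() for e in entries}


def deop_vulnerable(entries, name):
    """Pre-4.0.3 behaviour as described: only the lowercase spelling is removed."""
    return [e for e in entries if e != name.lower()]


def deop_fixed(entries, name):
    """Behaviour described for 4.0.3: drop every entry that matches in any case."""
    return [e for e in entries if e.lower() != name.lower()]


def audit(entries):
    """Entries a lowercase-only deop cannot remove: names not already lowercase."""
    return [e for e in entries if e != e.lower()]


if __name__ == "__main__":
    ops = parse_ops(SAMPLE_OPS_TXT)
    print("entries needing manual removal:", audit(ops))
    after = deop_vulnerable(ops, "PotterHarry98")
    print("vulnerable deop, still op?", is_op(after, "PotterHarry98"))
    after = deop_fixed(ops, "PotterHarry98")
    print("fixed deop, still op?", is_op(after, "PotterHarry98"))
```

On a server that cannot be upgraded yet, the names returned by `audit` are the ones to remove from ops.txt by hand.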
Source: This report was generated using AI