Security vulnerability brought by non-check inventory service
From OpenSimulator
(Difference between revisions)
												
			|  (→Configuration) | m (Robot: Cosmetic changes) | ||
| (12 intermediate revisions by 6 users not shown) | |||
| Line 1: | Line 1: | ||
| − | + | __NOTOC__ | |
| − | + | {{Quicklinks}} | |
| − | + | <br /> | |
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| == Problem == | == Problem == | ||
| Line 20: | Line 10: | ||
| Simply describe in the following figure: | Simply describe in the following figure: | ||
| − | *InventoryServer is a normal http server, the normal way to use it is: | + | * InventoryServer is a normal http server, the normal way to use it is: | 
| − | **user get the authentication from UserServer | + | ** user get the authentication from UserServer | 
| − | **user control its inventory through RegionServer | + | ** user control its inventory through RegionServer | 
| − | *But since the InventoryServer accepts any request without check if the user is authenticated, or, even it does not check if the request is from a RegionServer. | + | * But since the InventoryServer accepts any request without check if the user is authenticated, or, even it does not check if the request is from a RegionServer. | 
| − | *So, if you know other users' UUID, you can send CRUD http requests directly to the InventoryServer without login. | + | * So, if you know other users' UUID, you can send CRUD http requests directly to the InventoryServer without login. | 
| [[Image:secure_inventory_1.PNG]] | [[Image:secure_inventory_1.PNG]] | ||
| − | And [[ | + | And [[Avatar portability version 2|AvatarPortability]] needs a public inventory server, | 
| so we have to make a secure one. | so we have to make a secure one. | ||
| Line 37: | Line 27: | ||
| [[Image:secure_inventory_2.PNG]] | [[Image:secure_inventory_2.PNG]] | ||
| * "session_id" is a important information, that is(should be) only transfered in a login session. | * "session_id" is a important information, that is(should be) only transfered in a login session. | ||
| − | **"expect_user" transfer "session_id" from UserServer to RegionServer only when the authentication is OK, so "expect_user" is safe. | + | ** "expect_user" transfer "session_id" from UserServer to RegionServer only when the authentication is OK, so "expect_user" is safe. | 
| − | **method, such like "get_agent_by_uuid" is very dangerous. | + | ** method, such like "get_agent_by_uuid" is very dangerous. | 
| == Configuration == | == Configuration == | ||
| Line 46: | Line 36: | ||
|   inventory_server_url = http://127.0.0.1:8004 |   inventory_server_url = http://127.0.0.1:8004 | ||
|   '''secure_inventory_server''' = true / false |   '''secure_inventory_server''' = true / false | ||
| − | * if the inventory server specified by "inventory_server_url" is a "secure" inventory server, | + | * if the inventory server specified by "inventory_server_url" is a "secure" inventory server, set "secure_inventory_server = true". Then, inventory requests from the region server will have the user's session_id attached | 
| − | set "secure_inventory_server = true",  | + | * else, set "secure_inventory_server = false". In this case, session_id is not attached to inventory requests. | 
| − | + | ** Setting secure_inventory_server to false is only useful when you want your region server to connect to an '''old inventory server''' which does not expect a session_id. | |
| − | * else, set secure_inventory_server = false | + | |
| − | **  | + | |
| − | + | ||
| === InventoryServer side === | === InventoryServer side === | ||
| * in InventoryServer_Config.xml, | * in InventoryServer_Config.xml, | ||
|   '''session_lookup''' = true / false |   '''session_lookup''' = true / false | ||
| − |   (* for  | + |   (* for session_lookup please also refer the picture above) | 
| − | * if you want inventory server to validate  | + | * if you want the inventory server to validate each incoming inventory request by session_id, set session_lookup = true | 
| * else, set session_lookup = false | * else, set session_lookup = false | ||
| − | **  | + | ** Setting session_lookup to false makes inventory server accept any request from any client. | 
| − | * NOTE | + | === *NOTE* === | 
| − | *  | + | * Regardless of whether '''session_lookup''' is true or false, '''new inventory server''' requires a session_id in every inventory request. If you want your region server to connect to a '''new inventory server''', you should always set '''secure_inventory_server = true''' in OpenSim.ini. | 
| + | ** Here '''new inventory server''' means inventory server after SVN revision 5600. | ||
Latest revision as of 21:11, 3 March 2012
[edit] Problem
With the following conditions, one can simply take over the full control(CRUD) of other user's inventory.
- InventoryServer is exposed to the public.
- user's UUID is given
Simply describe in the following figure:
-  InventoryServer is a normal http server, the normal way to use it is:
- user get the authentication from UserServer
- user control its inventory through RegionServer
 
- But since the InventoryServer accepts any request without check if the user is authenticated, or, even it does not check if the request is from a RegionServer.
- So, if you know other users' UUID, you can send CRUD http requests directly to the InventoryServer without login.
And AvatarPortability needs a public inventory server, so we have to make a secure one.
[edit] Solution
- every inventory operation packet contains a "session_id" field, but it is never used.
- so, a secure inventory service could be like this
-  "session_id" is a important information, that is(should be) only transfered in a login session.
- "expect_user" transfer "session_id" from UserServer to RegionServer only when the authentication is OK, so "expect_user" is safe.
- method, such like "get_agent_by_uuid" is very dangerous.
 
[edit] Configuration
[edit] RegionServer side
- in OpenSim.ini, [Network] section,
inventory_server_url = http://127.0.0.1:8004 secure_inventory_server = true / false
- if the inventory server specified by "inventory_server_url" is a "secure" inventory server, set "secure_inventory_server = true". Then, inventory requests from the region server will have the user's session_id attached
-  else, set "secure_inventory_server = false". In this case, session_id is not attached to inventory requests.
- Setting secure_inventory_server to false is only useful when you want your region server to connect to an old inventory server which does not expect a session_id.
 
[edit] InventoryServer side
- in InventoryServer_Config.xml,
session_lookup = true / false (* for session_lookup please also refer the picture above)
- if you want the inventory server to validate each incoming inventory request by session_id, set session_lookup = true
-  else, set session_lookup = false
- Setting session_lookup to false makes inventory server accept any request from any client.
 
[edit] *NOTE*
-  Regardless of whether session_lookup is true or false, new inventory server requires a session_id in every inventory request. If you want your region server to connect to a new inventory server, you should always set secure_inventory_server = true in OpenSim.ini.
- Here new inventory server means inventory server after SVN revision 5600.
 










 
                
