Security vulnerability brought by non-check inventory service
From OpenSimulator
Revision as of 07:31, 22 July 2008
Agenda
To enable a user's avatar to travel from one grid service to another, there are three problems to be considered:
- How to enable foreign user login (authentication)
- (If a foreign user can log in) how to get a foreign user's belongings (including appearance and inventory)
- Security
  - This is discussed on this page
Achieving the first requires client-side changes. So far, I have only implemented the second and the third, and would like to explain my idea:
Problem
Under the following conditions, this security hole lets me simply take full control (CRUD: create, read, update and delete) of another user's inventory:
- InventoryServer is exposed to the public.
- I know the user's first name and last name.
(OSGrid.org satisfies these conditions.)