Security vulnerability brought by non-check inventory service
From OpenSimulator
(Difference between revisions)
(→Problem) |
(→Problem) |
||
Line 15: | Line 15: | ||
== Problem == | == Problem == | ||
− | With the following conditions, | + | With the following conditions, one can simply take over the full control(CRUD) of other user's inventory. |
# InventoryServer is exposed to the public. | # InventoryServer is exposed to the public. | ||
− | # | + | # user's UUID is given |
− | + | ||
+ | And [[Avatar_portability_version_2|AvatarPortability]] needs a public inventory server, | ||
+ | so we have to make a secure inventory sevice. | ||
== Solution == | == Solution == | ||
== Implementation == | == Implementation == |
Revision as of 08:03, 22 July 2008
Contents |
Agenda
To enable user avatar travel from a grid service to another grid service, There are 3 problems to be considered:
- How to enable foreign user login - Authentication
- (If a foreign user can login)How to get a foreign user's belongings(including appearance, inventory)
- Security
- This is discussed in this page
To achieve the 1st, client side changes are needed. SO, so far, I have only implemented the 2nd and the 3rd, and would like to explan my idea:
Problem
With the following conditions, one can simply take over the full control(CRUD) of other user's inventory.
- InventoryServer is exposed to the public.
- user's UUID is given
And AvatarPortability needs a public inventory server, so we have to make a secure inventory sevice.