Security vulnerability brought by non-check inventory service

From OpenSimulator

(Difference between revisions)
Jump to: navigation, search
(implementation)
(Problem)
Line 14: Line 14:
  
 
== Problem ==
 
== Problem ==
 +
 +
With the following conditions, by using this security hole, I can simply take over the full control(CRUD) of other user's inventory.
 +
# InventoryServer is exposed to the public.
 +
# I know the user's firstname, lastname
 +
(OSGrid.org satisfies the conditions)
  
 
== Solution ==
 
== Solution ==
  
 
== Implementation ==
 
== Implementation ==

Revision as of 07:31, 22 July 2008

User:Lulurun

Contents

Agenda

To enable user avatar travel from a grid service to another grid service, There are 3 problems to be considered:

  1. How to enable foreign user login - Authentication
  2. (If a foreign user can login)How to get a foreign user's belongings(including appearance, inventory)
  3. Security
    • This is discussed in this page

To achieve the 1st, client side changes are needed. SO, so far, I have only implemented the 2nd and the 3rd, and would like to explan my idea:

Problem

With the following conditions, by using this security hole, I can simply take over the full control(CRUD) of other user's inventory.

  1. InventoryServer is exposed to the public.
  2. I know the user's firstname, lastname

(OSGrid.org satisfies the conditions)

Solution

Implementation

Personal tools
General
About This Wiki