Security vulnerability brought by non-check inventory service

Revision as of 08:11, 22 July 2008

To enable user avatar travel from a grid service to another grid service, There are 3 problems to be considered:

How to enable foreign user login - Authentication
(If a foreign user can login)How to get a foreign user's belongings(including appearance, inventory)
Security
- This is discussed in this page

To achieve the 1st, client side changes are needed. SO, so far, I have only implemented the 2nd and the 3rd, and would like to explan my idea:

With the following conditions, one can simply take over the full control(CRUD) of other user's inventory.

Simply describe in the following figure:

InventoryServer is a normal http server, the normal way to use it is:
- user get the authentication from UserServer
- user control its inventory through RegionServer
But since the InventoryServer accepts any request without check if the user is authenticated, or, even it does not check if the request is from a RegionServer.
So, if you know other users' UUID, you can send CRUD http requests directly to the InventoryServer without login.

And AvatarPortability needs a public inventory server, so we have to make a secure one.

@@ Line 25: / Line 25: @@
 *But since the InventoryServer accepts any request without check if the user is authenticated, or, even it does not check if the request is from a RegionServer.
 *So, if you know other users' UUID, you can send CRUD http requests directly to the InventoryServer without login.
+[[Image:secure_inventory_1.PNG]]
 And [[Avatar_portability_version_2|AvatarPortability]] needs a public inventory server,