Security vulnerability brought by non-check inventory service

From OpenSimulator

Revision as of 07:31, 22 July 2008 by Lulurun (Talk | contribs)

Jump to: navigation, search

User:Lulurun

Contents

Agenda

To enable user avatar travel from a grid service to another grid service, There are 3 problems to be considered:

  1. How to enable foreign user login - Authentication
  2. (If a foreign user can login)How to get a foreign user's belongings(including appearance, inventory)
  3. Security
    • This is discussed in this page

To achieve the 1st, client side changes are needed. SO, so far, I have only implemented the 2nd and the 3rd, and would like to explan my idea:

Problem

With the following conditions, by using this security hole, I can simply take over the full control(CRUD) of other user's inventory.

  1. InventoryServer is exposed to the public.
  2. I know the user's firstname, lastname

(OSGrid.org satisfies the conditions)

Solution

Implementation

Retrieved from "http://opensimulator.org/index.php?title=Security_vulnerability_brought_by_non-check_inventory_service&oldid=6840"
Personal tools
General
About This Wiki