Security vulnerability brought by non-check inventory service
From OpenSimulator
Contents |
Agenda
To enable user avatar travel from a grid service to another grid service, There are 3 problems to be considered:
- How to enable foreign user login - Authentication
- (If a foreign user can login)How to get a foreign user's belongings(including appearance, inventory)
- Security
- This is discussed in this page
To achieve the 1st, client side changes are needed. SO, so far, I have only implemented the 2nd and the 3rd, and would like to explan my idea:
Problem
With the following conditions, one can simply take over the full control(CRUD) of other user's inventory.
- InventoryServer is exposed to the public.
- user's UUID is given
Simply describe in the following figure:
- InventoryServer is a normal http server, the normal way to use it is:
- user get the authentication from UserServer
- user control its inventory through RegionServer
- But since the InventoryServer accepts any request without check if the user is authenticated, or, even it does not check if the request is from a RegionServer.
- So, if you know other users' UUID, you can send CRUD http requests directly to the InventoryServer without login.
And AvatarPortability needs a public inventory server, so we have to make a secure one.
Solution
- every inventory operation packet contains a "session_id" field, but it is never used.
- so, a secure inventory service could be like this
- "session_id" is a important information, that is(should be) only transfered in a login session.
- "expect_user" transfer "session_id" from UserServer to RegionServer only when the authentication is OK, so "expect_user" is safe.
- method, such like "get_agent_by_uuid" is very dangerous.
Configuration
- RegionServer side
- OpenSim.ini
- InventoryServer side
- InventoryServer_Config.xml