Security vulnerability brought by non-check inventory service
From OpenSimulator
(Difference between revisions)
(→RegionServer side) |
(→RegionServer side) |
||
| Line 32: | Line 32: | ||
inventory_server_url = http://127.0.0.1:8004 | inventory_server_url = http://127.0.0.1:8004 | ||
'''secure_inventory_server''' = true / false | '''secure_inventory_server''' = true / false | ||
| − | * if the inventory server specified by "inventory_server_url" is a "secure" inventory server,set "secure_inventory_server = true", | + | * if the inventory server specified by "inventory_server_url" is a "secure" inventory server, set "secure_inventory_server = true". Then, inventory requests from the region server will have the user's session_id attached |
| − | * else, set secure_inventory_server = false | + | * else, set "secure_inventory_server = false". In this case, session_id is not attached to inventory requests. |
| − | ** | + | ** Setting secure_inventory_server to false is only useful when you want your region server to connect to an '''old inventory server''' which does not expect a session_id. |
=== InventoryServer side === | === InventoryServer side === | ||
Revision as of 23:52, 11 August 2008
Contents |
Problem
With the following conditions, one can simply take over the full control(CRUD) of other user's inventory.
- InventoryServer is exposed to the public.
- user's UUID is given
Simply describe in the following figure:
- InventoryServer is a normal http server, the normal way to use it is:
- user get the authentication from UserServer
- user control its inventory through RegionServer
- But since the InventoryServer accepts any request without check if the user is authenticated, or, even it does not check if the request is from a RegionServer.
- So, if you know other users' UUID, you can send CRUD http requests directly to the InventoryServer without login.
And AvatarPortability needs a public inventory server, so we have to make a secure one.
Solution
- every inventory operation packet contains a "session_id" field, but it is never used.
- so, a secure inventory service could be like this
- "session_id" is a important information, that is(should be) only transfered in a login session.
- "expect_user" transfer "session_id" from UserServer to RegionServer only when the authentication is OK, so "expect_user" is safe.
- method, such like "get_agent_by_uuid" is very dangerous.
Configuration
RegionServer side
- in OpenSim.ini, [Network] section,
inventory_server_url = http://127.0.0.1:8004 secure_inventory_server = true / false
- if the inventory server specified by "inventory_server_url" is a "secure" inventory server, set "secure_inventory_server = true". Then, inventory requests from the region server will have the user's session_id attached
- else, set "secure_inventory_server = false". In this case, session_id is not attached to inventory requests.
- Setting secure_inventory_server to false is only useful when you want your region server to connect to an old inventory server which does not expect a session_id.
InventoryServer side
- in InventoryServer_Config.xml,
session_lookup = true / false (* for the session_lookup please also refer the above picture.)
- if you want inventory server to validate the incoming session_id, set session_lookup = true
- else, set session_lookup = false
- this makes inventory server accept any request, just like before.
*NOTE*
- no matter session_lookup is true or false, new inventoryserver requires session_id in every inventory request. if you want your regionserver to connect to a new inventoryserver, you should always set secure_inventory_server = true in OpenSim.ini.
- here new inventoryserver means inventoryserver after svn revision 5600.
