Security vulnerability brought by non-check inventory service

From OpenSimulator

Revision as of 09:03, 22 July 2008 by Lulurun (Talk | contribs)

Jump to: navigation, search

User:Lulurun

Contents

Agenda

To enable user avatar travel from a grid service to another grid service, There are 3 problems to be considered:

  1. How to enable foreign user login - Authentication
  2. (If a foreign user can login)How to get a foreign user's belongings(including appearance, inventory)
  3. Security
    • This is discussed in this page

To achieve the 1st, client side changes are needed. SO, so far, I have only implemented the 2nd and the 3rd, and would like to explan my idea:

Problem

With the following conditions, one can simply take over the full control(CRUD) of other user's inventory.

  1. InventoryServer is exposed to the public.
  2. user's UUID is given

And AvatarPortability needs a public inventory server, so we have to make a secure inventory sevice.

Solution

Implementation

Personal tools
General
About This Wiki