[Opensim-dev] Important OpenSimulator Security update.

Teravus Ovares teravus at gmail.com
Wed Nov 12 04:05:22 UTC 2008


Greetings everyone,

Up until recently, the C#, VB, and JS compilers were enabled by default in
OpenSim.ini.example.

A friend pointed out that many public regions exist where they are
still enabled.

Here's the deal.  Those script compilers have access to static methods
available in their associated libraries and are a huge security risk
unless you've significantly hardened the underlying operating system
running them.

The fix is simple. Unless you've taken steps to harden your
underlying operating system by sandboxing the simulator, do not enable
those compilers on a public region.

To turn them off, simply open up your OpenSim.ini and search it for the line:
AllowedCompilers=lsl,cs,js,vb

There are two of them: one for DotNetEngine and one for XEngine.

Simply change them to:
AllowedCompilers=lsl

After that, you will no longer be vulnerable.

Please be aware of the seriousness of this issue.

If you don't take steps to ensure your OpenSimulator installation is
secure, then with a completely un-sandboxed simulator and cs, js, or vb
enabled, someone can take complete control over the underlying
operating system with a specially designed script.

Best Regards

Teravus
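
An added example, not part of the original message or of OpenSimulator's own code: a Python audit that finds every active AllowedCompilers line in an OpenSim.ini that enables anything beyond lsl, plus a rewrite to the value given above. The sample file and its section headers are constructed for illustration, and the script assumes that lines starting with ";" are comments.

```python
import re

# Constructed sample, not a real OpenSim.ini; section headers are assumed.
SAMPLE_INI = """\
[DotNetEngine]
; AllowedCompilers=lsl
AllowedCompilers=lsl,cs,js,vb

[XEngine]
Enabled = true
AllowedCompilers = lsl
"""

SAFE = {"lsl"}  # the only compiler the message says to leave enabled

def _compilers(line):
    """Return the compiler set of an active AllowedCompilers line, else None."""
    line = line.strip()
    if not line or line.startswith(";"):      # blank or commented out
        return None
    key, sep, value = line.partition("=")
    # Key matched case-insensitively to be conservative (assumption).
    if not sep or key.strip().lower() != "allowedcompilers":
        return None
    return {c.strip().lower() for c in value.split(",") if c.strip()}

def audit_allowed_compilers(text):
    """List (line_no, section, extra_compilers) for each risky setting."""
    findings, section = [], None
    for line_no, raw in enumerate(text.splitlines(), start=1):
        header = re.fullmatch(r"\[(.+)\]", raw.strip())
        if header:
            section = header.group(1).strip()
            continue
        compilers = _compilers(raw)
        if compilers is not None and compilers - SAFE:
            findings.append((line_no, section, sorted(compilers - SAFE)))
    return findings

def harden(text):
    """Set every active AllowedCompilers line to lsl only; keep the rest."""
    lines = ["AllowedCompilers=lsl" if _compilers(raw) is not None else raw
             for raw in text.splitlines()]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    for line_no, section, extra in audit_allowed_compilers(SAMPLE_INI):
        print(f"line {line_no} [{section}]: disable {', '.join(extra)}")
```

Run the audit against every engine section, since the setting appears once per script engine and fixing only one leaves the other exposed.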


