[Opensim-dev] Important OpenSimulator Security update.
Frisby, Adam
adam at deepthink.com.au
Wed Nov 12 05:15:50 UTC 2008
Just a note, you need to make TWO edits to OpenSim.ini.
One for XEngine, one for dotnetengine - please make both changes.
Adam
> -----Original Message-----
> From: opensim-dev-bounces at lists.berlios.de [mailto:opensim-dev-
> bounces at lists.berlios.de] On Behalf Of Teravus Ovares
> Sent: Tuesday, 11 November 2008 8:05 PM
> To: opensim-dev
> Subject: [Opensim-dev] Important OpenSimulator Security update.
>
> Greetings everyone,
>
> Up until recently, the c#,vb,js compilers were enabled by default in
> the OpenSim.ini.example.
>
> A friend pointed out that many public regions exist where they are
> still enabled.
>
> Here's the deal. Those script compilers have access to static methods
> available in their associated libraries and are a huge security risk
> unless you've significantly hardened the underlying operating system
> running them.
>
> The fix is simple. Unless you've taken steps to harden your
> underlying operating system by sandboxing the simulator, do not enable
> those compilers on a public region.
>
> To turn them off, simply open up your OpenSim.ini and search it for the
> line;
> AllowedCompilers=lsl,cs,js,vb
>
> There are two of them. One for DotNetEngine. One for XEngine
>
> Simply change them to;
> AllowedCompilers=lsl
>
> After that, you will no longer be vulnerable.
>
> Please be aware as to the seriousness of this issue.
>
> If you don't take steps to ensure your OpenSimulator installation is
> secure. With a completely un-sandboxed simulator and cs,js, or vb
> enabled, someone can take complete control over the underlying
> operating system with a specially designed script.
>
> Best Regards
>
> Teravus
> _______________________________________________
> Opensim-dev mailing list
> Opensim-dev at lists.berlios.de
> https://lists.berlios.de/mailman/listinfo/opensim-dev
More information about the Opensim-dev
mailing list