[Opensim-dev] FORMAL NOTIFICATION OF SECURITY FLAWS (Round 1)

AJLDuarte ajlduarte at sapo.pt
Fri Sep 30 15:24:24 UTC 2016


Hi
	Thanks for this notification.
	But this is a public mailing list, so you have already made this
notification public.
	Please use Mantis to report security flaws:
	http://opensimulator.org/mantis/bug_report_page.php
	You have there an option to set the report private. Please activate
it.
	Luckily this whole set of flaws is already known to this list's
subscribers, so no harm done.

	Maybe you should also report flaw 1 to Linden Labs.

	We do thank you for this notification, and you are always welcome to join us
in the design and execution of a workable solution.
Regards,
Leal Duarte ( Ubit )


-----Original Message-----
From: opensim-dev-bounces at opensimulator.org
[mailto:opensim-dev-bounces at opensimulator.org] On Behalf Of Maxwell, Douglas
CIV USARMY RDECOM ARL (US)
Sent: Friday, September 30, 2016 13:28
To: opensim-dev at opensimulator.org
Subject: [Opensim-dev] FORMAL NOTIFICATION OF SECURITY FLAWS (Round 1)

This email serves as a formal notification of high priority security flaws
found in the Open Simulator code by the MOSES team to the Open Simulator
Developers. We are allowing 90 days for a response to the list outlined in
the paragraphs that follow before we publish technical specifics of these
vulnerabilities in a public venue. These vulnerabilities apply to both the core
Open Simulator architecture and Hypergrid technology.

1.  UUIDs of assets and session IDs are transmitted in plain text between
server and client.
2.  Any HTTP call made from a script can be traced to the host machine it
is calling from. A script can serve as a crude HTTP proxy, allowing a grid
to participate in DDoS attacks, botnets, or even a poor-man's Tor. Grid
owners would not even know their servers were being used in this way.
3.  A misconfigured grid allows commands to be called from a client.
Since the session IDs of an administrator are transmitted in the clear,
anyone can execute operating-system-level commands without knowing the
credentials of the administrator.
4.  C# and other languages supported by Open Simulator scripting are not API
restricted. A C# script can read/write the local file system of the server,
open arbitrary network sockets, and make primary networking calls. In other
words, a user without credentials on your server can own it.

We are calling for the Developer community to examine these vulnerabilities
and join us in the design and execution of a workable solution.

Douglas Maxwell, Ph.D.
Science and Technology Manager
Virtual World Strategic Applications
U.S. Army Research Lab
Human Research & Engineering Directorate
(c) (407) 242-0209
_______________________________________________
Opensim-dev mailing list
Opensim-dev at opensimulator.org
http://opensimulator.org/cgi-bin/mailman/listinfo/opensim-dev
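As an added example that is not part of either message above: the OpenSim.ini settings a grid operator would review against flaws 2, 3 and 4, with the weak value commented out beside the hardened one. The section and key names are as I recall them from OpenSim.ini.example and must be checked against the deployed version; reading "commands called from a client" in flaw 3 as the RemoteAdmin XML-RPC interface is an assumption, and the OutboundDisallowForUserScripts key is assumed to exist in the version in use.

```ini
; Added example, not from the thread. Assumes the XEngine script engine
; and that flaw 3 refers to the RemoteAdmin interface (assumption).

[RemoteAdmin]
    ; Weak: enabled with a blank password, so any client that can reach the
    ; port can issue admin commands, and a session ID captured in the clear
    ; (flaw 1/3) is all an attacker needs.
    ; enabled = true
    ; access_password = ""
    enabled = false
    ; If the interface must stay on, require a strong secret and limit the
    ; source addresses (placeholder value, replace before use).
    ; access_password = "CHANGE-ME-long-random-secret"
    ; access_ip_addresses = 127.0.0.1

[XEngine]
    ; Weak: every compiler enabled, so any user who can drop a script into a
    ; region can upload C# with full .NET access to files and sockets (flaw 4).
    ; AllowedCompilers = lsl,cs,vb
    AllowedCompilers = lsl
    ; Keep the OSSL functions with elevated threat levels off unless needed.
    AllowOSFunctions = false
    OSFunctionThreatLevel = VeryLow

[Network]
    ; Limits where script HTTP requests (flaw 2) may connect; this only
    ; stops scripts reaching internal address ranges, it does not stop the
    ; grid being used as an outbound proxy. Key assumed to exist in this version.
    OutboundDisallowForUserScripts = 0.0.0.0/8|10.0.0.0/8|127.0.0.0/8|169.254.0.0/16|172.16.0.0/12|192.168.0.0/16
```

After changing these, restart the simulator and confirm from the console that only the LSL compiler is listed and that the RemoteAdmin port is no longer listening; the outbound restriction should additionally be backed by egress filtering on the host, since configuration alone does not reveal which scripts are already making HTTP calls.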