[Opensim-users] Announcement of inventory tool (MyInventory), mostly of interest to grid operators/grid nauts

Fri Nov 16 13:36:44 UTC 2012

On Fri, Nov 16, 2012 at 2:14 PM, Diva Canto <diva at metaverseink.com> wrote:

> On 11/15/2012 11:34 PM, Snowcrash Short wrote:
>
>> I'm not terribly familiar with the terminology used by the core, to
>> somebody with my intelligence or lack thereof the number of interfaces and
>> their differences are a bit bewildering (but hey, my code is bewildering
>> too). The webservices I rely on can be found in the config files under
>> [AssetService] and [InventoryService]. E.g.
>> AssetServerURI = "http://assets.osgrid.org"
>> InventoryServerURI = "http://inventory.osgrid.org"
>>
>
> This would be a really bad idea, and I'll be the first to discourage grid
> operators from doing this. You're basically asking grid operators to place
> their internal inventory services on the Internet, which would put
> inventories at risk. Wiping out entire inventories would be trivial. (Yes,
> osgrid does this, but that's because it has no choice, given its purpose
> and configuration)
>
> Any grid that allows open access to attach regions are open to this
vulnerability, the security breach exists irrespective of my project. The
good news is that it should be quite trivial to toughen the services.
Initially I thought that the principal id used in some of the XInventory
method calls were session id's, I was quite surprised that they were avatar
id's.

These services are designed to be called by the simulators *only*. They are
> devoid of any security or permissions checks *whatsoever*. They're
> basically just getters/setters for the database. That's on purpose; in a
> system like what we have at hand, the simulators are the ones doing the
> security / permissions checks, so doing them again in the backend
> [internal] services would be redundant.
>
> Yes, I was quite surprised when my research revealed this fact, it would
be quite trivial to rip quite a lot of assets from the asset service.

> That's why we have been designing other services on top of the database,
> the HG services, which toughen security. So pointing this to the HG
> services might make sense. You'll find those configs in the HG versions of
> the configuration files under the [LoginService] section.
>
> Using the HG services might be a way forward in some scenarioes, but it
would not alleviate the issues that non open grids face.
Currently MyInventory has two means of uploading content, the traditional
UDP/CAPS methods used by traditional viewers, which has the side effect of
always creating new assets just like the traditional viewer does. The
second is uploading via the "internal" web-interfaces, the benefit of this
is a reduction in the number of duplicate assets being created.

As things stand now, the inventory and asset servers are quite vulnerable,
and this vulnerability has nothing to do with my project, but I'm
definitely willing to help address these vulnerabilities, where I have
detected them.

> ______________________________**_________________
> Opensim-users mailing list
> Opensim-users at lists.berlios.de
> https://lists.berlios.de/**mailman/listinfo/opensim-users<https://lists.berlios.de/mailman/listinfo/opensim-users>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://opensimulator.org/pipermail/opensim-users/attachments/20121116/65e98a88/attachment.html>