<br><br><div class="gmail_quote">On Fri, Nov 16, 2012 at 2:14 PM, Diva Canto <span dir="ltr"><<a href="mailto:diva@metaverseink.com" target="_blank">diva@metaverseink.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div class="im">On 11/15/2012 11:34 PM, Snowcrash Short wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
I'm not terribly familiar with the terminology used by the core, to somebody with my intelligence or lack thereof the number of interfaces and their differences are a bit bewildering (but hey, my code is bewildering too). The webservices I rely on can be found in the config files under [AssetService] and [InventoryService]. E.g.<br>
AssetServerURI = "<a href="http://assets.osgrid.org" target="_blank">http://assets.osgrid.org</a>"<br>
InventoryServerURI = "<a href="http://inventory.osgrid.org" target="_blank">http://inventory.osgrid.org</a>"<br>
</blockquote>
<br></div>
This would be a really bad idea, and I'll be the first to discourage grid operators from doing this. You're basically asking grid operators to place their internal inventory services on the Internet, which would put inventories at risk. Wiping out entire inventories would be trivial. (Yes, osgrid does this, but that's because it has no choice, given its purpose and configuration)<br>
<br></blockquote><div>Any grid that allows open access to attach regions are open to this vulnerability, the security breach exists irrespective of my project. The good news is that it should be quite trivial to toughen the services. Initially I thought that the principal id used in some of the XInventory method calls were session id's, I was quite surprised that they were avatar id's.</div>
<div><br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
These services are designed to be called by the simulators *only*. They are devoid of any security or permissions checks *whatsoever*. They're basically just getters/setters for the database. That's on purpose; in a system like what we have at hand, the simulators are the ones doing the security / permissions checks, so doing them again in the backend [internal] services would be redundant.<br>
<br></blockquote><div>Yes, I was quite surprised when my research revealed this fact, it would be quite trivial to rip quite a lot of assets from the asset service. </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
That's why we have been designing other services on top of the database, the HG services, which toughen security. So pointing this to the HG services might make sense. You'll find those configs in the HG versions of the configuration files under the [LoginService] section.<div class="HOEnZb">
<div class="h5"><br></div></div></blockquote><div>Using the HG services might be a way forward in some scenarioes, but it would not alleviate the issues that non open grids face.</div><div>Currently MyInventory has two means of uploading content, the traditional UDP/CAPS methods used by traditional viewers, which has the side effect of always creating new assets just like the traditional viewer does. The second is uploading via the "internal" web-interfaces, the benefit of this is a reduction in the number of duplicate assets being created.</div>
<div><br></div><div>As things stand now, the inventory and asset servers are quite vulnerable, and this vulnerability has nothing to do with my project, but I'm definitely willing to help address these vulnerabilities, where I have detected them.</div>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="HOEnZb"><div class="h5">
______________________________<u></u>_________________<br>
Opensim-users mailing list<br>
<a href="mailto:Opensim-users@lists.berlios.de" target="_blank">Opensim-users@lists.berlios.de</a><br>
<a href="https://lists.berlios.de/mailman/listinfo/opensim-users" target="_blank">https://lists.berlios.de/<u></u>mailman/listinfo/opensim-users</a><br>
</div></div></blockquote></div><br>