Security vulnerability brought by non-check inventory service

From OpenSimulator

Revision as of 22:42, 11 August 2008 by Lulurun (Talk | contribs)

Jump to: navigation, search

User:Lulurun

Contents

Agenda

To enable user avatar travel from a grid service to another grid service, There are 3 problems to be considered:

  1. How to enable foreign user login - Authentication
  2. (If a foreign user can login)How to get a foreign user's belongings(including appearance, inventory)
  3. Security
    • This is discussed in this page

To achieve the 1st, client side changes are needed. SO, so far, I have only implemented the 2nd and the 3rd, and would like to explan my idea:

Problem

With the following conditions, one can simply take over the full control(CRUD) of other user's inventory.

  1. InventoryServer is exposed to the public.
  2. user's UUID is given

Simply describe in the following figure:

  • InventoryServer is a normal http server, the normal way to use it is:
    • user get the authentication from UserServer
    • user control its inventory through RegionServer
  • But since the InventoryServer accepts any request without check if the user is authenticated, or, even it does not check if the request is from a RegionServer.
  • So, if you know other users' UUID, you can send CRUD http requests directly to the InventoryServer without login.

Secure inventory 1.PNG

And AvatarPortability needs a public inventory server, so we have to make a secure one.

Solution

  • every inventory operation packet contains a "session_id" field, but it is never used.
  • so, a secure inventory service could be like this

Secure inventory 2.PNG

  • "session_id" is a important information, that is(should be) only transfered in a login session.
    • "expect_user" transfer "session_id" from UserServer to RegionServer only when the authentication is OK, so "expect_user" is safe.
    • method, such like "get_agent_by_uuid" is very dangerous.

Configuration

RegionServer side

  • in OpenSim.ini, [Network] section,
inventory_server_url = http://127.0.0.1:8004
secure_inventory_server = true / false
  • if the inventory server specified by "inventory_server_url" is a "secure" inventory server,set "secure_inventory_server = true", then inventory request from the regionserver will not be attached a session_id
  • else, set secure_inventory_server = false, in this case, session_id is attached with every inventory request.
    • This option is only useful when you want your regionserver to connect to a old inventoryserver - an inventory server do not expect a session_id.

InventoryServer side

  • in InventoryServer_Config.xml,
session_lookup = true / false
(* for the session_lookup please also refer the above picture.)
  • if you want inventory server to validate the incoming session_id, set session_lookup = true
  • else, set session_lookup = false
    • this makes inventory server accept any request, just like before.

*NOTE*

  • no matter session_lookup is true or false, new inventoryserver requires session_id in every inventory request. if you want your regionserver to connect to a new inventoryserver, you should always set secure_inventory_server = true in OpenSim.ini.
  • here new inventoryserver means inventoryserver after svn revision 5600.
General
About This Wiki