MOO-cows Mailing List Archive

Re: Logging and Security Hole.

Date: Tue, 30 Jan 1996 09:34:45 PST
From:
Quinn <quinn@vv.com>
Cc: Robert Lance Milby <NStalker@tory.adsnet.com>, moo-cows@parc.xerox.com
Content-Type: text/plain; charset="us-ascii"


        This is possible on some MOOs by using %(email_address) in a
pronoun_sub'd message.  I don't recall how security on $string_utils is
right now, and LambdaMOO is lagged so I'm not gonna bother checking before
posting this, but if a wiz-owned verb calls it any property could
conceivably be accessed via pronoun_sub.

        A safe way to fix it is to:

        @chown $string_utils:pronoun_sub $hacker
        @chown $string_utils:_cap_property $hacker

        I don't *think* they rely on any wizardly mumbo-jumbo to do what
they do, though it's probably convenient for the caller to be able to access
his own (otherwise unreadable) properties, so bear that in mind.

-Quinn
-http://www.vv.com/~quinn/


At 08:43 AM 1/30/96 PST, Seth I. Rich wrote:
>>Ok, here's the problem, about a month ago we had a guest log in and using 
>>a loop hole in our Core DB (LambdaCore-1Oct94.db) to get email addresses 
>>for different players... As far a I can tell we have no players from this 
>>site that the guest logged in from.  Is this a known loop-hole with a 
>>patch or just some guy who happened to know a few players from other 
>>sites and thier email makeing me paranoid..  He said it was an easy fix 
>>but didn't give us any more info than that..  I have no clue how he did 
>>it, but would like to know..  
>
>Uh.  I would like to know as well.  Do you have any information, any
>evidence (any reason to believe this is a true claim he made)?

Prev: Re: Logging and Security Hole.
Next: RE: Logging and Security Hole.
Index: MOO-cows
Thread: MOO-cows

Home | Subject Index | Thread Index