MOO-cows Mailing List Archive
Re: Logging and Security Hole.
This is possible on some MOOs by using %(email_address) in a
pronoun_sub'd message. I don't recall how security on $string_utils is
right now, and LambdaMOO is lagged so I'm not gonna bother checking before
posting this, but if a wiz-owned verb calls it any property could
conceivably be accessed via pronoun_sub.
A safe way to fix it is to:
@chown $string_utils:pronoun_sub $hacker
@chown $string_utils:_cap_property $hacker
I don't *think* they rely on any wizardly mumbo-jumbo to do what
they do, though it's probably convenient for the caller to be able to access
his own (otherwise unreadable) properties, so bear that in mind.
At 08:43 AM 1/30/96 PST, Seth I. Rich wrote:
>>Ok, here's the problem, about a month ago we had a guest log in and use
>>a loophole in our Core DB (LambdaCore-1Oct94.db) to get email addresses
>>for different players... As far as I can tell we have no players from this
>>site that the guest logged in from. Is this a known loophole with a
>>patch or just some guy who happened to know a few players from other
>>sites and their email making me paranoid.. He said it was an easy fix
>>but didn't give us any more info than that.. I have no clue how he did
>>it, but would like to know..
>Uh. I would like to know as well. Do you have any information, any
>evidence (any reason to believe this is a true claim he made)?
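
The permission effect of the @chown fix described in the reply above, as an added example that is not part of the original post and is not LambdaCore code. It is a simplified Python model: the object number "#2", the player data and the "<E_PERM>" marker are constructed, and the read check (wizard, property owner, or readable bit) is the assumed rule.

```python
import re
from dataclasses import dataclass, field

@dataclass
class Prop:
    value: str
    owner: str       # who owns the property
    readable: bool   # models the property's 'r' bit

@dataclass
class Obj:
    name: str
    props: dict = field(default_factory=dict)

WIZARDS = {"#2"}     # constructed wizard object number
HACKER = "$hacker"   # the non-wizard owner named in the post

def can_read(perms: str, prop: Prop) -> bool:
    """Assumed read rule: wizard, property owner, or 'r' bit set."""
    return perms in WIZARDS or perms == prop.owner or prop.readable

def pronoun_sub(text: str, who: Obj, verb_owner: str) -> str:
    """Expand %(prop) from `who`; reads are checked against the verb's
    owner, not against whoever supplied the message text."""
    def expand(match):
        prop = who.props.get(match.group(1))
        if prop is None:
            return match.group(0)      # unknown property: leave as-is
        if not can_read(verb_owner, prop):
            return "<E_PERM>"          # constructed marker for a denied read
        return prop.value
    return re.sub(r"%\((\w+)\)", expand, text)

# Constructed sample player with an unreadable email_address property.
victim = Obj("Alice", {
    "name": Prop("Alice", "#2", True),
    "email_address": Prop("alice@example.org", "#2", False),
})
MSG = "%(name) is at %(email_address)"

def demo():
    """Same message, wizard-owned verb vs. verb chowned to $hacker."""
    return (pronoun_sub(MSG, victim, "#2"),
            pronoun_sub(MSG, victim, HACKER))

if __name__ == "__main__":
    for line in demo():
        print(line)
```

In this model the $hacker-owned verb also refuses a caller's own unreadable properties, which is the trade-off the reply mentions.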