MOO-cows Mailing List Archive


Re: Logging and Security Hole.

        This is possible on some MOOs by using %(email_address) in a
pronoun_sub'd message.  I don't recall how security on $string_utils is
right now, and LambdaMOO is lagged so I'm not gonna bother checking before
posting this, but if a wiz-owned verb calls it any property could
conceivably be accessed via pronoun_sub.

        A safe way to fix it is to:

        @chown $string_utils:pronoun_sub $hacker
        @chown $string_utils:_cap_property $hacker

        I don't *think* they rely on any wizardly mumbo-jumbo to do what
they do, though it's probably convenient for the caller to be able to access
his own (otherwise unreadable) properties, so bear that in mind.


At 08:43 AM 1/30/96 PST, Seth I. Rich wrote:
>>Ok, here's the problem, about a month ago we had a guest log in and using 
>>a loop hole in our Core DB (LambdaCore-1Oct94.db) to get email addresses 
>>for different players... As far a I can tell we have no players from this 
>>site that the guest logged in from.  Is this a known loop-hole with a 
>>patch or just some guy who happened to know a few players from other 
>>sites and thier email makeing me paranoid..  He said it was an easy fix 
>>but didn't give us any more info than that..  I have no clue how he did 
>>it, but would like to know..  
>Uh.  I would like to know as well.  Do you have any information, any
>evidence (any reason to believe this is a true claim he made)?

Home | Subject Index | Thread Index