MOO-cows Mailing List Archive
Re: Security... and stuff
At 10:54 -0800 7/18/96, Seth I. Rich wrote:
>>Just wondering, but I know of people who /insist/ that it's not even okay to
>>have a permission check using 'player' in a -x, command line verb. There
>>isn't any way to hack the player variable in a -x verb is there? What are
>>they talking about?
>This is, in fact, true. Up to LambdaMOO 1.8, it was guaranteed that a !x
>command was executed by "player". LambdaMOO 1.8 introduced a server builtin
>called `force_input()' which now allows wizards to "spoof" commands by other
>players in an undetectable fashion.
Note: wizard and the player itself... which introduce a whole range of new
and fancy security holes.... enjoy :)
Subject Index |