MOO-cows Mailing List Archive


Re: Security... and stuff

On Thu, 18 Jul 1996, Richard Godard wrote:

> At 10:54 -0800 7/18/96, Seth I. Rich wrote:
> >This is, in fact, true.  Up to LambdaMOO 1.8, it was guaranteed that a !x
> >command was executed by "player".  LambdaMOO 1.8 introduced a server builtin
> >called `force_input()' which now allows wizards to "spoof" commands by other
> >players in an undetectable fashion.
> Note: wizard and the player itself... which introduce a whole range of new
> and fancy security holes.... enjoy :)

Not just security holes.. Allowing players to call ;force_input on
themselves allows them to create a new kind of forkbomb, a hard to find
one. make a verb that calls force_input on yourself, calling that verb.
(Call force_input only once if you just want to see if it works, call it
twice or more if you want to see what happens to the server) You can't see
it in the forked list, and i don't think there is a way to kill the tasks
(yet ?) from within the server...



Home | Subject Index | Thread Index