OpenSim HyperGrid Name Spoofing

This bug was originally reported by me to the OpenSimulator team on 2012-03-08 as issue 5923 (private). The bug was silently fixed (without credit) in a commit not long after, however there has been no notification to grid owners about this bug or even a new minor release (it's like those post fixes branches exist for no reason). Therefore I have decided to publish this issue in its entirety to hopefully give the developers a nudge in the butt to actually start caring about security issues.

Following is the original issue submitted to the tracker, edited only slightly to remove some pointless stuff.

In the LoginAgent method of OpenSim.Services.HypergridService.GatekeeperService, there is a section of code responsible for adjusting the name of incoming Hypergrid visitors, which is supposed to transform "Test User" into "Test.User @grid.example.com", for example.

However, if the last name already begins with a @, it will skip this process entirely and allow any name in the agent circuit data, allowing the "Test User" above to spoof their name as "Test.User @secondlife.com". As you can imagine, this can be used for easy impersonation of another user.

This issue does not affect the "profile name" of a user displayed in some areas of Viewer 1.x viewers, and it won't be shown at all to users on Viewer 3 viewers.

Huzzah... again

2008? Was my last post really that long ago? Damn. I suppose I should announce stuff, but for now this confirmation of my continued existence should suffice.

Game server setup guides...considered dangerous

One of the most important parts of any software development project or server administration is documentation. In theory, people write pages and pages of this so the software or project is clearer to a person who has no experience with it, as well as making sure you know what something does when you return to it the next day.

However, there seems to be widespread neglect of documentation for game servers: outdated tutorials, dangerous advice (sometimes a disregard for basic security...), and poor explanations. In many ways you are better off figuring out the setup yourself, lest you open up your server boxen to being thoroughly rooted.

This isn't helped at all by the strange ways dedicated server binaries tend to behave. A specific example of this, for Linux HLDS: it comes with external libraries that the hlds binary must load to function. However, it makes no attempt to set the library path so you must use a workaround (setting the environment variable LD_LIBRARY_PATH to the directory hlds is located in) for it to work. If you are starting your dedicated server via init.d at system startup, there is a reason why this might be insecure if you don't pay attention when writing the script.

So in a couple of weeks (or months, or years...), I intend to set things right by correcting these mistakes and encouraging good security and basic sanity practices. Please wish me luck...

Winter Update

To some (or most) people's dismay, I am indeed still alive. Lots of stuff has happened:-

• Adkamodmkomwokrmworkomkrpqrqr,
• Rawrawrawrmoasdpeflwkompwefwefw, who cares
• Joined the Winged Tavern,
• Some more stuff happened
• Became an admin at the Winged Tavern,
• Got drunk

No More Wordpress, For Now

I'll probably be posting here for now.

Hurrah

Hello there! I may or may not be as active on here as I am on my hosted WordPress blog, but I created this one just in case my web host didn't feel like renewing my hosting next year...

"My capacity for happiness," he added, "you could fit into a matchbox without taking out the matches first" ~Marvin. (Life, the Universe and Everything, c. 9 (The Hitchhiker's Guide to the Galaxy))