[MobProg] Major Security Hole!!!

From: Chris Jacobson (fear@ATHENET.NET)
Date: 10/07/97


Ok folks, if you are using MobProgs, you should be aware of a MAJOR
security hole.

One small bug in MobProgs is that MPFORCE does NOT check if you are an
imm, and so forces you to do the command, regardless.  This can have some
devastating consequences... also because it doesn't just have to be a
mobprog that does it.  An imm can force a mob to mpforce you to do
whatever.

Using this, an imm could force a mob to mpforce you to change your
password, advance them to implementor level, demote yourself, or anything
else they desire.

To fix this, just put a check if the victim of an mpforce (if using
ROM2.4-MobProgs, mpvforce and mpgforce also) is an imm.

- Chris Jacobson
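
The check described in the post, as an added example (not code from the original message or from the MobProgs patch). It is a self-contained model: the struct, the LVL_IMMORT value, the stand-in command_interpreter and the room-wide do_mpforce_all variant are all assumptions made for illustration. The point it shows is that the immortal check belongs in one guard that every force path calls.

```c
#include <stdio.h>
#include <string.h>

#define LVL_IMMORT 31              /* assumed immortal threshold for this model */

struct char_data {
    const char *name;
    int level;
    int is_npc;
    char last_cmd[64];             /* records what the character was made to run */
};

/* Stand-in for the MUD's command interpreter: it only records the command. */
static void command_interpreter(struct char_data *ch, const char *cmd) {
    snprintf(ch->last_cmd, sizeof ch->last_cmd, "%s", cmd);
}

/* The missing check: a player character at immortal level or above is never forced. */
static int mpforce_allowed(const struct char_data *victim) {
    if (victim == NULL) return 0;
    if (!victim->is_npc && victim->level >= LVL_IMMORT) return 0;
    return 1;
}

/* Model of the mpforce handler. Returns 1 if the victim was forced, 0 if refused. */
static int do_mpforce(struct char_data *mob, struct char_data *victim, const char *cmd) {
    if (mob == NULL || !mob->is_npc) return 0;   /* assumed: only mobs run mp commands */
    if (!mpforce_allowed(victim)) return 0;      /* applies however the mob was triggered */
    command_interpreter(victim, cmd);
    return 1;
}

/* Hypothetical room-wide variant: the same guard runs per victim. Returns count forced. */
static int do_mpforce_all(struct char_data *mob, struct char_data **room, int n, const char *cmd) {
    int forced = 0;
    for (int i = 0; i < n; i++)
        if (room[i] != mob) forced += do_mpforce(mob, room[i], cmd);
    return forced;
}

int main(void) {
    struct char_data mob = {"guard", 10, 1, ""};           /* constructed sample data */
    struct char_data imp = {"Implementor", 34, 0, ""};
    struct char_data newbie = {"Newbie", 3, 0, ""};
    struct char_data *room[] = {&mob, &imp, &newbie};
    printf("forced: %d\n", do_mpforce_all(&mob, room, 3, "say hello"));
    printf("imm ran: '%s'\n", imp.last_cmd);
    return 0;
}
```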

