Re: [MobProg] Major Security Hole!!! Oct 7, 97 09:34:44 pm

From: Andrew Helm (ashe@IGLOU.COM)
Date: 10/08/97


>
> Ok folks, if you are using MobProgs, you should be aware of a MAJOR
> security hole.

<TONGUE IN CHEEK>
This is not a security hole. It's a feature. When you say it's a security
hole you're suggesting it should be fixed. However, some people may
want this behavior of MobProgs. Anyhow, we all know it's proper to
change the policy not recode MobProgs. Policy not code... you can't
code ethics.
</TONGUE IN CHEEK>

> One small bug in MobProgs is that MPFORCE does NOT check if you are an
> imm, and so forces you to do the command, regardless.  This can have some
> devastating consequences... also because it doesn't just have to be a
> mobprog that does it.  An imm can force a mob to mpforce you to do
> whatever.
>
> Using this, an imm could force a mob to mpforce you to change your
> password, advance them to implementor level, demote yourself, or anything
> else they desire.
>
> To fix this, just put a check if the victim of an mpforce (if using
> ROM2.4-MobProgs, mpvforce and mpgforce also) is an imm.


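
The check proposed in the quoted post, sketched as an added example; it is not part of the original thread and is not code from CircleMUD or the MobProg patch. The `char_data` layout, the `LVL_IMMORT` value and the function names `force_exempt`, `mpforce_one` and `mpforce_many` are stand-ins chosen for illustration, and the command interpreter is replaced by a stub that only records the command.

```c
#include <stddef.h>
#include <string.h>

/* Stand-in types and constants: assumptions for this sketch only. */
#define LVL_IMMORT 31            /* assumed immortal threshold */

struct char_data {
    const char *name;
    int level;
    int is_npc;
    char last_cmd[64];           /* what the character was last forced to run */
};

/* An immortal player is never a valid target of a forced command. */
static int force_exempt(const struct char_data *vict) {
    return !vict->is_npc && vict->level >= LVL_IMMORT;
}

/* Stub for the command interpreter: records the command instead of running it. */
static void run_command(struct char_data *ch, const char *cmd) {
    strncpy(ch->last_cmd, cmd, sizeof(ch->last_cmd) - 1);
    ch->last_cmd[sizeof(ch->last_cmd) - 1] = '\0';
}

/* Single-target force: returns 1 if the command ran, 0 if it was refused. */
int mpforce_one(struct char_data *mob, struct char_data *vict, const char *cmd) {
    if (mob == NULL || vict == NULL || cmd == NULL || vict == mob)
        return 0;
    if (force_exempt(vict))      /* the check the post asks for */
        return 0;
    run_command(vict, cmd);
    return 1;
}

/* Multi-target variants need the same check on every target, not once per
 * call; routing each target through mpforce_one guarantees that. */
int mpforce_many(struct char_data *mob, struct char_data **targets, size_t n,
                 const char *cmd) {
    int forced = 0;
    for (size_t i = 0; i < n; i++)
        forced += mpforce_one(mob, targets[i], cmd);
    return forced;
}

int main(void) {
    struct char_data mob = {"guard", 10, 1, ""};   /* constructed sample data */
    struct char_data imm = {"imm", 34, 0, ""};
    return mpforce_one(&mob, &imm, "say hello");   /* 0: immortal is exempt */
}
```

Putting the exemption in one helper that every force path calls keeps the single-target and multi-target commands from drifting apart when one of them is patched and the others are forgotten.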