Re: [code] switch bug (sort of)

From: George (greerga@DRAGON.HAM.MUOHIO.EDU)
Date: 10/07/97


On Tue, 7 Oct 1997, Kenneth G. Cavness wrote:

>1. You make it seem like a bug; it's not. It's not even a logical error.
>   It's clear that when switched into another player, you _become_ that
>   player. Did you know that you could also get that player killed? Or as
>   that player tell someone something that that player did not actually say,
>   though make it sound like they did? Or listen to other people perhaps tell
>   you things that are private?

Bravo.

>3. Your heavy-handed, arrogant method of describing this whole "security
>   flaw" prompted strong reactions in others. You list it as a "fact" that
>   it's a bug -- in fact, the entire thing with being able to switch into
>   other players is one huge security hole and anyone choosing to use it had
>   already better have a damn good reason for using it. It's not just
>   limited to mail. You tell other people "Fix it" -- before you so
>   graciously say "fix it or no, I don't care".

I don't even see how it is a security hole since only *implementors* can do
it and if you don't trust someone enough to not do that (for a good
reason), why are they an implementor on your MUD? (and of course,
implementor (usually) implies access to the source code in which case they
could probably just read the mail file anyway.)


Great response, Kenneth.

--
George Greer  -  Me@Null.net   | Genius may have its limitations, but stupidity
http://www.van.ml.org/~greerga | is not thus handicapped. -- Elbert Hubbard


     +------------------------------------------------------------+
     | Ensure that you have read the CircleMUD Mailing List FAQ:  |
     | http://democracy.queensu.ca/~fletcher/Circle/list-faq.html |
     +------------------------------------------------------------+



This archive was generated by hypermail 2b30 : 12/08/00 PST