Horrible!! somebody able to add a malicious item to any boxes in my store!!!

Now, my freebie store has been attacked by somebody via a ugly horrible way. The whole thing happened very strange:
A girl who own an island and sell skins told me that she got a diamond ring from my store, the ring harassing her. But I have not got such item before. Then, a boy, her friend told me that two items listed in my store were stolen by someone from their store. so I removed the two items. Today, the boy asked me where the melicious item is in my store. When I checked freebies boxes, many boxes has the melicious item named " Free Jewelry and Shoes". I find these items are all aquired by today, and without creator name, but show my name as owner. I have never added such items in the boxes. It seems that sombody do this ugly thing to ruin my store. The boy sent me the item, I declined but it appeared in my inventory. The boy asked me to delete all the items in the store, I need proof and do not do as he asked. I tp to help land to looking for a Linden, when I backed, the boy and the girl have called a Linden. THe linden employee promised me to investigate the whole thing and delete the malicious items from LL database.

I wondered who has the ability to add malicious item in any members' box, is it a big bug of SL, or a hack ?

This can be done using the llAllowInventory drop function
http://www.lslwiki.net/lslwiki/wakka.php?wakka=llAllowInventoryDrop

However, it would have to be set to True within a script within the object.

Are your freebie givers scripted?

Wow, you didn't once mention The Terms of Service in that post. You feeling OK?

Stupid question, maybe - but have you given permission to others to edit your freebie givers?

I have not set the Drop True in my boxes, The freebies boxes has no giver scripts, only hover text scrpts in boxes

I have no given any permisson to edit my items to anybody, thanks for your question.

Well.. that sounds like one heck of a bug. Did the Linden have an answer for it, besides deleting the malicious objects?

I can't see how they could have done it, unless.. well, do you have your auto return turned on and set for a reasonably short amount of time?

Ha ha! Does your milking machine ever get detached or is part of your job?

Nope. it runs 24/7. It's solar powered, with hot air backup.

may want to check your hovertext script... most of the 'freebie' hovertext scripts also turn on inventorydrop

That's pretty damned lame... I can see no good reason to include inventorydrop with hovertext. Sort of like a back door in plain sight, eh?

.

I can, when it's used to take donations for raffles or if there is a build contest going on and the host wants them to be able to submit their projects without having to be there.

But if that's the case, then a closer look at the script would prove whether that was the case or not. I'd rather it be that then a major bug of this nature!

No kidding! One thing, though: I don't think llAllowInventoryDrop(TRUE) has to be in an active script, but rather it has to have been executed in the prim at some point. I'd rather find a non-owner to try to control-drag a texture or something onto the box and see if the box highlights red and the item goes into the box's inventory.

True, I keep forgetting that some attributes become a part of the prim even after they are removed. And yes, I'd rather find that it was this kind of thing, rather than it being a bug.. *shudders*

I still don't see any point in putting the two features together in a freebie hovertext sample script. It makes far more sense to me to make them both seperate, *especially* since someone using freebie scripts is less likely to know that the llAllowInventoryDrop call is unecessary for floating text.

Agreed that I'd rather it be a problem with the scripts than a bug! I recently discovered that it was possible to appear to rename the inventory in someone else's attachments, and I was totally alarmed!!! Turned out that it only *appears* that you can do so, it doesn't actually rename the attachment's inventory

.

all script in my boxes is that "
default
{
state_entry()
{
llAllowInventoryDrop(TRUE);
llSetText("Freebie Box ", <0,0.9,0.2>, 1);

}
}

I set the box to for sale at L$0 and sell contents.
Although the text include llAllowInventoryDrop(TRUE); but how the person add these malicious items into my boxes?
thank you very much Dragon

I can see by your posted script the Allow inventory drop is incuded and set to true.
From what the others are saying that is how he was able to add this into your boxes.
This is a great thread! I am going to run over to my freebie shop and check all my floating scripts to make sure it's not included so this won't happen in my store.
I'm sure someone knowledgable in scripts can tell you how to fix it in yours, as for me Ill just dig out a script that doesn't include this line and drop it in the boxes.

Thx OP for posting this and thx forum dwellers for having an answer that benifits everyone!

The llAllowInventoryDrop(TRUE) allows people to drop items into your objects, rather than just take them out. It might end when you remove the line from the script. To do that, simply set the thing to FALSE and save. Then go back and delete it. (I could be wrong, but I think I've done this for it to work!)

Yes, do NOT just delete that line from the script! You MUST change it to say "llAllowInventoryDrop(FALSE);" and save the script first or the boxes will still allow others to drop items into it- even if you delete the script altogether.

i believe if you see this line:
llAllowInventoryDrop(TRUE);
it is actually better to change it to false rather than deleting the script and replacing it in the same prim.

Just to re-iterate what others have posted, one really needs to run a script in the prim that does something like

default { state_entry() { llAllowInventoryDrop(FALSE); } }

Both the hover text and the inventory drop ability are persistent properties of the prim, so no script has to remain in the object for them both to remain in effect. (In fact, it's good practice to remove these scripts after they've run, just to cut down on script count in the sim. Yes, they aren't doing anything, but they do actually use a little bit of processing, even when idle in the "running" state.)

In brief, a prim with no script in its current inventory may still be vulnerable if such a script ever executed in that prim.

I did not know that, I best make sure my hove text scripts are not like that

This is good to know. I've got some objects I need to check

Sorry to hear this happened to you, Doning. I hope it's not too much of a hassle for you to clear up. At least some people (including me!) have learned about it and how to fix it.

Thx again! Persistant properties grrrr. Man I miss the days of punching holes in a shoebox full of cards to program a room sized computer to play tic-tac-toe! lol

thank you very much Raudf Fox.