Second Life Forums Archive - Gigas Servers LSL Exploit Redux

Adam Zaius

Deus

Join date: 9 Jan 2004

Posts: 1,483

07-19-2005 16:04

Hiya,

As we said earlier, we have just finished the new Gigas Item Server, Version 2.2.8 patch which addresses certain potential vunerabilities opened by the recent LSL script exploit.

We advise anyone using a Gigas server with a version number less than or equal to 2.2.7 to update your servers to 2.2.8, as soon as you can. The 2.2.8 package also includes a new vendor script, which will also need to be applied.

What this patch does:
- We've placed an new level of authentication on transfers. We've also made it easier to catch people who attempt to exploit a server object.
- We have also changed the RemoteLoadScript pin to prevent a possible intrusion exploit.
- We have also patched the webshop to be compatible with this new authentication (however unpatched servers will still work)

When a request is made through the older version of the protocol without authentication, the seller will recieve a message like follows:
"Adam Zaius attempted to purchase SecondServer Shirt from an older version vendor located in Aleph. Please confirm the user paid you, and then transfer the inventory."
The buyer will recieve a message like this:
"Thankyou for your purchase. Unfortunately, purchases from this vendor need to be manually processed by the seller. Please wait while the seller transfers the items to you. If you do not recieve a copy of your item soon, please IM the seller."

Servers and Vendors which are both on version 2.2.8 or higher will not trigger this message. This message will only be triggered by a 2.2.7 (or below) vendor trying to buy from a 2.2.8 server. This message is only triggered when 2.2.8 authentication is not present, or is not valid.

The following are links to the update server kits, and the system updater. If you currently have your server and vendor objects currently deployed, we recommend using the update kit, so you do not need to perform any configuration changes.

2.2.8 Updater Kit (For people with a server out currently)

2.2.8 Vendor Kit (For people who have deleted their server, or want to setup additional vendors.)

Myself and Nexus are also putting the finishing touches on our new Version3.0, we will be opening it up for public beta testing (which will be availible without cost for the duration of the beta test) shortly. I'll keep people posted as we get the final steps inplace. We will release a full list of new features with the beta release announcement.

-Adam

_____________________

Co-Founder / Lead Developer
GigasSecondServer

Burke Prefect

Cafe Owner, Superhero

Join date: 29 Oct 2004

Posts: 2,785

07-19-2005 16:27

Nice to know. I'll soon be setting up a Gigas (might already have one, not sure) account for my new line of items that had to be fixed since 1.6 added certain 'features'.

FlipperPA Peregrine

Magically Delicious!

Join date: 14 Nov 2003

Posts: 3,703

07-19-2005 17:07

Great work, Adam! Sorry to hear the compromise hit you a bit harder than us. I think we can all agree that these folks are the dregs of our society.

_____________________

Peregrine Salon: www.PeregrineSalon.com - my consulting company
Second Blogger: www.SecondBlogger.com - free, fully integrated Second Life blogging for all avatars!

Adam Zaius

Deus

Join date: 9 Jan 2004

Posts: 1,483

07-19-2005 17:09

From: FlipperPA Peregrine

Great work, Adam! Sorry to hear the compromise hit you a bit harder than us. I think we can all agree that these folks are the dregs of our society.

Yeah, the killer part was that at the time we wrote this, XMLRPC was too unstable to be used for anything serious (this was about a year ago). However we've moved the new Version3.0 entirely to XMLRPC, which limits this kind of hack in the future. Either way, this patch should fix the immediete problem, and let us concentrate on getting our new version out the door.

-Adam

_____________________

Co-Founder / Lead Developer
GigasSecondServer

FlipperPA Peregrine

Magically Delicious!

Join date: 14 Nov 2003

Posts: 3,703

07-19-2005 17:18

SLBoutique has pretty much completely moved away from llEmail(), save for sending the XML-RPC channels of vendors. New code which was installed this previous weekend processes all deposit in another manner, so we no longer rely on llEmail() or XML-RPC for deposits (phew!).

Regards,

-Flip

_____________________

Peregrine Salon: www.PeregrineSalon.com - my consulting company
Second Blogger: www.SecondBlogger.com - free, fully integrated Second Life blogging for all avatars!

splat1 Edison

Registerd Nut

Join date: 6 Sep 2004

Posts: 353

07-20-2005 06:52

bump

_____________________

Splat Soft - We exsist in the RL to!
Gigas Bunny (Mule)
####
You see, our experts describe you as an appallingly dull fellow, unimaginative, timid, lacking in initiative, spineless, easily dominated, no sense of humour, tedious company and irrepressibly drab and awful. And whereas in most professions these would be considerable drawbacks, in chartered accountancy they are a positive boon.

Gigas Servers LSL Exploit Redux
Adam Zaius Deus Join date: 9 Jan 2004 Posts: 1,483	07-19-2005 16:04 Hiya, As we said earlier, we have just finished the new Gigas Item Server, Version 2.2.8 patch which addresses certain potential vunerabilities opened by the recent LSL script exploit. We advise anyone using a Gigas server with a version number less than or equal to 2.2.7 to update your servers to 2.2.8, as soon as you can. The 2.2.8 package also includes a new vendor script, which will also need to be applied. What this patch does: - We've placed an new level of authentication on transfers. We've also made it easier to catch people who attempt to exploit a server object. - We have also changed the RemoteLoadScript pin to prevent a possible intrusion exploit. - We have also patched the webshop to be compatible with this new authentication (however unpatched servers will still work) When a request is made through the older version of the protocol without authentication, the seller will recieve a message like follows: "Adam Zaius attempted to purchase SecondServer Shirt from an older version vendor located in Aleph. Please confirm the user paid you, and then transfer the inventory." The buyer will recieve a message like this: "Thankyou for your purchase. Unfortunately, purchases from this vendor need to be manually processed by the seller. Please wait while the seller transfers the items to you. If you do not recieve a copy of your item soon, please IM the seller." Servers and Vendors which are both on version 2.2.8 or higher will not trigger this message. This message will only be triggered by a 2.2.7 (or below) vendor trying to buy from a 2.2.8 server. This message is only triggered when 2.2.8 authentication is not present, or is not valid. The following are links to the update server kits, and the system updater. If you currently have your server and vendor objects currently deployed, we recommend using the update kit, so you do not need to perform any configuration changes. 2.2.8 Updater Kit (For people with a server out currently) 2.2.8 Vendor Kit (For people who have deleted their server, or want to setup additional vendors.) Myself and Nexus are also putting the finishing touches on our new Version3.0, we will be opening it up for public beta testing (which will be availible without cost for the duration of the beta test) shortly. I'll keep people posted as we get the final steps inplace. We will release a full list of new features with the beta release announcement. -Adam _____________________ Co-Founder / Lead Developer GigasSecondServer
Burke Prefect Cafe Owner, Superhero Join date: 29 Oct 2004 Posts: 2,785	07-19-2005 16:27 Nice to know. I'll soon be setting up a Gigas (might already have one, not sure) account for my new line of items that had to be fixed since 1.6 added certain 'features'.
FlipperPA Peregrine Magically Delicious! Join date: 14 Nov 2003 Posts: 3,703	07-19-2005 17:07 Great work, Adam! Sorry to hear the compromise hit you a bit harder than us. I think we can all agree that these folks are the dregs of our society. _____________________ Peregrine Salon: www.PeregrineSalon.com - my consulting company Second Blogger: www.SecondBlogger.com - free, fully integrated Second Life blogging for all avatars!
Adam Zaius Deus Join date: 9 Jan 2004 Posts: 1,483	07-19-2005 17:09 From: FlipperPA Peregrine Great work, Adam! Sorry to hear the compromise hit you a bit harder than us. I think we can all agree that these folks are the dregs of our society. Yeah, the killer part was that at the time we wrote this, XMLRPC was too unstable to be used for anything serious (this was about a year ago). However we've moved the new Version3.0 entirely to XMLRPC, which limits this kind of hack in the future. Either way, this patch should fix the immediete problem, and let us concentrate on getting our new version out the door. -Adam _____________________ Co-Founder / Lead Developer GigasSecondServer
FlipperPA Peregrine Magically Delicious! Join date: 14 Nov 2003 Posts: 3,703	07-19-2005 17:18 SLBoutique has pretty much completely moved away from llEmail(), save for sending the XML-RPC channels of vendors. New code which was installed this previous weekend processes all deposit in another manner, so we no longer rely on llEmail() or XML-RPC for deposits (phew!). Regards, -Flip _____________________ Peregrine Salon: www.PeregrineSalon.com - my consulting company Second Blogger: www.SecondBlogger.com - free, fully integrated Second Life blogging for all avatars!
splat1 Edison Registerd Nut Join date: 6 Sep 2004 Posts: 353	07-20-2005 06:52 bump _____________________ Splat Soft - We exsist in the RL to! Gigas Bunny (Mule) #### You see, our experts describe you as an appallingly dull fellow, unimaginative, timid, lacking in initiative, spineless, easily dominated, no sense of humour, tedious company and irrepressibly drab and awful. And whereas in most professions these would be considerable drawbacks, in chartered accountancy they are a positive boon.

Welcome to the Second Life Forums Archive

Gigas Servers LSL Exploit Redux