Welcome to the Second Life Forums Archive


Fast Pay "Exploit"

Jillian Callahan
Rotary-winged Neko Girl
Join date: 24 Jun 2004
Posts: 3,766
04-27-2006 16:33
From: Draco18s Majestic
This would be a potential problem for things that should be sold at the same price (avatars, different shirt designs, etc.), however, if you should charge (say) L$200 for an item (and there's 4 of them), Fast Pay it for 200, 201, 202, and 203, and then pay back the amount that the person "overpaid" in order to do the amount check.
I think Eloise meant for those who can't access the script.

Anyway, I think it's just a tad easier to keep track of the last agent UUID to click the vendor and if payment is received, check to see if it's from that UUID and if not, confirm the sale with a dialog box or just pay 'em back with a "for your safety" message.

Now, you could expand on that too... lists containing an agent UUID, item selected, price and when they pay that's what's checked, so several folks can use the vendor at once. But then I think that's just overkill. Luskwood has it about right...
_____________________
Draco18s Majestic
Registered User
Join date: 19 Sep 2005
Posts: 2,744
04-27-2006 17:44
If you can access the script, then you can't do much but straight alter the prices. :-\
Besides, there are plenty of free vendor scripts out there with full script permissions. If anyone wants one, hit the FurNation Skymall, I believe there is a box near the 'entrance' that has it ("Free to Copy Lag Free Vendor" or something like that). It has a number of sales tracking functions and it's only 8 or 9 prims (I also modded the heck out of it to track more than 10 sales and offer those scripts for free up on the third floor).
Jonas Pierterson
Dark Harlequin
Join date: 27 Dec 2005
Posts: 3,660
04-27-2006 18:52
If you can't alter the scripts, try putting one, two, three, or four (etc) sldollars in the box with the item (the box the vendor gives out). This lets you balance out cost; unfortunately the sldollars are no copy, so that's only workable for limited editions.
_____________________
Good freebies here and here

I must protest. I am not a merry man! - Worf, ST: TNG, episode: Qpid

You killed my father. Prepare to die. - Inigo Montoya, The Princess Bride

You killed my father. Your a-- is mine! - Hellboy
Adriana Caligari
Registered User
Join date: 21 Apr 2005
Posts: 458
04-28-2006 02:20
From: Strife Onizuka

Adriana you're trolling.



From a moderator I find this statement absurd.

READ the thread - you will see I was REPLYING as you do in a FORUM.

I did not start the thread - I replied to it - I will no doubt not end the thread as I promised myself not to REPLY to it again.

However being accused of TROLLING by someone who should know better has made me angry enough to REPLY to it again.
Selador Cellardoor
Registered User
Join date: 16 Nov 2003
Posts: 3,082
04-28-2006 02:30
Strife,

As a moderator, your remark was absolutely uncalled for.

Adriana has been throughout this thread trying to be helpful and impart useful information. She has not been trolling, and your remark is rude and unpleasant.

I would suggest an immediate apology.
_____________________
Haravikk Mistral
Registered User
Join date: 8 Oct 2005
Posts: 2,482
04-28-2006 03:23
From: Haravikk Mistral
To do that I think you'd need a money_start(integer x) event or some-such

Just to note I stuck a thread about this in feature suggestions here
Lex Neva
wears dorky glasses
Join date: 27 Nov 2004
Posts: 1,361
04-28-2006 09:34
From: Adriana Caligari
From a moderator I find this statement absurd.

READ the thread - you will see I was REPLYING as you do in a FORUM.

I did not start the thread - I replied to it - I will no doubt not end the thread as I promised myself not to REPLY to it again.

However being accused of TROLLING by someone who should know better has made me angry enough to REPLY to it again.


Let's just make things clear here -- You're telling people "I know something you don't know", over and over. You're telling scripters this, the people who can do a lot of work to fix the problem that you seem to know. You're lording it over us. You're dangling a carrot in front of our faces. You're telling us that there's some kind of horrible exploit out there, but you're not telling us enough details to fix it. That's the kind of thing that makes people like us lose sleep at night.

And no matter how much we beg you for more information, you pull a "Oops, I've said too much" act and clam up. That's unacceptable. You've only accomplished making a lot of people angry. If you never intended to give any details, you shouldn't have hinted at them. In that respect, all you've accomplished is to spark some pretty heated posts.

There's plenty of experience out in the wilds of the internet that shows that full disclosure is the way to prevent serious damage in a situation like this. Otherwise, only a few people will know how the exploit works, and if a sufficiently evil person learns, they can organize a wide-scale misuses of the exploit. At this point, if that happens, my feeling is that you will be in some degree ethically responsible for the damage, because you held back the information that would have helped us prevent the damage before it was inflicted. As it stands now, all we know is that SOMETHING is wrong. What do we do, take our vendors offline?

Certainly some evil people may read your explanation here... but a lot of good people will, because you've most definitely got our attention now. If linden lab has specifically asked you to be quiet, let us know. Otherwise, I urge you to tell us what you know so that we can start to mitigate the damage. If you don't tell us, evil people will find out anyway, and we'll be at their mercy because we didn't know how to fix the exploit.
Adriana Caligari
Registered User
Join date: 21 Apr 2005
Posts: 458
04-28-2006 12:39
From: Lex Neva
What do we do, take our vendors offline?


No

You ask Linden Labs - their system - their bug - they have already acknowledged it in open forum.

Ask them to disclose it - and see if you get a different answer than mine.


edit
When Linden come looking at this post in answer to the question below they can refer to their own reply regarding it
/139/49/102466/1.html
Thank you to someone for actually asking the correct people
(ps I do not work for JEVN)
Yumi Murakami
DoIt!AttachTheEarOfACat!
Join date: 27 Sep 2005
Posts: 6,860
04-28-2006 13:51
If I'm correct, I think Adriana mentioned that the exploit she's found can be fixed by checking the amount paid, same as the "switch items" exploit - is that right?
Ordinal Malaprop
really very ordinary
Join date: 9 Sep 2005
Posts: 4,607
04-28-2006 14:04
From: Adriana Caligari
No

You ask Linden Labs - their system - their bug - they have already acknowledged it in open forum.

Ask them to disclose it - and see if you get a different answer than mine.

Fine.

I have.

/139/f7/103151/1.html#post1008892

Let's see what they say.
Adriana Caligari
Registered User
Join date: 21 Apr 2005
Posts: 458
04-28-2006 14:52
From: Yumi Murakami
If I'm correct, I think Adriana mentioned that the exploit she's found can be fixed by checking the amount paid, same as the "switch items" exploit - is that right?


Yes that is correct - I said that several pages ago.
MC Seattle
Registered User
Join date: 3 Apr 2006
Posts: 63
04-28-2006 15:52
From: Adriana Caligari
Yes that is correct - I said that several pages ago.


Then you have a funny way of defining an exploit in LSL, that is a lot different than how most programmers would define it.

* A script is only vulnerable if it completely disregards how much money it was actually paid and essentially hands out items blindly *

Someone made this ridiculous mistake in their code, and Linden Labs was blamed for it? Why don't we go ahead and blame Bjarne Stroustrup because C++ doesn't automatically check for buffer overflows? Let's blame Microsoft when we get an array out of bounds exception, or blame Linus Torvalds because someone set the permissions wrong on their web server and got hacked. Does LL need a disclaimer now that "We are not responsible for poorly thought out code that handles money?"


It's good that this thread was started to show a common mistake someone might make in hopes that it won't be repeated, and to raise awareness so all the current vendor authors can check their code, but if a script is not checking how much it was paid before doing ANYTHING regarding money that has nothing to do with LL.
Joannah Cramer
Registered User
Join date: 12 Apr 2006
Posts: 1,539
04-28-2006 16:18
From: MC Seattle
Then you have a funny way of defining an exploit in LSL, that is a lot different than how most programmers would define it.

However, seeing how the response from Linden was along the lines of "we are aware of this bug and will fix it ASAP" instead of "it's not an exploit and not our problem if 3rd party scripters write dumb code" ... I'd say there might be more to it than it'd appear at first glance. In the sense there actually is something happening here that goes beyond just silly scripters and their silly code.
Yumi Murakami
DoIt!AttachTheEarOfACat!
Join date: 27 Sep 2005
Posts: 6,860
04-28-2006 17:24
From: Adriana Caligari
Yes that is correct - I said that several pages ago.


Ok, well that's reassuring.

Just one point though: if that's the case, posting it couldn't do any harm, because any vendor that's vulnerable to it, is also vulnerable to the "click pay - change item - click OK" exploit that has already been posted on this thread. Unless you're saying it would affect single item vendors?
Ziggy Puff
Registered User
Join date: 15 Jul 2005
Posts: 1,143
04-28-2006 17:41
That's how I'm reading it. Single price vendor, so scripter thinks "there's no need to check since there will never be a different price coming in", but there is some way to get a different price in there. Especially since Kelly Linden's response said something to the effect of "llSetPayPrice changes the UI, it does not guarantee that the correct amount will be paid". And since Kelly declined to comment on it... I think at this point I give Adriana the benefit of the doubt, and believe that there is a 'real exploit' here somewhere. And I have a couple of ideas that I'll try out soon to see if I can expose the exploit :)

But at the end, it just reinforces the defensive programming idea - always check the amount received, no matter how safe you think it is. Not doing that is lazy programming, IMO. It adds all of 3 lines of code.
Talarus Luan
Ancient Archaean Dragon
Join date: 18 Mar 2006
Posts: 4,831
04-28-2006 21:17
Well, the way I read it is that there IS a real bug in the llSetPayPrice <-> Pay... UI dialog subroutines in the client.

HOWEVER

Given that we as scripters SHOULD BE validating the amount that is paid, especially in the case of multi-item vendors, and that this is a workaround for both the script design deficiency as well as the supposed client design deficiency, I would tend to say that it was irresponsible on the part of the scripter to not include such a thing. After all, many vendors have the defaults set in llSetPayPrice, and can be paid the $1, $5, $10, $20, or whatever price the user types into the pay edit box.

When it comes to handling money, even virtual money, double- and even triple-checking everything is the name of the game. :)
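As an added example (not a script from any post in this thread), here is a single-item vendor in LSL that applies both checks argued for above: it remembers the last avatar who clicked it, and in money() it checks the amount and the payer before handing out the item, refunding anything else. The item name and price are assumed for illustration.

```lsl
// Added example, not from any post in this thread.
// A single-item vendor that never trusts what the pay dialog showed.

integer PRICE = 200;              // L$ price of the one item sold (assumed)
string  ITEM  = "Example Shirt";  // inventory name of that item (assumed)

key gLastToucher = NULL_KEY;      // last avatar who clicked this vendor

default
{
    state_entry()
    {
        // llGiveMoney() needs debit permission from the owner for refunds.
        llRequestPermissions(llGetOwner(), PERMISSION_DEBIT);
        // Offer only the exact price; hide the free-text field and other buttons.
        // This is UI only: the money() checks below are what actually protect us.
        llSetPayPrice(PAY_HIDE, [PRICE, PAY_HIDE, PAY_HIDE, PAY_HIDE]);
    }

    run_time_permissions(integer perm)
    {
        if (!(perm & PERMISSION_DEBIT))
            llOwnerSay("Debit permission not granted; refunds will fail.");
    }

    touch_start(integer num_detected)
    {
        // Record who is about to buy, so a stray payment from someone
        // who never clicked can be refused.
        gLastToucher = llDetectedKey(0);
        llSetText("Pay L$" + (string)PRICE + " for " + ITEM, <1.0, 1.0, 1.0>, 1.0);
    }

    money(key payer, integer amount)
    {
        // Check 1: the amount, regardless of what llSetPayPrice displayed.
        if (amount != PRICE)
        {
            llGiveMoney(payer, amount);
            llInstantMessage(payer, "Refunded L$" + (string)amount
                + ": this item costs L$" + (string)PRICE + ".");
            return;
        }
        // Check 2: the payer is the avatar who last clicked the vendor.
        if (payer != gLastToucher)
        {
            llGiveMoney(payer, amount);
            llInstantMessage(payer,
                "Refunded for your safety: please click the vendor, then pay.");
            return;
        }
        // Both checks passed: deliver the item and clear the pending buyer.
        llGiveInventory(payer, ITEM);
        gLastToucher = NULL_KEY;
    }
}
```

The money() event fires after the funds have already arrived, so the refund path is the only way to hand back an unexpected amount; keep the owner's debit permission granted or those refunds silently fail.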
SteveR Whiplash
teh Monkeh
Join date: 24 Sep 2004
Posts: 173
04-28-2006 21:30
AHHA! /139/f7/103151/1.html#post1008892

So basically, there is a way to change the paybox to display something other than what you told it to with llSetPayPrice.

Uh-huh... Guess what? The scripter is still at fault here because they just ASSUMED that the user would only be able to pay the exact price they were expecting.

Never assume anything! ever ever ever ever ever ever ever ever ever
_____________________
Strife Onizuka
Moonchild
Join date: 3 Mar 2004
Posts: 5,887
04-29-2006 00:52
From: Forum Guidelines
Flaming, Spamming, Trolling – Flaming (posting a message that is intended to incite anger or directly attack a person or persons), Spamming (multiple posts of the same topic or discussion), and Trolling (a post with an intentionally contrary opinion written with the intent of inciting or getting argumentative opinions) are strongly discouraged. If you think your post might be over-reactive, or that it might fall into one of these definitions, please reconsider posting.


You're shouting "Fire" in a crowded theater. All we see is some guy smoking a cigarette.

Another solution for this is to have a HUD based vendor, where the user pays money into an account... This would work really well for one of my projects. It can render anything from motorcycles to comic books. I'll be rewriting it soon, as the latest version has its quirks.
_____________________
Truth is a river that is always splitting up into arms that reunite. Islanded between the arms, the inhabitants argue for a lifetime as to which is the main river.
- Cyril Connolly

Without the political will to find common ground, the continual friction of tactic and counter tactic, only creates suspicion and hatred and vengeance, and perpetuates the cycle of violence.
- James Nachtwey
Adriana Caligari
Registered User
Join date: 21 Apr 2005
Posts: 458
04-29-2006 01:07
From: Strife Onizuka
You're shouting "Fire" in a crowded theater.



My shouting fire produced a response from the fire brigade - would you prefer I stay silent and the theater burn down?
(As a moderator, learn to read a whole thread and take all the posts in context BEFORE telling someone to shut up - some people - getting fewer by the day - take note of what moderators say)

That aside...

Now that I have been vindicated by the Linden themselves I will re-iterate in one post what I have been saying all along.

(Yes, it is an "I told you so".)

There is a bug in llSetPayPrice
It affects everything that uses llSetPayPrice
No I will not say what it is
Yes you can protect yourself by checking the amount
No I do not work for JEVN


And in reply to "please learn how to define an exploit"

I have been a professional programmer for in excess of 20 years - I am well aware of how to define a fault, an exploit and a bug, thank you.

I never defined it - I said it was there and told you how to protect yourself.

Period.

Thank you, Linden, for verifying it.
Thank you to the few people here who actually took time to read things and agree that disclosure was not a good idea.


-------->edited<-------------

Sorry I have a bee in my bonnet now

Mr Moderator

How does my replying to a question saying that "Yes it is there"

Constitute :

"a post with an intentionally contrary opinion"

Or do you define "intentionally contrary opinion" to mean anything that contradicts the masses?
I.e. if 100 people say the sky is red then someone saying the sky is actually blue is trolling.
(See "The Emperor's New Clothes".)

Or were you referring to :
"written with the intent of inciting or getting argumentative opinions"

Saying the sky is blue when everybody else is saying it is red would get an argumentative response - should we now set truth to one side just because it goes against popular opinion?
How else do you say "sorry, you are mistaken"?


And for your information you do not need to reply to that as I have no wish to incite an argument.
That would be Trolling.
Strife Onizuka
Moonchild
Join date: 3 Mar 2004
Posts: 5,887
04-29-2006 01:50
From: Adriana Caligari
My shouting fire produced a response from the fire brigade

...Who tacked up a no smoking sign.


You keep alluding to some bigger issue, which has yet to be disclosed. There are a couple of ways that pay boxes don't work in a scripting friendly manner. Keeping the box open into a state that doesn't have a money event, for example, is one. The buttons don't update, so you can get discrepancies between what is expected and what actually happens. The money event can get lost due to state change. If it's something that isn't on my little list, well, darn, you got me. If it were something critical, LL would have fixed it already. Take last July (or was it June?): a group of users modified the client so they could download other people's scripts. They were banned and the client was fixed in less than 48 hours (might have been less). If LL isn't freaked out, I'm not freaked out. All I see is a man smoking a cigarette, not a burning theater.

PS.
Lex states it really nicely. I did read the thread. It is part of my duties to tell people when they aren't cohering with the rules. I won't argue with you that my understanding of the rules is flawed; I'm human; moderators will be human until AI develops the ability to handle the dynamics of human interactions (even then there will still be drama). It doesn't matter if you are right; even if the sky is falling, it doesn't change the situation, that you keep repeating it without giving evidence (LL has been known to 'fix' things after the onset of forum drama that didn't need fixing, so the acknowledgment from LL means nothing in my eyes).

Edit: just saw your edited response.
With the issue of the color of the sky, there has been scientific research. Saying there is a bug and not providing evidence; the discussion might as well be on the existence of god. At that point, when the thread goes off topic or devolves, the recommended response is to lock it. Doesn't matter who is right, or who started it.

This discussion on forum policy is distracting from the main topic, you are free to send me a Private Message if you wish to continue it.
_____________________
Adriana Caligari
Registered User
Join date: 21 Apr 2005
Posts: 458
04-29-2006 01:54
Trolling - Don't
Adriana Caligari
Registered User
Join date: 21 Apr 2005
Posts: 458
04-29-2006 02:04
From: Strife Onizuka
If it's something that isn't on my little list, well darn you got me



Darn - I got you then.

( I can play the last word game too )

[edit]
I saw yours too

When someone says "is there a bug in such and such"

How on earth is answering "yes" going "off-topic"?

What do you want me to say? "Frog"?
Strife Onizuka
Moonchild
Join date: 3 Mar 2004
Posts: 5,887
04-29-2006 02:20
From: Adriana Caligari
Darn - I got you then.

( I can play the last word game too )


Cool, good job.

Could it be what happens when the user doesn't have enough funds, and it pays a partial amount (I've not actually verified that this can happen)?

When I wrote the docs, I did test negative numbers; did they somehow bork that?

Or maybe leaving the sim while the pay box is open. Teleporting with it open; I know in the past that TP'ing with the texture upload preview window open could crash the client.

Paying an object while in another sim?

Opening lots of pay boxes and then clicking the pay buttons all at once? From another sim?
_____________________
Adriana Caligari
Registered User
Join date: 21 Apr 2005
Posts: 458
04-29-2006 02:25
Which part of "READ the thread before replying" did you not understand?

I have repeatedly said "I will not disclose what it is"

If you have difficulty with that I can translate it into the language of your choice.
Strife Onizuka
Moonchild
Join date: 3 Mar 2004
Posts: 5,887
04-29-2006 02:36
No problem.

PS. (That was an interesting response; I'm going to have to go try those now.)

(I'm curious what it would look like in Klingon.)
_____________________