Menu

#186 Script sets WIZARD on change and edit

Security
closed-accepted
nobody
Included MUF programs (16)
2
2015-09-14
2003-07-16
Lawrence Cotnam Jr.
No

This is a really old security hole, and a lot of upstart
mucks have it, because the FBMUF scripts put a WIZARD
bit on cmd-change and cmd-edit, allowing mortals to use
these commands to change wiz-protected properties.

Programs should be corrected, or the W taken off the
script, they shouldn't need more than M2.

Discussion

  • Nobody/Anonymous

    Nobody/Anonymous - 2003-07-16

    Logged In: NO

    Mmmm, they need M3. :) But definitely not WIZARD.

     

  • Points

    Points - 2003-09-13

    Logged In: YES
    user_id=7510

    Can you name the file and which repository this script
    resides in, please?

     

  • Lawrence Cotnam Jr.

    Lawrence Cotnam Jr. - 2003-09-14

    Logged In: YES
    user_id=255830

    umm... in the fbmuf part of this project's CVS... cmd-
    change.muf and cmd-edit.muf... is that what you mean?

     

  • Revar Desmera

    Revar Desmera - 2003-09-15

    Logged In: YES
    user_id=6331

    Because wizards use change and edit on objects they don't own,
    the programs need to be wizbit, but the permissions checking in
    the programs need to be fixed. Those programs predate @props,
    and don't have the correct perms checking.

     

  • Wyld

    Wyld - 2005-07-13
    • milestone: 100409 --> Security
    • priority: 5 --> 2
     

  • Wyld

    Wyld - 2005-07-13
    • assigned_to: nobody --> mcclure
     

  • Wyld

    Wyld - 2011-10-05
    • assigned_to: mcclure --> nobody
     

  • Wyld

    Wyld - 2015-09-14
    • status: open --> closed-accepted
     

  • Wyld

    Wyld - 2015-09-14

    Updated permissions checking in both cmd-change and cmd-edit. (FB7)

     

Log in to post a comment.