[JIRA] Issue Comment Edited: (SVC-5054) No-Modify object is modifiable: anyone can disassemble and steal its contents

Harleen Gretzky (JIRA) no-reply at lindenlab.cascadeo.com
Thu Nov 19 22:48:01 PST 2009


    [ http://jira.secondlife.com/browse/SVC-5054?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=147802#action_147802 ] 

Harleen Gretzky edited comment on SVC-5054 at 11/19/09 10:47 PM:
-----------------------------------------------------------------

The difference is that you consider removing the contents to be modifying the object; I do not. You own the contents and should be able to remove them.

And I actually do not get your use of removed contents for griefing: if the original object with the contents is not a griefing object, then how does moving them into another object suddenly turn them into one?

      was (Author: Harleen Gretzky):
    The difference is you considering removing the contents modifying the object, I do not, you own the contents and should be able to remove them.

And I actually do not get your use of removed contents for griefing, if the original object with the contents are not a griefing object than how does move them into another object suddenly turn them into one.
  
> No-Modify object is modifiable: anyone can disassemble and steal its contents
> -----------------------------------------------------------------------------
>
>                 Key: SVC-5054
>                 URL: http://jira.secondlife.com/browse/SVC-5054
>             Project: 2. Second Life Service - SVC
>          Issue Type: Bug
>          Components: Permissions
>    Affects Versions: 1.32 Server
>            Reporter: Nicole Lassally
>            Priority: Critical
>
> You can take contents out of a no-modify object!
> To reproduce permission bug:
> * Create an object
> * Set permission to copy-only (no-modify and no-transfer)
> * Put anything into its content with any permission, i.e., create a script with no-permission or drop an object with no-permission.
> * Give this object to someone
> * Once delivered, rez the object in-world and open its content
> * Copy all its contents (scripts included) into inventory
> * The contents deliver into inventory
> This means that anyone can disassemble all the scripts, textures or anything inside out of a NO-MODIFY object, and steal them from the object and use them on other objects even when the object is no-modify supposedly!
> No-mod does not allow anyone to unlink or edit any of the prims in the object, but why does it allow people to disassemble its contents and remove them out of the contents and put them in the inventory and then use those parts to build their own object?  That is not what NO-MODIFY means.
> This is a big SECURITY RISK because someone can potentially take the payment script out of a NO-MODIFY object and put it into your own object and steal money from someone else.
> To make it clearer, you cannot drop things (scripts, textures or whatever) into the contents of the no-mod object, BUT you can take things (scripts, textures, etc.) out of the object.
