To all whom it may concern:
The following is a security advisory for LedgerSMB 1.3.x. It includes
information on the vulnerable versions and on how to mitigate the problems. While
the security issues discussed here are minor in most cases, they can have
significant impact for some users in some environments.
Title: LedgerSMB 1.3.0-1.3.27, Multiple Vulnerabilities
Versions vulnerable: 1.3.0 through 1.3.27
Severity: Low in most environments, medium to high where users must share
terminals.
Fix Availability: From vendor, workarounds available as well.
First Fixed In: 1.3.28
Issues discussed: 1) Administrative Password Reset/expiration
Ineffective, and 2) Credentials not cleared on some browsers.
Impact: 1) Administrators may mistakenly believe that users have been
securely locked out of the system, 2) Users sharing computer terminals may
be able to access the application using each other's credentials.
The first is not a directly exploitable vulnerability, but it acts as a vector
for security problems because an administrator may believe that a user's
password has been reset when in fact it has not. Administratively set
passwords expire after 24 hours (after which time the user is unable to log
in with any password), so an administrative reset also serves as a way of
locking a user out of the system. Because administrators rely on this to
lock users out, a reset that silently fails to take effect leaves the
account accessible, and so creates an exposure in the ordinary course of
administering the software, contrary to what the administrator intends. This
is heavily mitigated by the fact that audit trails cannot be accessed or
deleted by most users.
A patch is available for this issue. If anyone needs it, email Chris
Travers (ch...@metatrontech.com) for details.
Workaround: Expire, disable or reset passwords from psql or another
database-level interface. Do not use the web application for this purpose
in versions prior to 1.3.28.
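As an added illustration of the database-level workaround (example statements written for this page, not taken from the advisory or from the LedgerSMB code base), the following assumes that LedgerSMB application users are PostgreSQL login roles; the role name `pos_user1` and the timestamps are hypothetical. The point is to act on the role directly and then verify the result from the catalog, rather than trusting what the web UI reports.

```sql
-- Added example, not part of the advisory. Assumes application users are
-- PostgreSQL login roles; the role name 'pos_user1' and the dates are
-- placeholders. Run from psql as a superuser or the database owner.

-- 1. Disable: NOLOGIN is unconditional and does not depend on any
--    password handling in the web application.
ALTER ROLE pos_user1 NOLOGIN;

-- 2. Expire: set VALID UNTIL to a timestamp already in the past.
--    (VALID UNTIL takes a string literal, not an expression.)
ALTER ROLE pos_user1 VALID UNTIL '2000-01-01 00:00:00+00';

-- 3. Reset with a temporary credential that stops working 24 hours later,
--    mirroring the expiry the advisory describes. Prefer psql's
--    \password pos_user1 meta-command over a plaintext PASSWORD clause so
--    the new password does not end up in the server log or shell history.
ALTER ROLE pos_user1 WITH LOGIN VALID UNTIL '2012-12-26 12:00:00+00';
-- \password pos_user1      (interactive; run in psql after the ALTER above)

-- 4. Verify from the catalog, not from the application: rolcanlogin must
--    be false for a disabled role, and rolvaliduntil must be in the past
--    for an expired one.
SELECT rolname, rolcanlogin, rolvaliduntil
  FROM pg_roles
 WHERE rolname = 'pos_user1';

-- 5. ALTER ROLE does not touch connections that are already open. Terminate
--    them so the lockout is effective immediately. (The column is 'procpid'
--    on PostgreSQL releases before 9.2.)
SELECT pg_terminate_backend(pid)
  FROM pg_stat_activity
 WHERE usename = 'pos_user1'
   AND pid <> pg_backend_pid();
```

Step 4 is the check that matters: if the web UI says a user is locked out but `rolcanlogin` is still true and `rolvaliduntil` is still in the future, the reset did not take effect.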
Credit: This issue was discovered by Chris Travers, following up on an
unrelated issue reported by Pongracz Istvan.
The second issue is that LedgerSMB, in versions prior to 1.3.28, only
attempted to clear cached HTTP credentials for Internet Explorer and Firefox
users. Users of other browsers found that their credentials were simply not
cleared until the browser window was fully closed, even where the browser
supported clearing via the methods provided. It is true that some browsers
do not clear credentials of this sort in any case, but even where the
existing methods would have worked, they were not run. The issue (in
UI/logout/firefox.js) was that we were simply checking whether the browser
was Firefox or Internet Explorer, and excluding all other browsers.
Attack Scenario: User 1 works a point-of-sale terminal using Midori as the
web browser. User 1 is about to finish his shift and locks his terminal.
User 2 steals $100 out of the till and waits. When User 1 logs out, User 2
clicks the back button, is still authenticated with User 1's cached
credentials, and enters a transaction accounting for the missing $100, thus
hiding the theft.
A fix for this is available and will be included in LedgerSMB 1.3.28. If
anyone needs it before then, please email Chris Travers
(ch...@metatrontech.com) for details.
Workaround: In shared-terminal environments, use Internet Explorer (8+) or
Firefox, or close all browser windows after logging out.
Credit: Credit goes to Pongracz Istvan for discovering and reporting this
problem.
Best Wishes,
Chris Travers
_______________________________________________
Ledger-smb-users mailing list
Ledger-smb-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/ledger-smb-users