that users take the issue seriously, it
is not one which is expected to be particularly urgent.
Credit:
Chris Travers discovered this issue.
invoice number settings can be
overwritten, this problem can run users into regulatory compliance
problems. Users in areas which require gapless numbering of financial
documents need to treat this problem as more severe.
Discovery:
Chris Travers found the problem during work on forthcoming
XSRF
vulnerabilities should probably have their own advisories.
Best Wishes,
Chris Travers
LedgerSMB Core Team
Metatron Technology Consulting
per user, thus
ensuring that sql injection issues do not pose the privilege
escalation issues that are present in prior versions. Thus the impact
of an attack like this is greatly limited. The impact on the
pre-releases should be seen as moderate.
Best Wishes,
Chris Travers
tests by security vendors.
Thank you for your time,
Chris Travers
LedgerSMB Core Team
for LedgerSMB. I expect to send a
full disclosure email discussing the vulnerability in a week.
Best Wishes,
Chris Travers
moves in that direction.
I do think we need some sort of HTTP status or other header
information that would tell a browser to clear the auth cache and not
try again.
Best Wishes,
Chris Travers
the proper value should be
determined by each customer. The current default value (3600), which
sets the default value to one hour, is way too high though. This issue
will be documented as an issue in future versions of LedgerSMB.
Best Wishes,
Chris Travers
LedgerSMB 1.1.x, this is an excellent reason
to upgrade.
I can confirm this problem for the versions mentioned.
Best Wishes,
Chris Travers
repository this code does not appear there.
Best Wishes,
Chris Travers
, an incorrect guess as to the request
number deletes the user session and requests a password from the user.
To obtain the hotfix either email me at the address mentioned above or
download the most recent file from svn (branches/1.2):
LedgerSMB/Session/DB.pm.
Sincerely,
Chris Travers
The LedgerSMB Team
Multiple vulnerabilities: LedgerSMB
Synopsis: Two vulnerabilities announced in LedgerSMB for versions
prior to 1.2.15
Status: Corrected in version 1.2.15 and later (vendor fix available).
Impact: Resource exhaustion on server, arbitrary SQL command execution.
Other software affected:
injection
issues in that application. Our official recommendation for
SQL-Ledger users is to restrict access to database relations to the
least privilege necessary. While this does not entirely solve the
issues, it does limit the damage considerably.
Best Wishes,
Chris Travers
(such as embezzlement) appear to be tied to any
other legitimate user.
This is the most important security vulnerability since 1.1.5 and all
users are advised to upgrade immediately.
Best Wishes,
Chris Travers
products or are responsible for the security of
their networks. All questions regarding more information on this
vulnerability can be directed to Chris Travers ( [EMAIL PROTECTED]
mailto:[EMAIL PROTECTED] or [EMAIL PROTECTED]
mailto:[EMAIL PROTECTED]).
purposes and that roles need to be isolated into
separate database accounts (which the application does support).
However, this process is cumbersome. The LedgerSMB project intends to
automate this process properly in 1.3.0 (perhaps six months away).
Best Wishes,
Chris Travers
Chris Travers
begin:vcard
fn:Chris Travers
n:Travers;Chris
email;internet:[EMAIL PROTECTED]
tel;work:509-888-0220
tel;cell:509-630-7794
x-mozilla-html:FALSE
version:2.1
end:vcard
a Perl script named sql-ledger.conf
in the directory above where these scripts are normally stored. So the
username forces the execution of that script, doesn't find a password,
and so allows the user in. Lovely.
Best Wishes,
Chris Travers
can upgrade to 2.6.26 should do so, and LedgerSMB 1.1 or 1.0 users
should upgrade to 1.1.9. Users who cannot upgrade should configure
their web servers to use http authentication for the admin.pl script in
the main root directory.
Best Wishes,
Chris Travers
are advised to upgrade to the latest version, and
all LedgerSMB users using versions prior to 1.1.5 should upgrade as well.
Best Wishes,
Chris Travers
at every
page load, are created on login, and destroyed at logout. Using the
same method, you can add arbitrary Perl code to the end of these files
causing that to be loaded the next time the target user loads a page.
Best Wishes,
Chris Travers
.
Best Wishes,
Chris Travers
diff -C3 -r sql-ledger-orig/SL/Form.pm sql-ledger/SL/Form.pm
*** sql-ledger-orig/SL/Form.pm 2007-02-05 18:20:34.0 -0800
--- sql-ledger/SL/Form.pm 2007-02-05 18:23:06.0 -0800
***
*** 311,318
if ($self-{callback}) {
! my
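Review bot: the context line `if ($self-{callback}) {` is not a valid Perl hash dereference; the original almost certainly reads `if ($self->{callback}) {` and the `>` was lost when the message was extracted, so the hunk as shown would not apply cleanly against SL/Form.pm. The hunk is also cut off after `! my`, so the actual replacement of the callback handling at lines 311-318 is not visible here and cannot be reviewed from this excerpt.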
, but
it is still not corrected in SQL-Ledger.
There is no workaround to prevent the problem except to hope that those
who are using vulnerable software can be trusted.
I will be sending a full disclosure of the problem, as well as an
unofficial patch to SQL-Ledger in a week.
Best Wishes,
Chris
http://127.0.0.1/sql-ledger/login.pl?login=demoscript=-e%3fprint%20STDERR%20%27hello%20world%27%3baction=logout
Best Wishes,
Chris Travers
Metatron Technology Consulting
should upgrade to the newest versions of these packages at
their earliest convenience.
Credit for this disclosure should go to Chris Murtagh (a private
individual) and Richard Patterson of Quickhelp.
Best Wishes,
Chris Travers
Metatron Technology Consulting
from 2.4.4 to the present, this
was only tested on 2.6.15 and 2.6.17.
Best Wishes,
Chris Travers
Metatron Technology Consulting