Security advisory, LedgerSMB 1.3.0-1.3.36

2014-02-03 Thread Chris Travers
that users take the issue seriously, it is not one which is expected to be particularly urgent. Credit: Chris Travers discovered this issue.

Security Advisory in LedgerSMBv 1.3.20 and below: Denial of Service vulnerability

2012-07-30 Thread Chris Travers
invoice number settings can be overwritten, this problem can run users into regulatory compliance problems. Users in areas which require gapless numbering of financial documents need to treat this problem as more severe. Discovery: Chris Travers found the problem during work on forthcoming

LedgerSMB 1.3.0 released, includes anti-XSRF framework

2011-10-12 Thread Chris Travers
XSRF vulnerabilities should probably have their own advisories. Best Wishes, Chris Travers LedgerSMB Core Team Metatron Technology Consulting

Full disclosure for SA45649, SQL Injection in LedgerSMB and SQL-Ledger

2011-08-31 Thread Chris Travers
per user, thus ensuring that sql injection issues do not pose the privilege escalation issues that are present in prior versions. Thus the impact of an attack like this is greatly limited. The impact on the pre-releases should be seen as moderate. Best Wishes, Chris Travers

Security advisory: SQL Injection in LedgerSMB 1.2.24 and lower

2011-08-25 Thread Chris Travers
tests by security vendors. Thank you for your time, Chris Travers LedgerSMB Core Team

SQL-Ledger patch update for SQL injection

2011-08-25 Thread Chris Travers
for LedgerSMB. I expect to send a full disclosure email discussing the vulnerability in a week. Best Wishes, Chris Travers

Re: [Webappsec] Paper: Weaning the Web off of Session Cookies

2010-02-01 Thread Chris Travers
moves in that direction. I do think we need some sort of HTTP status or other header information that would tell a browser to clear the auth cache and not try again. Best Wishes, Chris Travers

More information on CVE-2009-3580

2010-01-26 Thread Chris Travers
the proper value should be determined by each customer. The current default value (3600), which sets the default value to one hour, is way too high though. This issue will be documented as an issue in future versions of LedgerSMB. Best Wishes, Chris Travers

CVE-2009-3583, confirming problem and adding info

2010-01-25 Thread Chris Travers
LedgerSMB 1.1.x, this is an excellent reason to upgrade. I can confirm this problem for the versions mentioned. Best Wishes, Chris Travers

Re: e107 latest download link is backdoored

2010-01-25 Thread Chris Travers
repository this code does not appear there. Best Wishes, Chris Travers

FWD: LedgerSMB Security Advisory: Multiple Vulnerabilities

2010-01-25 Thread Chris Travers
, an incorrect guess as to the request number deletes the user session and requests a password from the user. To obtain the hotfix either email me at the address mentioned above or download the most recent file from svn (branches/1.2): LedgerSMB/Session/DB.pm. Sincerely, Chris Travers The LedgerSMB Team

Multiple Vulnerabilities: LedgerSMB 1.2.15

2008-09-10 Thread Chris Travers
Multiple vulnerabilities: LedgerSMB Synopsis: Two vulnerabilities announced in LedgerSMB for versions prior to 1.2.15 Status: Corrected in version 1.2.15 and later (vendor fix available). Impact: Resource exhaustion on server, arbitrary SQL command execution. Other software affected:

LedgerSMB 1.2.8, SQL-Ledger 2.x Multiple SQL Injection Issues

2007-10-09 Thread Chris Travers
injection issues in that application. Our official recommendation for SQL-Ledger users is to restrict access to database relations to the least privilege necessary. While this does not entirely solve the issues, it does limit the damage considerably. Best Wishes, Chris Travers

Clarifications on LedgerSMB vulnerability with Bugtraq ID:24940

2007-07-18 Thread Chris Travers
(such as embezzlement) appear to be tied to any other legitimate user. This is the most important security vulnerability since 1.1.5 and all users are advised to upgrade immediately. Best Wishes, Chris Travers

Security Advisory: Login bypass in LedgerSMB 1.2.0 through 1.2.6

2007-07-18 Thread Chris Travers
products or are responsible for the security of their networks. All questions regarding more information on this vulnerability can be directed to Chris Travers ([EMAIL PROTECTED] or [EMAIL PROTECTED]).

ACLS ineffective in SQL-Ledger and LedgerSMB

2007-04-06 Thread Chris Travers
purposes and that roles need to be isolated into separate database accounts (which the application does support). However, this process is cumbersome. The LedgerSMB project intends to automate this process properly in 1.3.0 (perhaps six months away). Best Wishes, Chris Travers

LedgerSMB 1.2.0 finally released, fixes CVE-2006-5589

2007-04-05 Thread Chris Travers
, Chris Travers

Full Disclosure: Arbitrary execution vulnerability in SQL-Ledger and LedgerSMB

2007-03-19 Thread Chris Travers
a Perl script named sql-ledger.conf in the directory above where these scripts are normally stored. So the username forces the execution of that script, doesn't find a password, and so allows the user in. Lovely. Best Wishes, Chris Travers

Security bypass vulnerability in LedgerSMB and SQL-Ledger (fixes released today)

2007-03-10 Thread Chris Travers
can upgrade to 2.6.26 should do so, and LedgerSMB 1.1 or 1.0 users should upgrade to 1.1.9. Users who cannot upgrade should configure their web servers to use http authentication for the admin.pl script in the main root directory. Best Wishes, Chris Travers

DoS and code execution issue in LedgerSMB 1.1.5 and SQL-Ledger 2.6.25

2007-03-05 Thread Chris Travers
are advised to upgrade to the latest version, and all LedgerSMB users using versions prior to 1.1.5 should upgrade as well. Best Wishes, Chris Travers

Full disclosure: Directory Traversal and Arbitrary Code Execution Vulnerability in SQL-Ledger and LedgerSMB

2007-03-01 Thread Chris Travers
at every page load, are created on login, and destroyed at logout. Using the same method, you can add arbitrary Perl code to the end of these files causing that to be loaded the next time the target user loads a page. Best Wishes, Chris Travers

Unofficial SQL-Ledger patch for CVE-2007-0667

2007-02-06 Thread Chris Travers
. Best Wishes, Chris Travers diff -C3 -r sql-ledger-orig/SL/Form.pm sql-ledger/SL/Form.pm *** sql-ledger-orig/SL/Form.pm 2007-02-05 18:20:34.0 -0800 --- sql-ledger/SL/Form.pm 2007-02-05 18:23:06.0 -0800 *** *** 311,318 if ($self-{callback}) { ! my

Arbitrary Code Execution in SQL-Ledger and LedgerSMB through redirects

2007-01-29 Thread Chris Travers
, but it is still not corrected in SQL-Ledger. There is no workaround to prevent the problem except to hope that those who are using vulnerable software can be trusted. I will be sending a full disclosure of the problem, as well as an unofficial patch to SQL-Ledger in a week. Best Wishes, Chris

Full Disclosure: Arbitrary Code Execution in LedgerSMB CVE-2006-5872

2007-01-27 Thread Chris Travers
http://127.0.0.1/sql-ledger/login.pl?login=demoscript=-e%3fprint%20STDERR%20%27hello%20world%27%3baction=logout Best Wishes, Chris Travers Metatron Technology Consulting

LedgerSMB 1.0.0 and SQL-Ledger 2.6.18 and earlier arbitrary code execution

2006-09-12 Thread Chris Travers
should upgrade to the newest versions of these packages at their earliest convenience. Credit for this disclosure should go to Chris Murtagh (a private individual) and Richard Patterson of Quickhelp. Best Wishes, Chris Travers Metatron Technology Consulting

Full Disclosure for SQL-Ledger vulnerability CVE-2006-4244

2006-09-07 Thread Chris Travers
from 2.4.4 to the present, this was only tested on 2.6.15 and 2.6.17. Best Wishes, Chris Travers Metatron Technology Consulting