Hi all;
It has been brought to our attention that a number of security
vulnerabilities have been noted in SQL-Ledger. Several of these affect
earlier versions of LedgerSMB, and three hotfixes have been released for
problems that continue to affect the LedgerSMB codebase.
As always, we highly recommend testing all hotfixes before applying them to
a production environment.
The CVEs mentioned here are the ones attached to SQL-Ledger. Subtle
differences as to how these affect LedgerSMB are noted below.
These vulnerabilities include:
* No Cross-Site-Request-Forgery (XSRF) protection (CVE-2009-3580)
* SQL Injection (similar to CVE-2009-3582)
* Local File Include (CVE-2009-3583)
* Default Administrator Password Weakness (CVE-2009-4402)
* Secure flag not set on cookie (CVE-2009-3584)
All five of these have been patched, either in stable versions or in hotfixes.
Please read below for more information.
* No Cross-Site-Request-Forgery (XSRF) protection (CVE-2009-3580)
In this vulnerability, an individual, either through HTML injection in the
application or through a script on a third-party web site, could cause an HTTP
request to be made that sets a user's password to an arbitrary value.
This affects all production versions of LedgerSMB. A hotfix has been
released but has not been put through full regression testing at this time.
Furthermore this hotfix breaks our traditional string freeze because it
requires adding a new input to the preferences screen and so may cause minor
issues with localization. Individuals with such problems are encouraged to
contact the users list.
To apply the fix, either email [email protected] to have it emailed to
you or download the latest of the following files from svn (branches/1.2):
bin/am.pl
LedgerSMB/AM.pm
A fix has been applied to the 1.3 codebase as well. Users of 1.3 prerelease
versions should update to the most recent SVN revisions.
Note that CSRF/XSRF issues remain a possibility even with this, but some
controls and protections are available in the software, if properly
configured. In particular, if you set the session timeout to a sane value,
the window for exploiting existing sessions is far narrower. The main
effect of this fix is to prevent this sort of attack from changing a user's
password and thus gaining entry to the system.
There are minor differences between how LedgerSMB and SQL-Ledger mitigate
this risk in production versions. In particular, we limit a user to a
single login session, and an attempt to change that login session times out
the session. This makes the issue more difficult to exploit on LedgerSMB
systems generally.
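The two controls this section relies on, a per-session value that a forged cross-site request cannot know and an idle timeout that narrows the window, as an added Python illustration that is not LedgerSMB's Perl code; the page does not say what the new preferences input is, so the hidden token field, the Session class and the status strings are assumptions.

```python
import hmac
import secrets
import time

# Constructed illustration, not LedgerSMB code: the hidden token field is a
# hypothetical stand-in for the new preferences input the hotfix adds.
class Session:
    def __init__(self, user, timeout=600, now=None):
        self.user = user
        self.password = None
        self.token = secrets.token_hex(16)   # rides along in the preferences form
        self.timeout = timeout               # idle seconds before the session dies
        self.last_seen = now if now is not None else time.time()

    def alive(self, now):
        return now - self.last_seen < self.timeout


def preferences_form(sess):
    """HTML for the preferences screen; the token is emitted as a hidden field."""
    return (f'<form method="post" action="am.pl">'
            f'<input type="hidden" name="token" value="{sess.token}">'
            f'<input type="password" name="new_password"></form>')


def change_password(sess, form, now):
    """Server side of the form post. Returns a short status string."""
    if not sess.alive(now):
        return "expired"            # stale session: the user must log in again
    sess.last_seen = now
    # A request forged from another site never saw the rendered page, so it
    # cannot carry the session's token; compare in constant time.
    supplied = form.get("token", "").encode()
    if not hmac.compare_digest(supplied, sess.token.encode()):
        return "rejected"
    sess.password = form["new_password"]
    return "changed"
```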
* SQL Injection (CVE-2009-3582)
This affects all production versions, and does not affect 1.3 prerelease
versions at all. The contact management module depends on table information
submitted by the user and this is not properly sanitized. A user could
perform arbitrary database commands including deleting or inserting data
into arbitrary tables.
A hotfix has been released but has not been fully regression tested. To
obtain the hotfix please email [email protected] or download the latest
version of the following file from svn (branches/1.2): LedgerSMB/CT.pm
In SQL-Ledger (and in LedgerSMB prior to 1.2.0), this injection can be used
to delete an arbitrary set of rows from any table containing an id field.
In LedgerSMB 1.2.x, the vulnerability is more limited. While arbitrary
tables can be selected, one is limited to deleting one row at a time by the
id field. Also, in 1.2.0 only the delete function is believed to be
exploitable, whereas in earlier versions the update function may be
exploitable as well.
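The defect described above beside its fix, as an added Python example that is not the LedgerSMB/CT.pm code: a user-supplied table name interpolated straight into a DELETE, versus mapping the name through an allowlist and binding the id. The table names and rows are constructed, and sqlite3 stands in for PostgreSQL.

```python
import sqlite3

# Constructed allowlist: the only tables the contact module may delete from.
# The user-supplied name is used as a lookup key, never as SQL text.
ALLOWED_TABLES = {"customer": "customer", "vendor": "vendor"}


def make_db():
    """In-memory schema with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE customer (id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE vendor   (id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE acc_trans(id INTEGER PRIMARY KEY, amount REAL);
        INSERT INTO customer VALUES (1, 'Acme'), (2, 'Globex');
        INSERT INTO vendor   VALUES (1, 'Initech');
        INSERT INTO acc_trans VALUES (1, 100.0), (2, 250.0);
    """)
    return db


def delete_vulnerable(db, db_table, row_id):
    """Pattern of the unpatched code: whatever table name the form submits is
    pasted into the statement, so a contact-management request can reach any
    table that has an id column."""
    db.execute(f"DELETE FROM {db_table} WHERE id = {int(row_id)}")
    db.commit()


def delete_fixed(db, db_table, row_id):
    """Hardened form: unknown table names are refused, the SQL identifier comes
    from the allowlist, and the id is bound as a parameter."""
    table = ALLOWED_TABLES.get(db_table)
    if table is None:
        raise ValueError(f"unknown table: {db_table!r}")
    db.execute(f"DELETE FROM {table} WHERE id = ?", (int(row_id),))
    db.commit()


def row_count(db, table):
    """Helper for checking results; only ever called with the fixed names above."""
    return db.execute(f"SELECT COUNT(*) FROM {table}").fetchone()[0]
```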
* Local File Include (CVE-2009-3583)
This affects versions of LedgerSMB prior to 1.2.0. If you are using a
version prior to 1.2.0, please upgrade.
* Default Administrator Password Weakness (CVE-2009-4402)
This affects versions of LedgerSMB prior to 1.2.0. If you are using a
version prior to 1.2.0, there are many critical fixes you are missing out
on. If you absolutely cannot upgrade, please make sure the administrator
password has been properly set.
* Secure flag not set on cookie (CVE-2009-3584).
This affects all versions of LedgerSMB. The effect is that a session
cookie, which could be used to grant access to the system, could be
hijacked. The risk on LedgerSMB is less than on SQL-Ledger because we
require serial requests in 1.2, and the cookie is not sufficient to gain
access to anything in 1.3. In essence, on an unpatched system, an
individual would have to guess the request number and send it along.
While the range here is limited, it does take some extra work and adds some
complexity to the attack.
In a patched system, the secure flag is set only when using HTTPS to access
LedgerSMB. However, an incorrect guess as to the request number deletes
the user session and requests a password from the user.
To obtain the hotfix either email me at the address mentioned above or
download the most recent file from svn (branches/1.2):
LedgerSMB/Session/DB.pm.
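The patched behaviour described above, as an added Python example that is not the LedgerSMB/Session/DB.pm code: the Secure attribute is added only when the request arrived over HTTPS, and a request carrying the wrong serial number destroys the session so the user is sent back to the password prompt. The in-memory session table, cookie name and return values are assumptions.

```python
import secrets

# Constructed in-memory session table standing in for LedgerSMB's
# database-backed sessions; field names are assumptions.
SESSIONS = {}


def new_session(user):
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "next_request": 1}
    return sid


def set_cookie_header(sid, https):
    """Set-Cookie line for the session cookie. Secure is appended only when the
    site is served over HTTPS, so plain-HTTP deployments keep working while
    HTTPS deployments stop the cookie from leaking over cleartext."""
    attrs = [f"LedgerSMB={sid}", "Path=/", "HttpOnly"]
    if https:
        attrs.append("Secure")
    return "Set-Cookie: " + "; ".join(attrs)


def check_request(sid, request_no):
    """Serial-request check. Returns (accepted, user). A number other than the
    next expected one destroys the session, so a copied cookie without the
    right serial costs the holder the session and the real user a re-login."""
    sess = SESSIONS.get(sid)
    if sess is None:
        return (False, None)
    if request_no != sess["next_request"]:
        del SESSIONS[sid]
        return (False, None)
    sess["next_request"] += 1
    return (True, sess["user"])
```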
Sincerely,
Chris Travers
The LedgerSMB Team
Ledger-smb-devel mailing list
https://lists.sourceforge.net/lists/listinfo/ledger-smb-devel