Clarifications on LedgerSMB vulnerability with Bugtraq ID:24940
Hi all;
The LedgerSMB team is still working on a security advisory which details
the exact nature of the security vulnerability, how to test for it,
etc. We are giving it a couple days to ensure that it is correct and
well edited, and that administrators have a chance to upgrade before the
exploit becomes common knowledge.
This email is designed simply to clarify which versions are affected and
what the scope of the issue. I expect with in a day or two, the full
security advisory will be released.
This particular issue only affects versions 1.2.0 through 1.2.6. Prior
versions, and other programs sharing the SQL-Ledger parentage are not
affected (though there are other security issues with LedgerSMB 1.0.x -
1.1.x.
By passing a specially crafted URL to the program, it is possible to get
it to circumvent the normal authentication checks and instead perform
any other arbitrary action within its own programming. It allows in
particular:
1) Non-authenticated users to gain access to templates, etc. and use
this as a vector for further attacks and
2) Allow legitimate users to masquerade as eachother, and thus make any
evidence of wrongdoing (such as embezzlement) appear to be tied to any
other legitimate user.
This is the most important security vulnerability since 1.1.5 and all
users are advised to upgrade immediately.
Best Wishes,
Chris Travers
begin:vcard
fn:Chris Travers
n:Travers;Chris
email;internet:chris@xxxxxxxxxxxxxxxx
tel;work:509-888-0220
tel;cell:509-630-7794
x-mozilla-html:FALSE
version:2.1
end:vcard