
Clarifications on LedgerSMB vulnerability with Bugtraq ID:24940



Hi all;

The LedgerSMB team is still working on a security advisory which details the exact nature of the security vulnerability, how to test for it, etc. We are giving it a couple days to ensure that it is correct and well edited, and that administrators have a chance to upgrade before the exploit becomes common knowledge.

This email is designed simply to clarify which versions are affected and what the scope of the issue is. I expect within a day or two, the full security advisory will be released.

This particular issue only affects versions 1.2.0 through 1.2.6. Prior versions, and other programs sharing the SQL-Ledger parentage, are not affected (though there are other security issues with LedgerSMB 1.0.x - 1.1.x).

By passing a specially crafted URL to the program, it is possible to get it to circumvent the normal authentication checks and instead perform any other arbitrary action within its own programming. It allows in particular: 1) non-authenticated users to gain access to templates, etc. and use this as a vector for further attacks and 2) legitimate users to masquerade as each other, and thus make any evidence of wrongdoing (such as embezzlement) appear to be tied to any other legitimate user. This is the most important security vulnerability since 1.1.5 and all users are advised to upgrade immediately.

Best Wishes,
Chris Travers