AOH :: HP Unsorted C :: TB11660.HTM

Clarifications on LedgerSMB vulnerability with Bugtraq ID:24940



Clarifications on LedgerSMB vulnerability with Bugtraq ID:24940
Clarifications on LedgerSMB vulnerability with Bugtraq ID:24940



This is a multi-part message in MIME format.
--------------040907010501000807040402
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

Hi all;

The LedgerSMB team is still working on a security advisory which details 
the exact nature of the security vulnerability, how to test for it, 
etc.  We are giving it a couple days to ensure that it is correct and 
well edited, and that administrators have a chance to upgrade before the 
exploit becomes common knowledge.

This email is designed simply to clarify which versions are affected and 
what the scope of the issue.  I expect with in a day or two, the full 
security advisory will be released.

This particular issue only affects versions 1.2.0 through 1.2.6.  Prior 
versions, and other programs sharing the SQL-Ledger parentage are not 
affected (though there are other security issues with LedgerSMB 1.0.x - 
1.1.x.

By passing a specially crafted URL to the program, it is possible to get 
it to circumvent the normal authentication checks and instead perform 
any other arbitrary action within its own programming.  It allows in 
particular:
1)  Non-authenticated users to gain access to templates, etc. and use 
this as a vector for further attacks and
2)  Allow legitimate users to masquerade as eachother, and thus make any 
evidence of wrongdoing (such as embezzlement) appear to be tied to any 
other legitimate user. 

This is the most important security vulnerability since 1.1.5 and all 
users are advised to upgrade immediately.

Best Wishes,
Chris Travers

--------------040907010501000807040402
Content-Type: text/x-vcard; charset=utf-8;
 name="chris.vcf"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
 filename="chris.vcf"

begin:vcard
fn:Chris Travers
n:Travers;Chris
email;internet:chris@metatrontech.com 
tel;work:509-888-0220
tel;cell:509-630-7794
x-mozilla-html:FALSE
version:2.1
end:vcard


--------------040907010501000807040402--

The entire AOH site is optimized to look best in Firefox® 3 on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH
We do not send spam. If you have received spam bearing an artofhacking.com email address, please forward it with full headers to abuse@artofhacking.com.