[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Security fix that started all this

On Fri, 2006-09-08 at 16:34 -0700, Tony Fraser wrote:
> >         You still would be able to pass the sessionid around in the
> >         URL to rid the need for cookies. Similiar to how the
> timestamp
> >         was done in the past.  But we could remove the timeout &
> login
> >         information and keep that server side. 
> I don't use a session id. I'll post the patch over the weekend some
> time. I don't have time to clean it up and ready for public
> consumption
> right now.

For those who want to see it you can download a copy from here:


It's cleaned up quite a bit from the last version I gave Dieter but it
functions the same. It applies cleanly to SQL Ledger 2.6.17.

It doesn't address admin.pl at all. I'm not even sure if admin.pl will
work unmodified with the changes that I've made to the rest of the code.

If anyone does apply it they need to now that they need to make a
special effort to protect the contents of the .conf files in the users
directory with this patch. If someone can read those files then this
patch is no more secure than an unpatched SQL Ledger 2.6.17.

This is the end of this patch as far as I'm concerned. I'm not going to
update it unless either LedgerSMB or SQL Ledger developers show me some
interest in merging it into a distribution. I think I'm going to focus
my available resources on maintaining a patch to the current version of
SQL Ledger that removes all authentication from the app leaving it to
rely on $ENV{REMOTE_USER} and the use of external authentication
mechanisms. I've seen a few request for that on sql-ledger-users now and
it's something I've thought would be a good option for quite a while.

I will be keeping an eye on LedgerSMB as well. If I see significant
positive progress I will switch but at the moment I am going to continue
using SQL Ledger for my accounting needs. At this point I'm just not
clear on what direction LedgerSMB is going.

Tony Fraser
Sybaspace Internet Solutions                        System Administrator
phone: (250) 246-5368                                fax: (250) 246-5398