
Re: Potential security issue with LedgerSMB (inherited from SL)
Christopher Murtagh wrote:
> Greetings folks,
>
>  I noticed something a while back that's been in the back of my
> mind that I think needs addressing as a potential security problem
> (well, there are lots really, but this one might be critical).
>
>   In many places through the code, Dieter used 'if
> ($ENV{HTTP_USER_AGENT})' to determine if the user is accessing the
> site via a web browser or command line. This, of course, is a bad
> assumption to make, because the user can easily not provide a user
> agent, and this will be false. The real question is, is this being
> used in a dangerous way? I'm betting that it just might be.
>
<snip>
> Now, the question is, do we use a different $ENV var to detect HTTP
> connection from above, or do we use another means? Either way, the 'if
> ($ENV{HTTP_USER_AGENT})' is wrong if not dangerous. As you can see
> from above, this was the output when I ran the script with a custom
> user agent via the Firefox extension 'User Agent Switcher', notice the
> lack of the HTTP_USER_AGENT variable.
>
> We might want to warn Dieter about this, although from the experience
> of the last security notice (both behind the scenes first and after
> the public disclosure), I'm not sure if he'll take it seriously. So,
> unfortunately, this might just be a waste of our time. Tony, your
> rapport with Dieter seems to be better, maybe you might want to let
> him know after we've determined if this is serious or not.
>
>  Thoughts?
>
> Cheers,
>
> Chris
>
>
Under normal circumstances, HTTP_USER_AGENT would be set... I doubt if
it's a security risk; you would just get an "Unknown terminal".

There are a few $ENV vars which are guaranteed to be there under CGI:
"DOCUMENT_ROOT", "REQUEST_METHOD", "REMOTE_ADDR", etc...

There is however a *serious* security problem with the way that admin.pl
and login.pl handle the "terminal" variable in the url (try
http://localhost/sql-ledger/login.pl&terminal=../../../../path/to/another/folder)
Very easy to fix, but it's been there for a while.

Regards

-- 

Richard Patterson          HelpQuick Limited
Tel: 0191 2582888          Fax: 0191 6408666
Jabber chat:  ..hidden..
Web:     http://www.helpquick.co.uk
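The two points raised in this thread, that a client-controlled HTTP_USER_AGENT header is the wrong signal for "are we running under CGI?" and that a "terminal" parameter must never be allowed to carry path components, as an added example. This is illustration code written for this page in Python rather than the project's Perl; it is not SQL-Ledger or LedgerSMB code. The REQUIRED_CGI_VARS list is taken from the server-set meta-variables of RFC 3875; the sample environments, the base directory and the TERMINAL_NAME token rule are constructed assumptions, since the thread does not list the real terminal names.

```python
import os
import re

# Meta-variables that RFC 3875 (CGI/1.1) obliges the web server to set on every
# request. HTTP_* variables, by contrast, only mirror request headers the client
# chose to send, which is why HTTP_USER_AGENT can simply be absent.
REQUIRED_CGI_VARS = ("GATEWAY_INTERFACE", "REQUEST_METHOD", "REMOTE_ADDR", "SERVER_PROTOCOL")

# Constructed sample environments (not captured from a real server).
BROWSER_ENV = {
    "GATEWAY_INTERFACE": "CGI/1.1",
    "REQUEST_METHOD": "GET",
    "REMOTE_ADDR": "192.0.2.10",
    "SERVER_PROTOCOL": "HTTP/1.1",
    "HTTP_USER_AGENT": "Mozilla/5.0 (example)",
}
# The same request with the User-Agent header suppressed, as described in the thread.
HEADERLESS_ENV = {k: v for k, v in BROWSER_ENV.items() if k != "HTTP_USER_AGENT"}
# A cron job or shell invocation: no CGI variables at all.
SHELL_ENV = {"HOME": "/home/ledger", "PATH": "/usr/bin:/bin"}


def is_cgi_by_user_agent(env):
    """The check questioned in the thread: true only if the client sent a User-Agent."""
    return bool(env.get("HTTP_USER_AGENT"))


def is_cgi_request(env):
    """Decide from variables the web server sets itself, not from request headers,
    so a client withholding a header cannot flip the result."""
    if not all(env.get(name) for name in REQUIRED_CGI_VARS):
        return False
    return env["GATEWAY_INTERFACE"].startswith("CGI/")


# Assumed shape of a terminal name: a short bare token. Real terminal names in
# SQL-Ledger/LedgerSMB are not listed in the thread, so this rule is a placeholder.
TERMINAL_NAME = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def resolve_terminal(terminal, base_dir):
    """Map a user-supplied terminal name to a path under base_dir, or raise ValueError.

    Validate after URL decoding (the CGI layer has already decoded the query
    string). Two independent layers:
      1. the value must be a bare token, so '/', '.' and '..' never get through;
      2. the resolved path must still lie inside base_dir, a backstop in case
         layer 1 is ever loosened.
    """
    if not TERMINAL_NAME.match(terminal):
        raise ValueError("terminal must be a simple token")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, terminal))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("terminal escapes base directory")
    return candidate


def is_terminal_safe(terminal, base_dir):
    """Boolean convenience wrapper around resolve_terminal()."""
    try:
        resolve_terminal(terminal, base_dir)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    for label, env in (("browser", BROWSER_ENV), ("no User-Agent", HEADERLESS_ENV), ("shell", SHELL_ENV)):
        print(f"{label:14} user-agent check={is_cgi_by_user_agent(env)!s:5} cgi check={is_cgi_request(env)}")
    base = "/srv/example-ledger/terminals"  # constructed path
    for value in ("console", "../../../../etc/passwd", "con/sole"):
        print(f"terminal={value!r:28} safe={is_terminal_safe(value, base)}")
```

Running the block shows the false negative from the thread (a request without a User-Agent fails the HTTP_USER_AGENT test but passes the RFC 3875 test) and that the traversal-shaped terminal value is rejected at the token check before any filesystem path is built. The path-containment check is deliberately kept as a second, independent layer rather than the only one.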