Re: Potential security issue with LedgerSMB (inherited from SL)
- Subject: Re: Potential security issue with LedgerSMB (inherited from SL)
- From: Jason Rodrigues <..hidden..>
- Date: Mon, 11 Sep 2006 11:55:53 -0400
On Monday 11 September 2006 10:50, Christopher Murtagh wrote:
> Greetings folks,
> In many places through the code, Dieter used 'if
> ($ENV{HTTP_USER_AGENT})' to determine if the user is accessing the
> site via a web browser or command line. This, of course, is a bad
> assumption to make, because the user can easily not provide a user
> agent, and this will be false. The real question is, is this being
> used in a dangerous way? I'm betting that it just might be.
In Form.pm, it's interesting that if($ENV{HTTP_USER_AGENT}) is not set, it
goes down a code path that checks and executes $form->{error_function} (and
info_function). Also note, error_function doesn't appear to be set anywhere
else in the code. And to top things off, the CGI query parser copies in all
query params into $form->{} as a first step.
I wonder if you could set error_function to something dangerous through CGI
params ....
> We might want to warn Dieter about this, although from the experience
> of the last security notice (both behind the scenes first and after
> the public disclosure), I'm not sure if he'll take it seriously. So,
> unfortunately, this might just be a waste of our time. Tony, your
> rapport with Dieter seems to be better, maybe you might want to let
> him know after we've determined if this is serious or not.
I think a nice courteous email wouldn't hurt, after all he has done most of
the work on the LedgerSMB codebase up till now. Just don't be smug about it.
Jason
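The pattern Jason describes above, as a constructed Perl illustration added here (it is not the LedgerSMB or SQL-Ledger source, and nothing in it is taken from Form.pm). The package name Form, the query parser, the `no strict 'refs'` symbolic call, the `_error_cb` field, the `main::some_privileged_sub` target and the GATEWAY_INTERFACE check are all assumptions made for the example; the thread only states that the non-browser branch executes $form->{error_function} and that every query parameter is copied into $form->{}.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed example for the pattern discussed in the thread. Not LedgerSMB
# code; the parser, dispatch and field names below are assumptions.

package Form;

# Mimics a CGI parser that copies every query parameter straight into the
# object hash with no allow-list, so a parameter named error_function lands
# in $self->{error_function} like any other field.
sub new {
    my ($class, $query) = @_;
    my $self = bless {}, $class;
    for my $pair (split /&/, $query // '') {
        my ($k, $v) = split /=/, $pair, 2;
        next unless defined $k && length $k;
        $v = '' unless defined $v;
        $v =~ tr/+/ /;
        $v =~ s/%([0-9A-Fa-f]{2})/chr hex $1/ge;
        $self->{$k} = $v;   # assumption: no allow-list of accepted keys
    }
    return $self;
}

# Unsafe shape: a client that omits User-Agent is treated as a command-line
# caller, and whatever string sits in error_function is called as a sub name.
# The symbolic call only compiles with 'no strict refs' (assumed here).
sub error_unsafe {
    my ($self, $msg) = @_;
    if ($ENV{HTTP_USER_AGENT}) {
        return "html:$msg";                 # browser branch
    }
    if ($self->{error_function}) {
        no strict 'refs';
        return &{ $self->{error_function} }($msg);   # attacker picks the sub
    }
    return "cli:$msg";
}

# Hardened shape (assumed fix, not the project's): the callback lives in a
# field the query parser never writes, is accepted only as a real CODE ref,
# and the browser/CLI decision comes from the server-set CGI environment,
# not from a header the client controls.
sub set_error_callback {
    my ($self, $cb) = @_;
    die "callback must be a CODE ref\n" unless ref $cb eq 'CODE';
    $self->{_error_cb} = $cb;
    return $self;
}

sub error_safe {
    my ($self, $msg) = @_;
    my $is_cgi = defined $ENV{GATEWAY_INTERFACE} || defined $ENV{REQUEST_METHOD};
    return "html:$msg" if $is_cgi;
    return $self->{_error_cb}->($msg) if $self->{_error_cb};
    return "cli:$msg";
}

package main;

# Stand-in for any sub reachable by name in the process (constructed).
sub some_privileged_sub { return "ran some_privileged_sub with: $_[0]" }

# Constructed request: no User-Agent header, error_function supplied by client.
delete $ENV{HTTP_USER_AGENT};
my $form = Form->new('login=alice&error_function=main::some_privileged_sub');
print $form->error_unsafe('bad login'), "\n";   # the query parameter chose the sub

# Same request against the hardened shape: the parameter is inert.
delete @ENV{qw(GATEWAY_INTERFACE REQUEST_METHOD)};
my $safe = Form->new('login=alice&error_function=main::some_privileged_sub');
print $safe->error_safe('bad login'), "\n";     # plain CLI error, nothing called
$safe->set_error_callback(sub { "logged: $_[0]" });
print $safe->error_safe('bad login'), "\n";     # only the registered CODE ref runs
```

Run it with `perl form_example.pl` and compare the three lines of output; then set `HTTP_USER_AGENT=anything` in the environment and note that error_unsafe flips to the browser branch on nothing more than a client-supplied header. The two changes that matter are keeping the callback out of the hash the parser writes into and refusing anything that is not a CODE ref, so a string arriving from the query can never be dispatched.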