[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Potential security issue with LedgerSMB (inherited from SL)

On Monday 11 September 2006 10:50, Christopher Murtagh wrote:
> Greetings folks,

>   In many places through the code, Dieter used 'if
> ($ENV{HTTP_USER_AGENT})' to determine if the user is accessing the
> site via a web browser or command line. This, of course is a bad
> assumption to make, because the user can easily not provide a user
> agent, and this will be false. The real question is, is this being
> used in a dangerous way? I'm betting that it just might be.

In Form.pm, it's interesting that if($ENV{HTTP_USER_AGENT}) is not set, it 
goes down a code path that checks and executes $form->{error_function} (and 
info_function).  Also note, error_function doensn't appear to be set anywhere 
else in the code.  And to top things off, the CGI query parser copies in all  
query params into $form->{} as a first step.

I wonder if you could set error_function to something dangerous through CGI 
params ....

> We might want to warn Dieter about this, although from the experience
> of the last security notice (both behind the scenes first and after
> the public disclosure), I'm not sure if he'll take it seriously. So,
> unfortunately, this might just be a waste of our time. Tony, your
> rapport with Dieter seems to be better, maybe you might want to let
> him know after we've determined if this is serious or not.

I think a nice courteous email wouldn't hurt, after all he has done most of 
the work on the LedgerSMB codebase up till now.  Just don't be smug about it.