
Re: Potential security issue with LedgerSMB (inherited from SL)



On 9/11/06, Richard Patterson <..hidden..> wrote:
Under normal circumstances, HTTP_USER_AGENT would be set... I doubt if
it's a security risk, you would just get an "Unknown terminal"

Yeah, it's not critical at the moment. However, it can lead developers
to make false assumptions which could be dangerous later.

There are a few $ENV vars which are guaranteed to be there under CGI
"DOCUMENT_ROOT", "REQUEST_METHOD", "REMOTE_ADDR", etc...

I think we should check one of these instead, and maybe fail
immediately if it isn't present, since the terminal functionality
seems to be broken.

There is however a *serious* security problem with the way that admin.pl
and login.pl handle the "terminal" variable in the url (try
http://localhost/sql-ledger/login.pl&terminal=../../../../path/to/another/folder)
Very easy to fix, but it's been there for a while.

Ouch, this is really bad. Directory traversal bug. I'll fix this one
today. Thanks!

Cheers,

Chris
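One way to close the hole discussed above, as an added Perl example that is not LedgerSMB's or SQL-Ledger's own code: the terminal name from the request is matched against an allow-list before it is ever used to build a path, and the script checks REQUEST_METHOD (which a CGI gateway always sets) instead of HTTP_USER_AGENT. The terminal directory, the terminal names and the "<terminal>.pl" file naming are assumptions for the demonstration.

```perl
#!/usr/bin/perl
# Added example, not LedgerSMB/SQL-Ledger code: validate the "terminal"
# CGI parameter with an allow-list before it touches a filesystem path,
# and detect whether the script is actually running under a CGI gateway.
use strict;
use warnings;

# Assumption: terminal-specific code lives in files named <terminal>.pl
# under this directory (hypothetical layout, not the project's real one).
my $TERMINAL_DIR = '/usr/local/sql-ledger/terminals';

# Allow-list of terminal types this installation knows about (constructed).
my %KNOWN_TERMINAL = map { $_ => 1 } qw(console lynx mozilla);

# REQUEST_METHOD is always set by a CGI gateway (RFC 3875), unlike
# HTTP_USER_AGENT, which depends on what the client chose to send.
sub running_under_cgi {
    return defined $ENV{REQUEST_METHOD} && $ENV{REQUEST_METHOD} ne '';
}

# Return the terminal file to load, or undef if the request value is not
# an allow-listed name. The regex is a second line of defence: even if the
# allow-list were edited carelessly, '/', '.' and whitespace never pass,
# so "../../.." can never become part of the path.
sub terminal_file {
    my ($terminal) = @_;
    return undef unless defined $terminal;
    return undef unless $terminal =~ /^([a-z0-9]+)\z/;
    my $name = $1;                      # untainted copy (works under -T)
    return undef unless $KNOWN_TERMINAL{$name};
    return "$TERMINAL_DIR/$name.pl";
}

# Demonstration over constructed inputs, including the traversal string
# reported in the thread. A real CGI script would read the value with
# CGI->new->param('terminal') instead of this hard-coded list.
for my $input ('lynx', '../../../../path/to/another/folder', 'lynx.pl', undef) {
    my $file = terminal_file($input);
    printf "%-40s -> %s\n", defined $input ? $input : '(missing)',
        defined $file ? $file : 'rejected (Unknown terminal)';
}

# In login.pl the first line of real work would be:
#   die "Not a CGI request\n" unless running_under_cgi();
# Here it is only reported so the demonstration also runs from a shell.
print "REQUEST_METHOD present: ", (running_under_cgi() ? 'yes' : 'no'), "\n";
```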