
Re: Potential security issue with LedgerSMB (inherited from SL)



Ok.  We need to fix the directory traversal bug.  This is a really bad thing.

However, I think that the response to the rest of it should be simply to document that the addition of new paths under bin is deprecated and will be removed in the future so people don't make use of this.

Best Wishes,
Chris Travers

On 9/11/06, Christopher Murtagh <..hidden.. > wrote:
On 9/11/06, Richard Patterson < ..hidden..> wrote:
> Under normal circumstances, HTTP_USER_AGENT would be set... I doubt if
> it's a security risk, you would just get an "Unknown terminal"

Yeah, it's not critical at the moment. However, it can lead developers
to make false assumptions which could be dangerous later.

> There are a few $ENV vars which are guaranteed to be there under CGI
> "DOCUMENT_ROOT", "REQUEST_METHOD", "REMOTE_ADDR", etc...

I think we should check one of these instead, and maybe fail
immediately if it isn't present, since the terminal functionality
seems to be broken.

> There is however a *serious* security problem with the way that admin.pl
> and login.pl handle the "terminal" variable in the url (try
> http://localhost/sql-ledger/login.pl&terminal=../../../../path/to/another/folder )
> Very easy to fix, but it's been there for a while.

Ouch, this is really bad. Directory traversal bug. I'll fix this one
today. Thanks!

Cheers,

Chris
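The fix discussed above, as an added illustration that is not LedgerSMB's or SQL-Ledger's own code: the "terminal" parameter is accepted only if it is a plain identifier naming a terminal the application actually ships, and the script path is assembled from that allowlisted name rather than from the raw query value; the CGI check follows Richard's suggestion of testing a variable that is guaranteed under CGI. The install directory and the terminal names are assumptions.

```perl
#!/usr/bin/perl
# Added example, not LedgerSMB/SQL-Ledger code: fail-closed handling of the
# "terminal" parameter. Directory and terminal names are hypothetical.
use strict;
use warnings;
use File::Spec;

my $BIN_DIR = '/usr/local/ledger-smb/bin';              # hypothetical install dir
my %KNOWN_TERMINAL = map { $_ => 1 } qw(mozilla lynx);   # hypothetical allowlist

# Rather than relying on HTTP_USER_AGENT, refuse to run at all when a
# variable the CGI spec guarantees is missing.
sub running_under_cgi {
    return defined $ENV{REQUEST_METHOD} && defined $ENV{REMOTE_ADDR};
}

# Returns the login script path for a valid terminal, or undef to reject.
sub terminal_script {
    my ($terminal) = @_;
    # Layer 1: the value must be a short plain identifier: no '/', '.', NUL, etc.
    return undef unless defined $terminal && $terminal =~ /\A[a-z0-9_]{1,32}\z/;
    # Layer 2: and it must be a terminal the application actually ships.
    return undef unless $KNOWN_TERMINAL{$terminal};
    # The path is built from the allowlisted name, never from raw input, so
    # "../.." can never reach the filesystem call.
    return File::Spec->catfile($BIN_DIR, $terminal, 'login.pl');
}

# Constructed inputs: one normal value plus the kinds of values the
# report warns about (unset, empty, and traversal attempts).
my @inputs = ('mozilla', undef, '', 'lynx',
              '../../../../path/to/another/folder', 'mozilla/../../x');
for my $t (@inputs) {
    my $label = defined $t ? "'$t'" : 'undef';
    my $r = terminal_script($t);
    printf "%-40s => %s\n", $label, defined $r ? $r : 'REJECTED';
}
printf "CGI environment present: %s\n", running_under_cgi() ? 'yes' : 'no';
```

Run from a shell the last line prints "no"; under a web server with REQUEST_METHOD and REMOTE_ADDR set it prints "yes".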
