
Statement on Shell Shock

Hi all;

A significant vulnerability has been discovered in GNU Bash, which may affect many servers whether or not they run LedgerSMB.  If your system runs GNU Bash (for example, on Linux, *BSD, or Cygwin), you should upgrade Bash as quickly as possible.

Having reviewed the vulnerability report and run some tests, I find it clear that LedgerSMB in the tested environments is not directly vulnerable except in cases where a user is already logged into the administrative interface.  Because of the way CGI works, however, I cannot say anything specific about other environments.

The following environments were reviewed and/or tested and confirmed non-vulnerable by members of the core committee:

1.  Installations over fastcgi using our standard plack wrappers.
2.  Installations over starman using our standard plack wrappers.
3.  CGI installations on Apache 2.4.
4.  Nginx and spawn-fcgi.

The vulnerability concerns how Bash processes environment variables: when Bash starts, it imports exported function definitions from its environment, and affected versions also execute any commands that follow the function body.  It is therefore reachable wherever a program spawns a shell with attacker-influenced data in that shell's environment, which is exactly what CGI does when it copies request headers into the script's environment.  Whether the shell involved is Bash depends on the operating system, but we do use system() to run some commands in the administrative console, and Perl's single-string system() runs the command through /bin/sh.  A strongly mitigating factor of course is that this only happens after an administrator is properly authenticated.  In other words, this can only happen once someone has authenticated to the point where he or she is authorized to, among other things, grant access to your accounting database.

For this reason I would not treat this issue as having a significant impact specifically on LedgerSMB installations, provided it is deployed on one of the environments above.  However, as many other portions of your system may be more vulnerable, it is certainly worth correcting right away.

Additionally we cannot confirm that other environments are not vulnerable.

If you would like to confirm whether your own installation can be exploited, you can download source code at http://shellshock.iecra.org/ which can be run with Python against the login.pl in your LedgerSMB directory.
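As an added illustration of the mechanism described above and of what such a check does at the shell level (example code written for this page, not LedgerSMB code and not the iecra.org tester), the following script shows the CGI rule that turns a request header into an environment variable, a detector for the value shape that unpatched Bash parsed as an exported function definition, and the classic local probe of the installed bash.  The header lines at the bottom are constructed for the example, not a real capture, and the host name in them is made up.

```sh
#!/bin/sh
# Added example for this post; not LedgerSMB code and not the iecra.org tester.
# Three small pieces a practitioner wants when triaging Shellshock:
#   1. the CGI rule that turns a request header into an environment variable,
#   2. a detector for the value shape affected Bash versions parsed as an
#      exported function definition ("() {" at the start of the value),
#   3. a local probe of the installed bash.
# The header lines used at the bottom are constructed, not a real capture.

# RFC 3875: a request header "Foo-Bar" reaches a CGI script as HTTP_FOO_BAR.
cgi_env_name() {
    printf 'HTTP_%s' "$(printf '%s' "$1" | tr 'a-z' 'A-Z' | tr '-' '_')"
}

# Return 0 if the value begins with the exact prefix "() {", which is what
# unpatched Bash looked for when deciding to import a function definition.
is_shellshock_payload() {
    case "$1" in
        '() {'*) return 0 ;;
        *)       return 1 ;;
    esac
}

# Read "Name: value" header lines on stdin; print the CGI variable name of
# each header whose value has the function-definition shape.
# Returns 0 if at least one such header was seen, 1 otherwise.
scan_headers() {
    found=1
    while IFS= read -r line; do
        name=${line%%:*}
        value=${line#*:}
        value=${value# }            # drop the single space after the colon
        if is_shellshock_payload "$value"; then
            printf '%s carries a function-definition payload\n' "$(cgi_env_name "$name")"
            found=0
        fi
    done
    return "$found"
}

# Classic local probe: export a function definition with a trailing command
# and start bash.  Unpatched bash runs "echo VULNERABLE" while importing the
# environment; patched bash ignores the definition.
# Returns 0 = vulnerable, 1 = not vulnerable, 2 = bash not found.
shellshock_probe() {
    bash_bin=${1:-bash}
    command -v "$bash_bin" >/dev/null 2>&1 || return 2
    out=$(env x='() { :;}; echo VULNERABLE' "$bash_bin" -c 'true' 2>/dev/null)
    case "$out" in
        *VULNERABLE*) return 0 ;;
        *)            return 1 ;;
    esac
}

# Walk-through on constructed headers (the second one is the attack shape).
printf 'Host: ledger.example.test\nUser-Agent: () { :;}; /bin/true\n' | scan_headers
if shellshock_probe; then
    echo "installed bash executes trailing commands: patch it now"
else
    echo "installed bash does not execute trailing commands (or bash is absent)"
fi
```

Two caveats.  The detector only catches the classic payload shape, so it is a triage aid, not a substitute for upgrading Bash.  The probe tests the bash found on PATH, which is not necessarily the shell that Perl's system() spawns: /bin/sh is dash on Debian-derived systems and bash on many others, so check the shell your application actually uses.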

Best Wishes,
Chris Travers

Efficito:  Hosted Accounting and ERP.  Robust and Flexible.  No vendor lock-in.