
Re: Recommendations for upgrading for SQL-Ledger users



On 4/24/07, David Tangye <..hidden..> wrote:
On Tue, 2007-04-24 at 19:12 -0700, Chris Travers wrote:
> > If I convert my 2.6.x SL to 1.1.12 LS and I don't feel I have
> > compelling reasons to go to 1.2 at this time, would I be converting down
> > the road to a more stable 1.2 and then to 1.3?
>
> Yes.  The database schema is not expected to change in any significant
> way before 1.3
I was just about to suggest that, from what I had seen here, the
best migration path that is manageable by LSMB in terms of scripting
logic sounded like "always go to LSMB 1.1.12".

No, that is not correct.  In SL and LSMB 1.1.x, it is *trivial* for
people to post fraudulent transactions.  Not only can someone embezzle
money, but that person can pin it on someone else.  If this is a
concern, neither SQL-Ledger nor LSMB 1.1.x is an option.

And SQL-Ledger security is even worse.  A malicious user with a valid
login can do all kinds of horrible things (log in as someone else,
execute arbitrary code on the web server, change/delete other people's
passwords, etc).

In my view, you have to balance the need for an easy installation
against the need for any security of any audit trail.  LSMB 1.1.x and
SQL-Ledger (any version) do not offer that assurance.

Nor does SQL-Ledger offer any assurance of the security of the web
server.  For more details, please do a search on my bugtraq posts.
Many of these contain full disclosure including steps necessary to
exploit these problems.

So, if you need the security of your audit trail (a very common and
basic requirement for systems with more than one user), these versions
are not good enough.

If you only have 1 user of the system then these options are good
enough, if you have more, then you need to think long and hard before
deciding *not* to go to 1.2.0.

Let me repeat this loud and clear in case you haven't been paying
attention:  There are known and public problems with LedgerSMB 1.1.12
from a security perspective.  Although the vulnerabilities subject to
full disclosure are not in 1.1.12, the vulnerabilities are
sufficiently trivial to find and exploit that you are effectively on
your own security-wise.  Though these are less than with any version
of SQL-Ledger, if you want to use that version, please don't come
crying to me if someone wants to pin the embezzlement on someone else.

In short, if ease of installation is more important than the security
of your finances, go with 1.1.12.  If security is more important go
with 1.2.x.  But that choice is yours and I cannot make it for you.

Best Wishes,
Chris Travers