lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <469D6513.9030500@metatrontech.com>
Date: Tue, 17 Jul 2007 17:55:47 -0700
From: Chris Travers <chris@...atrontech.com>
To: bugtraq@...urityfocus.com
Subject: Clarifications on LedgerSMB vulnerability with Bugtraq ID:24940

Hi all;

The LedgerSMB team is still working on a security advisory which details 
the exact nature of the security vulnerability, how to test for it, 
etc.  We are giving it a couple days to ensure that it is correct and 
well edited, and that administrators have a chance to upgrade before the 
exploit becomes common knowledge.

This email is designed simply to clarify which versions are affected and 
what the scope of the issue.  I expect with in a day or two, the full 
security advisory will be released.

This particular issue only affects versions 1.2.0 through 1.2.6.  Prior 
versions, and other programs sharing the SQL-Ledger parentage are not 
affected (though there are other security issues with LedgerSMB 1.0.x - 
1.1.x.

By passing a specially crafted URL to the program, it is possible to get 
it to circumvent the normal authentication checks and instead perform 
any other arbitrary action within its own programming.  It allows in 
particular:
1)  Non-authenticated users to gain access to templates, etc. and use 
this as a vector for further attacks and
2)  Allow legitimate users to masquerade as eachother, and thus make any 
evidence of wrongdoing (such as embezzlement) appear to be tied to any 
other legitimate user. 

This is the most important security vulnerability since 1.1.5 and all 
users are advised to upgrade immediately.

Best Wishes,
Chris Travers

View attachment "chris.vcf" of type "text/x-vcard" (172 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ