lists.openwall.net
Open Source and information security mailing list archives

Message-ID: <5ed37b141001261056h518a045bs461b4f3d82de7103@mail.gmail.com>
Date: Tue, 26 Jan 2010 10:56:14 -0800
From: Chris Travers <chris@...atrontech.com>
To: bugtraq@...urityfocus.com
Subject: More information on CVE-2009-3580

One thing not noted in the security advisory or the full disclosure
email is that there are mitigating features which can be used in
vulnerable programs (SQL-Ledger, unpatched LedgerSMB) to mitigate,
though not eliminate, the risk of XSRF.

Current versions of SQL-Ledger and LedgerSMB have a session timeout
option which can be set either by the administrator or by the user.
The session timeout value provides a window during which XSRF attacks
can happen.  In environments where this is a risk (for example, not
including closed networks of POS terminals), this session timeout can
be set low enough to make the attacks impractical.

Since XSRF remains a possibility in less critical areas of the
software in LedgerSMB 1.2, it is advised that administrators take
advantage of this measure as well.

I would generally recommend that SQL-Ledger users set the timeout low,
perhaps to a value between 30 and 120.  The value refers to the
timeout in seconds, so this would require a new password after any
short break.

Properly configured, XSRF doesn't have to be a major problem with
either of these packages. However, properly configuring it poses some
significant burdens on employees, so the proper value should be
determined by each customer.  The current default value (3600), which
sets the timeout to one hour, is way too high, though.  This issue
will be documented as an issue in future versions of LedgerSMB.

Best Wishes,
Chris Travers
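The idle-timeout mitigation described in the message above, as an added example that is not part of the original post and is not SQL-Ledger or LedgerSMB code. It models a server-side session store with a sliding idle timeout and simulates a cross-site POST that the victim's browser sends with its cookie some seconds after the victim's last legitimate request. The session store, the user name, the clock values and the delays are all constructed for illustration; the two timeout constants are the 3600-second default and a 60-second value inside the 30 to 120 second range the message recommends. The point it shows is the one the message makes: a short timeout shrinks the window in which a forged request is accepted, but a forged request that arrives inside the window still succeeds, so the timeout mitigates rather than eliminates XSRF.

```python
"""Added example: how an idle-session timeout bounds, but does not close,
the window for a cross-site request forgery.  Not LedgerSMB/SQL-Ledger
code; the session model and numbers are constructed for illustration."""
import secrets
from dataclasses import dataclass

DEFAULT_TIMEOUT = 3600      # the one-hour default the message calls too high
RECOMMENDED_TIMEOUT = 60    # inside the 30-120 s range the message suggests


@dataclass
class Session:
    sid: str
    user: str
    last_activity: float    # seconds on a clock supplied by the caller


class SessionStore:
    """Minimal server-side session store with a sliding idle timeout."""

    def __init__(self, timeout_seconds):
        self.timeout = timeout_seconds
        self._sessions = {}

    def login(self, user, now):
        sid = secrets.token_hex(16)          # unguessable session id
        self._sessions[sid] = Session(sid, user, now)
        return sid

    def authorize(self, sid, now):
        """Return the user if the cookie names a live session, else None.

        The idle check is made on every request and an expired session is
        deleted server-side, so a forged request arriving after the window
        fails even though the victim's browser still sends the cookie.
        """
        s = self._sessions.get(sid)
        if s is None:
            return None
        if now - s.last_activity > self.timeout:
            del self._sessions[sid]          # expire, do not merely refuse
            return None
        s.last_activity = now                # activity extends the window
        return s.user


def forgery_outcomes(timeout_seconds, delays):
    """For a session with the given idle timeout, return {delay: accepted}.

    `accepted` is True when a forged request that the victim's browser
    sends `delay` seconds after the victim's last legitimate request would
    be processed as the victim.
    """
    results = {}
    for delay in delays:
        store = SessionStore(timeout_seconds)
        t0 = 1000.0                          # arbitrary clock origin (constructed)
        sid = store.login("alice", t0)       # constructed victim
        store.authorize(sid, t0 + 1)         # victim's last real request
        forged_at = t0 + 1 + delay           # cross-site POST carrying the cookie
        results[delay] = store.authorize(sid, forged_at) is not None
    return results


if __name__ == "__main__":
    delays = [30, 120, 600, 3000]
    for name, timeout in (("default", DEFAULT_TIMEOUT),
                          ("recommended", RECOMMENDED_TIMEOUT)):
        print(f"timeout={timeout:>5}s ({name}):",
              forgery_outcomes(timeout, delays))
```

With the 3600-second default every delay listed is accepted; with 60 seconds only the 30-second forgery gets through, which is exactly why the message says the timeout reduces the risk without removing it. Note that the check must be enforced by the server on each request: a timeout implemented only as a cookie expiry in the browser does nothing against a forged request the browser is still willing to send.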
