ACLs ineffective in SQL-Ledger and LedgerSMB

Hi all;

I have decided to finally send to this list a serious security flaw in the design of SQL-Ledger (all versions). LedgerSMB (all versions) is also affected but the problem (with a workaround) has been mentioned in our documentation since the fork. Ordinarily I would not make a big deal out of this (since we are already clear about why we suggest using db accounts for security), but I feel that DWS is misrepresenting the security of SQL-Ledger and I think people need to be aware of the risk.

The access control lists associated with users in SQL-Ledger and LedgerSMB do nothing more than enable or disable menu items. They do not, however, actually prevent access to the application in any meaningful way. The reason is that none of the application's functions actually check the access control lists before executing. For this reason, anyone can access any other part of the application simply by typing the required URL in the address bar (to get a valid URL, try right-clicking on the data-entry frame and selecting "Show only this frame" in Firefox).

Again, my big issue isn't that this is broken in SQL-Ledger but that the author seems content to let people not know that it is broken and that there are ways to properly secure it. The access control feature is advertised at http://sql-ledger.com/cgi-bin/nav.pl?page=feature/multiuser.html&title=Multi-user

As for a workaround, we have always suggested that this feature is inadequate for security purposes and that roles need to be isolated into separate database accounts (which the application does support). However, this process is cumbersome. The LedgerSMB project intends to automate this process properly in 1.3.0 (perhaps six months away).

Best Wishes,
Chris Travers
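The design flaw described above, reduced to a small model: a menu that is filtered by an ACL next to a request dispatcher that never consults that ACL, and beside it a dispatcher that checks the ACL centrally before any handler runs. This is an added illustration written for this post, not code from SQL-Ledger or LedgerSMB; the module names, handlers and ACL contents are constructed, and the per-role database-account workaround the post recommends (enforcement inside the database) is not modelled here.

```python
# Constructed ACL: the modules each user is allowed to use (hypothetical data).
ACL = {
    "clerk": {"ar"},
    "admin": {"ar", "gl", "admin"},
}


# Constructed handlers standing in for the per-module actions a CGI dispatcher
# would select from URL parameters. They are placeholders, not real functions.
def post_invoice(user):
    return f"{user}: invoice posted"


def post_gl_transaction(user):
    return f"{user}: GL transaction posted"


def add_user(user):
    return f"{user}: new login created"


HANDLERS = {
    ("ar", "post_invoice"): post_invoice,
    ("gl", "post_transaction"): post_gl_transaction,
    ("admin", "add_user"): add_user,
}


def authorized(user, module):
    """Single authorization decision: is this module in the user's ACL?"""
    return module in ACL.get(user, set())


def render_menu(user):
    """Menu builder: shows only permitted modules. This filters the *menu* only."""
    return sorted({m for (m, _action) in HANDLERS if authorized(user, m)})


def dispatch_menu_only(user, module, action):
    """Flawed pattern: the handler runs regardless of the ACL, so hiding a menu
    item does not stop a request that names the module/action directly."""
    return HANDLERS[(module, action)](user)


def dispatch_enforced(user, module, action):
    """Corrected pattern: every request passes the same ACL check in one central
    place before its handler runs; the menu filtering becomes a convenience."""
    if not authorized(user, module):
        raise PermissionError(f"{user} may not use module {module!r}")
    handler = HANDLERS.get((module, action))
    if handler is None:
        raise KeyError(f"unknown action {module}/{action}")
    return handler(user)
```

With these constructed values `render_menu("clerk")` returns `['ar']`, yet `dispatch_menu_only("clerk", "admin", "add_user")` still executes the handler, while `dispatch_enforced` refuses it with `PermissionError`.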
