From: Christopher M. <chr...@gm...> - 2006-09-07 20:34:11
On 9/7/06, Tony Fraser <to...@sy...> wrote:
> > Like I said, this is not a browser or a cookie problem, it is a
> > design flaw in the application, proof being that our patch solves the
> > cookie problem completely.
>                          ^^^^^^^^^
>
> This is simply not true... The patch simply moves the security
> responsibility of existing sessions to rely on the strength of the
> random number generator built into Postgres making it more difficult to
> hijack a valid session. Saving the session parameters into the
> database does make it impossible to forge sessions though.

Which is the problem I was referring to as being solved, and actually, it doesn't make it 'impossible', but very unlikely, especially if the communications are via encrypted channels (this is where SSL would come in Shawn). The easiest vector of attack without SSL is probably to sniff packets from the client machine to the server, but then again, if you can do that the session wouldn't be the primary target, you could simply get the password. SSL drastically lowers this risk, with the next attack being either key-capture or a trojan of some sort.

> These two
> things make this patch stronger than how SQL Ledger works now but it
> doesn't "completely solve the problem". Oh, and the patch removes the
> ability to log into SQL Ledger as more than one user from the same
> browser.

True, and this will be an inconvenience for the users who need to do this for sure. However, we felt it was more important to secure the vast majority of users who use a web based application under a single role at a time. The sane way to fix this isn't through allowing multiple logins via the same browser however. The proper way would be to have a decent role mechanism along with a more robust authentication scheme. Moving SL to this would be a huge amount of work though, so I wouldn't expect to see that anytime soon.

> There are other ways to solve the problem.

That's the Perl motto 'TIMTOWTDI', and I agree 100%. Our fix was a temporary one to stop the severe bleeding before we take the patient to surgery since Dieter was doing nothing and had known about it for months.

> Also let me say that I have been in contact with Dieter off list and he
> is working diligently on a more secure authentication system. I think
> both of us agree that it won't be to simply adopt this patch though.

Good for him. You are a far more optimistic person than I if you feel that Dieter is capable of delivering a secure solution. Good luck with SL, if you ever decide to use LedgerSMB, we will be happy to have you and to incorporate your feedback.

Cheers,
Chris
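The design point argued in this exchange, that keeping session state server-side stops forged sessions while the token's unguessability still rests entirely on the random number generator, is illustrated by the following added example. It is not code from SQL-Ledger, LedgerSMB or the patch under discussion; an in-memory dict stands in for the Postgres table, `secrets.token_hex` stands in for the database's random number generator, and the `clock` parameter, `SessionStore` class and `demo` function are constructed here for illustration.

```python
"""Added illustration of a server-side session store with CSPRNG tokens.
Not SQL-Ledger/LedgerSMB code; the dict stands in for a database table."""
import hashlib
import secrets
import time

TOKEN_BYTES = 32      # 256 bits of randomness per token: guessing is infeasible
SESSION_TTL = 3600    # seconds of inactivity after which a session is dropped


def _fingerprint(token: str) -> str:
    # Only a hash of the token is stored, so a copy of the table cannot be
    # replayed as live cookies; the browser is the only holder of the token.
    return hashlib.sha256(token.encode()).hexdigest()


class SessionStore:
    def __init__(self, ttl: int = SESSION_TTL, clock=time.time):
        self._rows = {}        # fingerprint -> {"login": ..., "last_seen": ...}
        self.ttl = ttl
        self.clock = clock     # injectable for deterministic testing

    def create(self, login: str) -> str:
        """Issue a fresh token bound to `login`; the token goes into the cookie."""
        token = secrets.token_hex(TOKEN_BYTES)
        self._rows[_fingerprint(token)] = {"login": login, "last_seen": self.clock()}
        return token

    def validate(self, token: str):
        """Return the login bound to a presented token, or None if it was never
        issued (forged or guessed) or has gone idle longer than the TTL."""
        key = _fingerprint(token)
        row = self._rows.get(key)
        if row is None:
            return None
        now = self.clock()
        if now - row["last_seen"] > self.ttl:
            del self._rows[key]
            return None
        row["last_seen"] = now
        return row["login"]

    def destroy(self, token: str) -> None:
        """Logout: drop the row so the cookie value is dead even if captured later."""
        self._rows.pop(_fingerprint(token), None)


def demo() -> dict:
    """Walk through the three cases the thread talks about with a fake clock."""
    clock = [1000.0]
    store = SessionStore(ttl=60, clock=lambda: clock[0])
    issued = store.create("alice")
    results = {"valid": store.validate(issued)}
    # A constructed token the server never issued: rejected because no row exists.
    results["forged"] = store.validate("deadbeef" * 8)
    # Idle past the TTL: the row is discarded and the cookie no longer resolves.
    clock[0] += 61
    results["expired"] = store.validate(issued)
    return results


if __name__ == "__main__":
    print(demo())
```

The store only ever answers "known token" or "unknown token", so an attacker without the cookie has to guess a 256-bit value. If the generator feeding `create` were short or predictable, `validate` would accept a guessed value just as readily, which is why the patch's protection against hijacking rests on the generator and not on the table lookup. Sniffing a valid cookie off an unencrypted connection bypasses this entirely, which is the SSL point made above.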