From: Josh B. <jo...@ag...> - 2006-09-07 20:31:32
Tony,

> Also let me say that I have been in contact with Dieter off list and he
> is working diligently on a more secure authentication system. I think
> both of us agree that it won't be to simply adopt this patch though.

Agreed, but the patch is available immediately and does improve things considerably by not making it trivial to forge an identity cookie.

I'll actually be contributing further (on LedgerSMB, but you can pull down the code if you want) to this since I know that the PG random number generator isn't strong enough. Generally, I do a combination of things:

1) Pick a random number and bitshift/modulo/log it by the User's ID and/or the Unix timestamp, which improves the randomness, as the session key;

2) Track the timestamp of last activity and last IP for each user, expiring the user if the timestamp ages over a preset value or the IP address changes subnets (or changes at all, if roaming_users is not permitted);

3) Require all four pieces of information (user_id, session key, timestamp and IP address) to be validated via secured stored procedure against the database (against tables the webuser has no access rights for) to load each page.

Short of requiring public key encryption or other sophisticated security on the client, the above is about as much as you can do to lock up a PHP application.

--
--Josh
Josh Berkus
PostgreSQL @ Sun
San Francisco