From: Trevor H. <tre...@th...> - 2006-09-07 22:06:39
Christopher Murtagh wrote:

> On 9/7/06, Trevor Hennion <tre...@th...> wrote:
>> So using SSL WILL protect MOST of the users of SQL-Ledger -
>
> No, it will not. If the user can forge the credentials trivially (in
> the case of the current SQL-Ledger), adding encryption will not buy you
> ANYTHING. Adding SSL will only be a benefit once some sort of proper
> authentication mechanism is in place.
>
>> Undoubtedly the problem should be fixed - but it does NOT affect all
>> SQL-Ledger users, so I think some proper reporting of the vulnerability
>> is required - currently it sounds like scaremongering - or does it just
>> happen to coincide with this fork?
>
> That is total BS. There are people who are using internet facing
> installations of SL, this can be demonstrated by a google search for
> 'SQL-Ledger version'. They have a right to know that their application
> is severely flawed. Numerous attempts to get Dieter to fix this
> problem have been ignored, only by going public with this did he start
> to make noises about fixing it. While we were talking to him off list
> about it, he kept on insisting that it wasn't a security problem. If
> this is so, why is he fixing it now that it is public? It's either a
> problem or it's not.
>
> Cheers,
>
> Chris

How do they get past the username and login required by the Secure server? If people use the same username and password for ALL access then they deserve to be shafted, but using a separate username and password for the secure server login to that required by SQL-Ledger WILL protect them!

Seems like I've touched a raw nerve!

Good night

Trevor Hennion
http://www.infocentrality.co.uk