From: David T. <ta...@ex...> - 2006-09-07 22:20:34
Well from watching this on the sidelines, and based on a couple of emails to Chris and others ...

On Thu, 2006-09-07 at 17:41 -0400, Christopher Murtagh wrote:
> On 9/7/06, Trevor Hennion <tre...@th...> wrote:
> > So using SSL WILL protect MOST of the users of SQL-Ledger -
>
> No, it will not. If the user can forge the credentials trivially (in
> ....

Many thanks to Chris T and Chris M for raising this issue, especially for going to such lengths to fully explain to us exactly what the problem is and how it happens and how and why their fix works, oh and actually providing a fix. I feel a lot more confident knowing other people with clear insight into this aspect of web applications are making the effort to contribute something positive. (Plus now I have a much better idea about exactly what cookies are and how they can work, or not.)

> > is required - currently it sounds like scare mongering - or does it just
> > happen to coincide with this fork?
>
> That is total BS.

From what I have seen, I have to agree. It is apparent to me that the fork was caused partly as a result of there not looking like any fix being provided by Dieter, not the other way around. To suggest scare mongering is inappropriately offensive.

More importantly though: It also appears that the fork was caused by a perception that requests for fixes/patches/enhancements were going nowhere, and even sensible discussion on an issue was simply not happening. This is certainly not the first time I have seen this happen here, and I guess one day, inevitably it will lead to a successful open source accounting system project springing up somewhere. Whether LedgerSMB will be that project is to be seen. In the meantime, today, I still find nothing (yet) to match sql-ledger... and believe me, due to the way this project is run, I for one, and I am sure many others, do keep looking.