From: Josh B. <jo...@ag...> - 2006-09-07 22:21:32
Trevor,

> How do they get past the username and login required by the Secure
> server? If people use the same username and password for ALL access then
> they deserve to be shafted but using a separate username and password
> for the secure server login to that required by SQL-Ledger WILL protect
> them!

Let me see if I can explain it clearly.

The current identity cookie used by SQL-Ledger is very simple and easy to reverse engineer (guess) if you just know someone's user name. Thus, if you have any access to the web server at all ... you don't need even a valid login ... you can forge the cookie and assume that user's identity if they've been logged in recently. That's called "session hijacking". It can be used either for an outside attacker to get into SQL-Ledger, or (more likely) for an internal user to escalate their permissions.

Chris's patch makes the cookie harder to guess/forge, making session hijacking by cookie forging much more difficult. It does *not* protect against the other likely source of session hijacking, which is browser compromises which let a remote attacker read the cookies on your machine.

Combined with SSL, Chris's patch should make session hijacking difficult enough that attackers will look for other means of access.

Does that help any?

--
--Josh

Josh Berkus
PostgreSQL @ Sun
San Francisco
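The property Josh describes, a cookie that cannot be reconstructed from a user name alone, is illustrated below with an added example that is not SQL-Ledger's code nor Chris's patch; the cookie layout, the in-memory session store and the server key are assumptions made for the demonstration.

```python
import hashlib
import hmac
import secrets
import time

# Hypothetical server-side state (not SQL-Ledger's): a per-deployment secret
# key and a session table. Neither is derivable from a user name.
SERVER_KEY = secrets.token_bytes(32)
SESSIONS = {}  # session_id -> (username, expiry)


def issue_cookie(username: str, ttl: int = 3600, now=None) -> str:
    """Issue a session cookie that carries no guessable identity material.

    The session id comes from a CSPRNG, and an HMAC over id and expiry lets
    the server reject cookies that were forged or edited client-side.
    """
    now = int(time.time()) if now is None else now
    session_id = secrets.token_hex(16)  # 128 bits of randomness
    expiry = now + ttl
    SESSIONS[session_id] = (username, expiry)
    payload = f"{session_id}:{expiry}"
    tag = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}:{tag}"


def verify_cookie(cookie: str, now=None):
    """Return the user name for a valid, unexpired cookie, otherwise None."""
    now = int(time.time()) if now is None else now
    try:
        session_id, expiry_str, tag = cookie.split(":")
        expiry = int(expiry_str)
    except ValueError:
        return None  # malformed cookie
    payload = f"{session_id}:{expiry}"
    expected = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    entry = SESSIONS.get(session_id)
    if entry is None or entry[1] != expiry or now >= expiry:
        return None  # unknown session, tampered expiry, or expired
    return entry[0]
```

As Josh notes, this only addresses forging; a cookie read off a compromised browser still works until it expires, so short lifetimes and SSL remain necessary.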