From: Dieter S. <dsi...@sq...> - 2006-09-07 23:40:47
On Thu, 7 Sep 2006, Christopher Murtagh wrote:

> On 9/7/06, Trevor Hennion <tre...@th...> wrote:
> > So using SSL WILL protect MOST of the users of SQL-Ledger -
>
> No, it will not. If the user can forge the credentials trivially (in
> the case of the current SQL-Ledger), adding encryption will not buy you
> ANYTHING. Adding SSL will only be a benefit once some sort of proper
> authentication mechanism is in place.
>
> > Undoubtedly the problem should be fixed - but it does NOT affect all
> > SQL-Ledger users, so I think some proper reporting of the vulnerability
> > is required - currently it sounds like scare mongering - or does it just
> > happen to coincide with this fork?
>
> That is total BS. There are people who are using internet facing
> installations of SL, this can be demonstrated by a google search for
> 'SQL-Ledger version'. They have a right to know that their application
> is severely flawed. Numerous attempts to get Dieter to fix this
> problem have been ignored, only by going public with this did he start
> to make noises about fixing it. While we were talking to him off list
> about it, he kept on insisting that it wasn't a security problem. If
> this is so, why is he fixing it now that it is public? It's either a
> problem or it's not.

This is simply a lie. I looked at this and started on a bug fix the minute it came to my attention. I told you to submit a patch so we could expedite this, but only after numerous attempts telling you to submit a patch did you finally do so; actually it wasn't you, you left it up to Travers to do the work for you.

--
Dieter Simader      http://www.sql-ledger.com      (780) 472-8161
DWS Systems Inc.    Accounting Software            Fax: 478-5281
============ On a clear disk you can seek forever ==========