Re: [SL] SQL-Ledger vulnerability CVE-2006-4244

SourceForge Headquarters 1320 Columbia Street Suite 310 San Diego, CA 92101 +1 (858) 422-6466

On Fri, 2006-09-08 at 09:31 +1000, GeorgeOsvald wrote:

> What I say is that 
> there is a lot more to security then just the application itself. Anyone who 
> just slaps anything on a web server without any additional precautions is 
> naive. Dieter does behave strangely sometimes I admit but he can not be held 
> responsible for every one who just blindely installs SL and then hopes for 
> the best. 
I think I probably disagree here. I SHOULD be able to just slap SL onto
my machine and be safe. You see my machine is behind a firewall, but if
I open the web ports, the webserver is till safe due to it being
installed as recommended, excepting for the SL part, ie all my account
data! Why? Because the SL security is not as per how LedgerSMB does it,
or equivalent.

> I understand that there is a problem, my point is though that if 
> your server is safe there is no way anyone from outside (not an employee) can 
> do anything if your setup is half sane.
Hmm. Sorry, this is too simplistic to be of any help to me. Hopefully,
if you read what I write above it should be apparent why. In a nutshell
the contention is that the server is safe except for the SL part,
because its setup is not half sane.