From: Gavin C. <ga...@op...> - 2006-09-08 00:19:06
On Thu, Sep 07, 2006 at 11:06:30PM +0100, Trevor Hennion wrote:
> Christopher Murtagh wrote:
> > On 9/7/06, Trevor Hennion <tre...@th...> wrote:
> >> So using SSL WILL protect MOST of the users of SQL-Ledger -
> >
> > No, it will not. If the user can forge the credentials trivially (in
> > the case of the current SQL-Ledger), adding encryption will not buy you
> > ANYTHING. Adding SSL will only be a benefit once some sort of proper
> > authentication mechanism is in place.
> >
> >> Undoubtedly the problem should be fixed - but it does NOT affect all
> >> SQL-Ledger users, so I think some proper reporting of the vulnerability
> >> is required - currently it sounds like scare mongering - or does it just
> >> happen to coincide with this fork?
> >
> > That is total BS. There are people who are using internet facing
> > installations of SL, this can be demonstrated by a google search for
> > 'SQL-Ledger version'. They have a right to know that their application
> > is severely flawed. Numerous attempts to get Dieter to fix this
> > problem have been ignored, only by going public with this did he start
> > to make noises about fixing it. While we were talking to him off list
> > about it, he kept on insisting that it wasn't a security problem. If
> > this is so, why is he fixing it now that it is public? It's either a
> > problem or it's not.
>
> How do they get past the username and login required by the Secure server?
> If people use the same username and password for ALL access then they
> deserve to be shafted but using a separate username and password for the
> secure server login to that required by SQL-Ledger WILL protect them!
>
> Seems like I've touched a raw nerve!

You have touched a raw nerve because you are spreading FUD rather than
contributing to people understanding the problem. Adding SSL to the mix
does nothing to protect you against an authentication problem like this.
SSL secures the transport, not the authentication mechanism. They're
different things.

If you are saying that you have added an additional *authentication*
layer on top of the standard SL one, then you have two-layer
authentication and you probably *are* cushioned from the impact of this
SL vulnerability. But the SL vulnerability stands, and it is your
additional authentication layer that is protecting you. Most SL
installations (particularly those of less technical users) won't have
this extra layer, and the vulnerability should be reported and treated
seriously.

Cheers,
Gavin

--
Gavin Carr
Open Fusion - Open Source Business Solutions [ Linux - Perl - Apache ]
http://www.openfusion.com.au
- Fashion is a variable, but style is a constant - Programming Perl
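The distinction Gavin draws (transport encryption versus the authentication decision) and Trevor's separate web-server login, as an added example that is not part of the original thread and is not SQL-Ledger's code. The thread does not describe how SQL-Ledger's credentials could be forged, so this models a generic client-asserted login cookie beside an HMAC-signed, server-issued token, with an optional outer web-server password gate in front of the application. The request shape, the `transport` field, the key, the user table and all function names are constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Dict, Optional, Tuple

# Constructed server-side secret; a real deployment generates and stores its own.
SERVER_KEY = b"constructed-example-key-not-for-real-use"


def legacy_session_check(credential) -> Optional[str]:
    """Models a forgeable credential: the client asserts its own identity.

    Whatever the client puts in the 'login' field is accepted as the user.
    Encrypting the connection changes nothing here: the field arrives
    intact over TLS and is trusted just as blindly.
    """
    if not isinstance(credential, dict):
        return None
    return credential.get("login") or None


def issue_signed_token(username: str) -> str:
    """Server-issued credential: identity plus an HMAC the client cannot compute."""
    nonce = secrets.token_hex(8)
    msg = f"{username}|{nonce}"
    mac = hmac.new(SERVER_KEY, msg.encode(), hashlib.sha256).hexdigest()
    return f"{msg}|{mac}"


def signed_session_check(credential) -> Optional[str]:
    """Accepts only tokens whose MAC verifies under SERVER_KEY.

    A client can read its own token but cannot mint one for another user
    or change the username without invalidating the MAC. (A production
    implementation also adds expiry and server-side revocation.)
    """
    if not isinstance(credential, str):
        return None
    parts = credential.split("|")
    if len(parts) != 3:
        return None
    username, nonce, mac = parts
    expected = hmac.new(SERVER_KEY, f"{username}|{nonce}".encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    return username


def _pw_hash(password: str) -> str:
    # Illustrative only; use a real password hash (bcrypt/argon2) in practice.
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed table for the separate web-server login (the "extra layer").
GATE_USERS: Dict[str, str] = {"alice": _pw_hash("alice-gate-password")}


def web_server_gate(basic: Tuple[str, str], allowed: Dict[str, str]) -> bool:
    """Separate username/password checked by the web server before the app runs."""
    user, password = basic
    stored = allowed.get(user)
    return stored is not None and hmac.compare_digest(stored, _pw_hash(password))


def handle(request: dict,
           app_check: Callable[[object], Optional[str]],
           gate_users: Optional[Dict[str, str]] = None) -> str:
    """Authentication outcome for a modelled request.

    request["transport"] ("plain" or "tls") is carried but never consulted:
    TLS protects bytes in flight and contributes nothing to deciding who the
    caller is. That decision rests on app_check and, when configured, on the
    outer web-server gate.
    """
    if gate_users is not None:
        if not web_server_gate(request.get("basic", ("", "")), gate_users):
            return "denied: web-server login"
    user = app_check(request.get("credential"))
    return f"user:{user}" if user else "denied: application login"


if __name__ == "__main__":
    forged = {"transport": "tls", "credential": {"login": "admin"}}
    print(handle(forged, legacy_session_check))   # user:admin (TLS on, identity still forged)
    print(handle(forged, signed_session_check))   # denied: application login
    token = issue_signed_token("alice")
    print(handle({"transport": "plain", "credential": token}, signed_session_check))  # user:alice
```

Running it shows the three outcomes the thread argues over: the client-asserted credential is accepted whatever the transport, the signed token rejects a changed username, and the outer gate stops requests that carry no web-server password while leaving the inner application check exactly as weak as before.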