From: Hugh E. <he...@re...> - 2006-09-17 15:21:38

Hello all:

Since the second week of September 2006, our web site has reported:

> SQL-Ledger Temporarily Disabled
>
> On Friday, September 8th, we temporarily disabled access to SQL-Ledger on
> the report of a security vulnerability. Multiple developers are now
> working on patches. And we are evaluating our options. The open source
> community made possible by the GPL license has risen to the challenge.
> We're hopeful we can restore services soon and urge you to read on about
> what this powerful tool can offer your campaign.

But I'm eager to restore services, eager to hear of a patched release and reluctant, given everything else I have on my plate right now, to study a diff between my installed version and the fork at this time.

Trevor Hennion's strategy (which would require of me only the addition of the "AuthType Basic" piece) is so far looking like my best step forward. I'm concerned by something I read once, though, which suggested that this form of authentication happens before the encrypted connection is made and outside of that tunnel, making it vulnerable to sniffing. Can anyone say definitively whether that is the case?

-- Hugh Esco

On Sun, September 17, 2006 3:04 am, Trevor Hennion said:
> For clarification.
>
> A .htaccess file in /usr/local/sql-ledger containing something like:
> AuthType Basic
> AuthName "Accounts"
> AuthUserFile /var/www/passwd/passwords
> Require valid-user
>
> Add a line in the sql-ledger-httpd.conf file under:
> <Directory /usr/local/sql-ledger>
> SSLRequireSSL
>
> Create the usernames and passwords using Apache's htpasswd utility
> - stored in /var/www/passwd/passwords referred to in the .htaccess file
> above.
>
> Choose sensible usernames and passwords - preferably different to
> those used for SQL-Ledger login.
>
> Create a Digital certificate, and make sure httpd/apache uses it.
>
> Block port 80, open port 443
>
> This assumes you are using a recent version of Apache/httpd
>
> Or for a lot of users make httpd authenticate access against an LDAP or
> AD server.
>
> You will have two usernames and passwords to enter to use SQL-Ledger,
> but your server will be much more secure.
>
> Regards
> Trevor Hennion
> http://www.infocentrality.co.uk
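
Added example, not part of the original messages or of SQL-Ledger: HTTP Basic credentials travel as a request header that is only base64-encoded, so their confidentiality depends entirely on the request being made over SSL. The Python sketch below audits the directives quoted above for that dependency; the function names, finding strings and sample credential are constructed for illustration.

```python
import base64

def directives(text):
    """Map lower-cased directive name -> list of argument strings."""
    found = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if not parts or parts[0][0] in "#<":  # skip blanks, comments, <Section> tags
            continue
        args = parts[1].strip() if len(parts) > 1 else ""
        found.setdefault(parts[0].lower(), []).append(args)
    return found

def audit(protected_dir, htaccess, directory_block):
    """Return findings for a directory protected with AuthType Basic."""
    d = directives(directory_block + "\n" + htaccess)
    findings = []
    if not any(a.lower() == "basic" for a in d.get("authtype", [])):
        return findings
    if "sslrequiressl" not in d:
        findings.append("Basic auth without SSLRequireSSL")
    if "require" not in d:
        findings.append("no Require directive")
    if "authuserfile" not in d:
        findings.append("no AuthUserFile")
    for path in d.get("authuserfile", []):
        if path.strip('"').startswith(protected_dir.rstrip("/") + "/"):
            findings.append("password file inside protected directory")
    return findings

def basic_credentials(header_value):
    """Recover (user, password) from an 'Authorization: Basic ...' value."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password

# Constructed sample input mirroring the directives quoted in the message.
HTACCESS = """AuthType Basic
AuthName "Accounts"
AuthUserFile /var/www/passwd/passwords
Require valid-user
"""
WITH_SSL = "<Directory /usr/local/sql-ledger>\nSSLRequireSSL\n</Directory>\n"
WITHOUT_SSL = "<Directory /usr/local/sql-ledger>\n</Directory>\n"

if __name__ == "__main__":
    print(audit("/usr/local/sql-ledger", HTACCESS, WITH_SSL))
    print(audit("/usr/local/sql-ledger", HTACCESS, WITHOUT_SSL))
```

`basic_credentials` shows why the `SSLRequireSSL` finding matters: anyone who can read the header recovers the password without a key.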