Date: Thu, 05 Apr 2007 23:48:25 -0700
From: Chris Travers <chris@metatrontech.com.>
To: [email protected]Subject: ACLS ineffective in SQL-Ledger and LedgerSMB
Content-Type: multipart/mixed;
boundary="------------070905040006070408000600"
X-Brightmail-Tracker: AAAAAA==
X-Virus-Scanned: antivirus-gw at tyumen.ru
This is a multi-part message in MIME format.
--------------070905040006070408000600
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Hi all;
I have decided to finally send to this list a serious security flaw in
the design of SQL-Ledger (all versions). LedgerSMB (all versions) is
also affected but the problem (with a workaround) has been mentioned in
our documentation since the fork. Ordinarily I would not make a big
deal out of this (since we are already clear about why we suggest using
db accounts for security), but I feel that DWS is misrepresenting the
security of SQL-Ledger and I think people need to be aware of the risk.
The access control lists associated with users in SQL-Ledger and
LedgerSMB do nothing more than enable or disable menu items. They do
not, however, actually prevent access to the application in any
meaningful way. The reason is that none of the application's functions
actually check the access control lists before executing. For this
reason, anyone can access any other part of the application simply by
typing the required URL in the address bar (to get a valid url, try
right-clicking on the data-entry frame and select "Show only this frame"
in Firefox).
Again, my big issue isn't that this is broken in SQL-Ledger but that the
author seems content to let people not know that it is broken and that
there are ways to properly secure it. The access control feature is
advertised at
http://sql-ledger.com/cgi-bin/nav.pl?page=feature/multiuser.html&title=Multi-user
As for a workaround, we have always suggested that this feature is
inadequate for security purposes and that roles need to be isolated into
separate database accounts (which the application does support).
However, this process is cumbersome. The LedgerSMB project intends to
automate this process properly in 1.3.0 (perhaps six months away).
Best Wishes,
Chris Travers
--------------070905040006070408000600
Content-Type: text/x-vcard; charset=utf-8;
name="chris.vcf"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
filename="chris.vcf"
begin:vcard
fn:Chris Travers
n:Travers;Chris
email;internet:[email protected]
tel;work:509-888-0220
tel;cell:509-630-7794
x-mozilla-html:FALSE
version:2.1
end:vcard
--------------070905040006070408000600--
