what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

SQL-Ledger Cross Site Request Forgery / Local File Inclusion / SQL Injection

SQL-Ledger Cross Site Request Forgery / Local File Inclusion / SQL Injection
Posted Jan 26, 2010
Authored by Chris Travers

SQL-Ledger has been patched to address cross site request forgery, local file inclusion, no secure flag on cookie, default administrator password and remote SQL injection vulnerabilities.

tags | advisory, remote, local, vulnerability, sql injection, file inclusion, csrf
advisories | CVE-2009-3580, CVE-2009-3582, CVE-2009-3583, CVE-2009-4402, CVE-2009-3584
SHA-256 | 285bfdfd6459c517b7d7fdad4e66f894515d9a97b2c09fb44c8c4036cdd19c20

SQL-Ledger Cross Site Request Forgery / Local File Inclusion / SQL Injection

Change Mirror Download
Hi all;

It has been brought to our attention that a number of security
vulnerabilities have been noted in SQL-Ledger. Several of these
affect earlier versions of LedgerSMB, and three hotfixes have been
released for problems that continue to affect the LedgerSMB codebase.

As always, we highly recommend testing all hotfixes before applying
them to a production environment.

The CVE's mentioned here are the ones attached to SQL-Ledger. Subtle
differences as to how these affect LedgerSMB are noted below.

These vulnerabilities include:
* No Cross-Site-Request-Forgery (XSRF) protection (CVE-2009-3580)
* SQL Injection (similar to CVE-2009-3582)
* Local File Include (CVE-2009-3583)
* Default Administrator Password Weakness (CVE-2009-4402)
* No secure flag on cookie when (CVE-2009-3584)

All five of have been patched, either in stable versions or in
hotfixes. Please read below for more information.

* No Cross-Site-Request-Forgery (XSRF) protection (CVE-2009-3580)

In this vulnerability, an individual, either through HTML injection in
the application, or through a script from a third party web site,
cause an http request to be made that would set a user's password to
an arbitrary value.

This affects all production versions of LedgerSMB. A hotfix has been
released but has not been put through full regression testing at this
time. Furthermore this hotfix breaks our traditional string freeze
because it requires adding a new input to the preferences screen and
so may cause minor issues with localization. Individuals with such
problems are encouraged to contact the users list.

To apply the fix, either email chris@metatrontech.com to have it
emailed to you or download the latest of the following files from svn
(branches/1.2):

bin/am.pl
LedgerSMB/AM.pm

A fix has been applied to the 1.3 codebase as well. Users of 1.3
prerelease versions should update to the most recent SVN revisions.

Note that CSRF/XSFR issues remain a possibility even with this, but
some controls and protections are available in the software, if
properly configured. In particular, if you set the session timeout to
a sane value, the window for exploiting existing sessions is far
narrower. The main effect of this fix is to prevent this sort of
attack from changing a user's password and thus gaining entry to the
system.

There are minor differences between how LedgerSMB and SQL-Ledger
mitigate this risk in production versions. In particular, we limit a
user to a single login session, and an attempt to change that login
session times out the session. This makes the issue more difficult to
exploit on LedgerSMB systems generally.

* SQL Injection (CVE-2009-3582)

This affects all production versions, and does not affect 1.3
prerelease versions at all. The contact management module depends on
table information submitted by the user and this is not properly
sanitized. A user could perform arbitrary database commands including
deleting or inserting data into arbitrary tables.

A hotfix has been released but has not been fully regression tested.
To obtain the hotfix please email chris@metatrontech.com or download
the latest version of the following file from svn (branches/1.2):
LedgerSMB/CT.pm

In SQL-Ledger (and in LedgerSMB prior to 1.2.0), this injection can be
used to delete an arbitrary set of rows from any table containing an
id field. In LedgerSMB 1.2.x, the vulnerability is more limited.
While arbitrary tables can be selected, one is limited to deleting one
row at a time by the id field. Also in 1.2.0, only the delete
function is believed to be exploitable while the update function might
be as well in past versions.

* Local File Include (CVE-2009-3583)

This affects versions of LedgerSMB prior to 1.2.0. If you are using a
version prior to 1.2.0, please upgrade.

* Default Administrator Password Weakness (CVE-2009-4402)

This affects versions of LedgerSMB prior to 1.2.0. If you are using a
version prior to 1.2.0, there are many critical fixes you are missing
out on. If you absolutely cannot upgrade, Please make sure the
administrator password has been properly set.

* Secure flag not set on cookie (CVE-2009-3584).

This affects all versions of LedgerSMB. The effect is that a session
cookie, which could be used to grant access to the system, could be
hijacked. The risk on LedgerSMB is less than on SQL-Ledger because we
require serial requests in 1.2, and the cookie is not sufficient to
gain access to anything in 1.3. In essence, on an unpatched system,
an individual would have to guess the request number and and send it
along. While the range here is limited, it does take some extra work
and adds some complexity to the attack.

In a patched system, the secure flag is set only when using HTTPS to
access LedgerSMB. However, an incorrect guess as to the request
number deletes the user session and requests a password from the user.

To obtain the hotfix either email me at the address mentioned above or
download the most recent file from svn (branches/1.2):
LedgerSMB/Session/DB.pm.

Sincerely,
Chris Travers
The LedgerSMB Team
Login or Register to add favorites

File Archive:

August 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Aug 1st
    20 Files
  • 2
    Aug 2nd
    4 Files
  • 3
    Aug 3rd
    6 Files
  • 4
    Aug 4th
    55 Files
  • 5
    Aug 5th
    16 Files
  • 6
    Aug 6th
    0 Files
  • 7
    Aug 7th
    0 Files
  • 8
    Aug 8th
    13 Files
  • 9
    Aug 9th
    13 Files
  • 10
    Aug 10th
    34 Files
  • 11
    Aug 11th
    16 Files
  • 12
    Aug 12th
    5 Files
  • 13
    Aug 13th
    0 Files
  • 14
    Aug 14th
    0 Files
  • 15
    Aug 15th
    25 Files
  • 16
    Aug 16th
    3 Files
  • 17
    Aug 17th
    6 Files
  • 18
    Aug 18th
    4 Files
  • 19
    Aug 19th
    12 Files
  • 20
    Aug 20th
    0 Files
  • 21
    Aug 21st
    0 Files
  • 22
    Aug 22nd
    0 Files
  • 23
    Aug 23rd
    0 Files
  • 24
    Aug 24th
    0 Files
  • 25
    Aug 25th
    0 Files
  • 26
    Aug 26th
    0 Files
  • 27
    Aug 27th
    0 Files
  • 28
    Aug 28th
    0 Files
  • 29
    Aug 29th
    0 Files
  • 30
    Aug 30th
    0 Files
  • 31
    Aug 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close