
SQL-Ledger Cross Site Request Forgery / Local File Inclusion / SQL Injection

Posted Jan 26, 2010
Authored by Chris Travers

SQL-Ledger has been patched to address cross site request forgery, local file inclusion, no secure flag on cookie, default administrator password and remote SQL injection vulnerabilities.

tags | advisory, remote, local, vulnerability, sql injection, file inclusion, csrf
advisories | CVE-2009-3580, CVE-2009-3582, CVE-2009-3583, CVE-2009-4402, CVE-2009-3584
SHA-256 | 285bfdfd6459c517b7d7fdad4e66f894515d9a97b2c09fb44c8c4036cdd19c20


Hi all;

It has been brought to our attention that a number of security
vulnerabilities have been noted in SQL-Ledger. Several of these
affect earlier versions of LedgerSMB, and three hotfixes have been
released for problems that continue to affect the LedgerSMB codebase.

As always, we highly recommend testing all hotfixes before applying
them to a production environment.

The CVEs mentioned here are the ones attached to SQL-Ledger. Subtle
differences as to how these affect LedgerSMB are noted below.

These vulnerabilities include:
* No Cross-Site-Request-Forgery (XSRF) protection (CVE-2009-3580)
* SQL Injection (similar to CVE-2009-3582)
* Local File Include (CVE-2009-3583)
* Default Administrator Password Weakness (CVE-2009-4402)
* No secure flag on cookie (CVE-2009-3584)

All five have been patched, either in stable versions or in
hotfixes. Please read below for more information.

* No Cross-Site-Request-Forgery (XSRF) protection (CVE-2009-3580)

In this vulnerability, an individual, either through HTML injection in
the application or through a script from a third-party web site,
causes an HTTP request to be made that would set a user's password to
an arbitrary value.

This affects all production versions of LedgerSMB. A hotfix has been
released but has not been put through full regression testing at this
time. Furthermore this hotfix breaks our traditional string freeze
because it requires adding a new input to the preferences screen and
so may cause minor issues with localization. Individuals with such
problems are encouraged to contact the users list.

To apply the fix, either email chris@metatrontech.com to have it
emailed to you or download the latest of the following files from svn
(branches/1.2):

bin/am.pl
LedgerSMB/AM.pm

A fix has been applied to the 1.3 codebase as well. Users of 1.3
prerelease versions should update to the most recent SVN revisions.

Note that CSRF/XSRF issues remain a possibility even with this, but
some controls and protections are available in the software, if
properly configured. In particular, if you set the session timeout to
a sane value, the window for exploiting existing sessions is far
narrower. The main effect of this fix is to prevent this sort of
attack from changing a user's password and thus gaining entry to the
system.

There are minor differences between how LedgerSMB and SQL-Ledger
mitigate this risk in production versions. In particular, we limit a
user to a single login session, and an attempt to change that login
session times out the session. This makes the issue more difficult to
exploit on LedgerSMB systems generally.
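The password-change fix above works by adding a value to the preferences form that a third-party page cannot supply. The following is an added illustration (not LedgerSMB's or SQL-Ledger's code) of that pattern using a per-session anti-CSRF token; the page does not name the exact input the hotfix added, so the token, the in-memory `SESSIONS`/`USERS` stores and the `login`/`save_preferences` helpers are all assumptions.

```python
import hmac
import secrets

# Constructed in-memory stores standing in for the real session table and user table.
SESSIONS = {}                      # session id -> {"user": ..., "csrf_token": ...}
USERS = {"alice": "old-password"}  # user -> password (plaintext only for the demo)


def login(user: str) -> str:
    """Hypothetical helper: start a session and mint a per-session CSRF token."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "csrf_token": secrets.token_hex(32)}
    return sid


def render_preferences_form(sid: str) -> str:
    """Embed the session's token as a hidden input.

    A page on another origin can make the browser submit this form's action,
    but it cannot read this HTML, so it cannot learn the token value.
    """
    token = SESSIONS[sid]["csrf_token"]
    return (
        '<form method="post" action="am.pl">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        '<input type="password" name="new_password">'
        '</form>'
    )


def save_preferences(sid: str, form: dict) -> bool:
    """Change the password only when the submitted token matches the session's.

    Returns True on success, False when the request is rejected.
    """
    session = SESSIONS.get(sid)
    if session is None:
        return False
    submitted = form.get("csrf_token", "")
    # Constant-time comparison; a missing or wrong token means a forged request.
    if not hmac.compare_digest(submitted, session["csrf_token"]):
        return False
    USERS[session["user"]] = form["new_password"]
    return True
```

A short session timeout, as the advisory recommends, still matters: the token only protects requests the attacker cannot read, not an already-leaked session.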

* SQL Injection (CVE-2009-3582)

This affects all production versions, and does not affect 1.3
prerelease versions at all. The contact management module depends on
table information submitted by the user and this is not properly
sanitized. A user could perform arbitrary database commands including
deleting or inserting data into arbitrary tables.

A hotfix has been released but has not been fully regression tested.
To obtain the hotfix please email chris@metatrontech.com or download
the latest version of the following file from svn (branches/1.2):
LedgerSMB/CT.pm

In SQL-Ledger (and in LedgerSMB prior to 1.2.0), this injection can be
used to delete an arbitrary set of rows from any table containing an
id field. In LedgerSMB 1.2.x, the vulnerability is more limited.
While arbitrary tables can be selected, one is limited to deleting one
row at a time by the id field. Also in 1.2.0, only the delete
function is believed to be exploitable while the update function might
be as well in past versions.
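The contact-management issue above is a user-supplied table name reaching the SQL text unchecked, with the row id alongside it. Since a table name cannot be bound as a query parameter, the defence is an allowlist of permitted table names plus a bound integer id. This added example (not the project's `CT.pm` code) shows that shape against an in-memory SQLite database; the `DELETABLE_TABLES` set and the sample tables are constructed for the demo.

```python
import sqlite3

# Constructed allowlist: the only tables the contact code may delete from. The
# real list would be the tables the module legitimately manages.
DELETABLE_TABLES = frozenset({"customer", "vendor", "contact"})


def delete_by_id(conn: sqlite3.Connection, table: str, row_id: int) -> int:
    """Delete at most one row, by id, from an allowlisted table.

    The table name is compared against a fixed set before it is spliced into
    the statement, and the id is a bound parameter, so neither value can change
    the query's structure. Returns the number of rows deleted (0 or 1).
    """
    if table not in DELETABLE_TABLES:
        raise ValueError(f"table not permitted: {table!r}")
    if not isinstance(row_id, int) or isinstance(row_id, bool):
        raise ValueError("id must be an integer")
    cur = conn.execute(f'DELETE FROM "{table}" WHERE id = ?', (row_id,))
    conn.commit()
    return cur.rowcount


def make_demo_db() -> sqlite3.Connection:
    """Constructed sample database: four tables with two rows each, including
    one table ("ar") that the contact code must never touch."""
    conn = sqlite3.connect(":memory:")
    for name in ("customer", "vendor", "contact", "ar"):
        conn.execute(f'CREATE TABLE "{name}" (id INTEGER PRIMARY KEY, name TEXT)')
        conn.executemany(f'INSERT INTO "{name}" (id, name) VALUES (?, ?)',
                         [(1, f"{name} one"), (2, f"{name} two")])
    conn.commit()
    return conn


def count_rows(conn: sqlite3.Connection, table: str) -> int:
    """Demo helper; only ever called with the fixed names from make_demo_db()."""
    return conn.execute(f'SELECT COUNT(*) FROM "{table}"').fetchone()[0]
```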

* Local File Include (CVE-2009-3583)

This affects versions of LedgerSMB prior to 1.2.0. If you are using a
version prior to 1.2.0, please upgrade.

* Default Administrator Password Weakness (CVE-2009-4402)

This affects versions of LedgerSMB prior to 1.2.0. If you are using a
version prior to 1.2.0, there are many critical fixes you are missing
out on. If you absolutely cannot upgrade, please make sure the
administrator password has been properly set.

* Secure flag not set on cookie (CVE-2009-3584)

This affects all versions of LedgerSMB. The effect is that a session
cookie, which could be used to grant access to the system, could be
hijacked. The risk on LedgerSMB is less than on SQL-Ledger because we
require serial requests in 1.2, and the cookie is not sufficient to
gain access to anything in 1.3. In essence, on an unpatched system,
an individual would have to guess the request number and send it
along. While the range here is limited, it does take some extra work
and adds some complexity to the attack.

In a patched system, the secure flag is set only when using HTTPS to
access LedgerSMB. However, an incorrect guess as to the request
number deletes the user session and requests a password from the user.
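The two controls described above (a Secure flag emitted only over HTTPS, and a per-session serial request number whose mismatch discards the session) can be shown together. This is an added example, not the code in `LedgerSMB/Session/DB.pm`; the `SessionStore` class, the cookie name `LedgerSMB` and the counter starting at 1 are assumptions.

```python
import secrets


class SessionStore:
    """Constructed server-side session table: id -> user and next expected serial."""

    def __init__(self):
        self._sessions = {}

    def create(self, user: str, is_https: bool):
        """Start a session; return (session id, Set-Cookie header value).

        Secure is added only on HTTPS: a Secure cookie is never sent back over
        plain HTTP, so setting it unconditionally would lock HTTP users out.
        HttpOnly keeps page scripts, injected ones included, from reading the id.
        """
        sid = secrets.token_hex(16)
        self._sessions[sid] = {"user": user, "next_req": 1}
        attrs = ["LedgerSMB=" + sid, "Path=/", "HttpOnly"]
        if is_https:
            attrs.append("Secure")
        return sid, "; ".join(attrs)

    def validate(self, sid: str, request_no: int):
        """Accept a request only if it carries the session's current serial.

        A match advances the counter. A mismatch (a stolen cookie paired with a
        guessed number) deletes the session, so the real user is asked to log in
        again. Returns the user name, or None when re-authentication is required.
        """
        session = self._sessions.get(sid)
        if session is None:
            return None
        if request_no != session["next_req"]:
            del self._sessions[sid]
            return None
        session["next_req"] += 1
        return session["user"]
```

The serial number only raises the cost of a hijack; it does not replace transport protection, which is why the Secure flag still matters on HTTPS deployments.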

To obtain the hotfix either email me at the address mentioned above or
download the most recent file from svn (branches/1.2):
LedgerSMB/Session/DB.pm.

Sincerely,
Chris Travers
The LedgerSMB Team