User: Password:
Subscribe / Log in / New account


SQL-Ledger and LedgerSMB: a study in security reporting

March 21, 2007

This article was contributed by Jake Edge.

Accounting information is the kind of data that most organizations would want to keep private; it is also information that attackers might be most interested in. Because of that, security vulnerabilities in accounting packages require high visibility and prominent announcements so that users can take the appropriate steps to safeguard their data. Two related accounting systems, SQL-Ledger and LedgerSMB provide an interesting contrast in approaches to security reporting.

SQL-Ledger is a GPL-licensed accounting system first released in 1999; it has a large feature set and a sizable number of happy and loyal users. It is a web-based program, written in Perl that uses an SQL database to store the information. The original intent seems to be a system that lived behind a firewall and was not exposed to the Internet; most of the vulnerabilities reported recently have a much reduced impact behind the firewall. In fact, buried at the end of the FAQ, SQL-Ledger recommends using the web server authentication mechanisms (presumably HTTP Basic Auth for Apache) on top of those provided by SQL-Ledger.

SQL-Ledger is tightly controlled by its creator, Dieter Simader, and he has not encouraged a developer community to spring up around the system. This has caused some users to become frustrated with the pace of development; it doesn't help that the suggested way to get features added more quickly is to pay Simader's company to develop them. In addition, the documentation, user forums and wiki are only available to those who pay for them. There is nothing inherently wrong with doing things this way, but it is quite different than the way most GPL projects operate.

The project continued in this manner for quite some time until a reported session hijacking issue was not handled quickly by Simader. Another user mentioned that the issue had been known for a lot longer as they had reported it nearly a year earlier and, though there had been several releases in the interim, no fix had been made. This incident led directly to the September 2006 fork of the SQL-Ledger code as the LedgerSMB (SMB for 'small-medium business') project.

The LedgerSMB developers have created a project that operates the way open source developers expect, with open documentation, a public source code repository and a willingness to accept patches from anyone interested. They have also been doing an informal security audit of the shared codebase and coordinating security releases with SQL-Ledger. They have released a number of detailed vulnerability reports on the Bugtraq mailing list that cover security updates for both projects.

Visiting each project's homepage is very instructive with regards to the security updates. The SQL-Ledger page makes no mention of updates; one must follow the "What's New" link to see the updates and the descriptions make no mention of the security implications of the release. A user could easily be lulled into thinking that "added %00 check for login to trigger an error" is just a run-of-the-mill bug fix rather than a fix for an arbitrary code execution and authentication bypass bug as described in the report.

The LedgerSMB site, on the other hand, has its news listed on the front page and calls the most recent security release (1.1.10) a fix for "a serious security hole." The users and announce mailing lists both have detailed reports about the problem whereas the SQL-Ledger public user mailing list makes no mention of the new release. One presumes and hopes that the users who have purchased support get some kind of notification from DWS Systems (Simader's company), but the non-paying users need to pay close attention to Bugtraq (or the LedgerSMB site).

In many ways, the contrast between the two mirrors the contrast between how open source and proprietary software projects handle security issues. One disseminates the information far and wide while the other treats it as a public relations black eye and obscures it. DWS Systems is presumably trying to protect its income stream but, by doing it in the way it has, it appears to have alienated a segment of its user base which is now directly competing with the company. Had Simader been more responsive to those issues, there very well might not be a competing project. It will be interesting to see which approach works better in the long term or if both thrive equally.

Comments (5 posted)

Brief items

Felten: Too much innovation in the OLPC?

Ed Felten questions the OLPC security model. His problem is not with specifics of the model itself, but rather with an overall sense of second system syndrome. "OLPC needs to be innovative in some areas, but I don't think security is one of them. Sure, it would be nice to have a better security model, but until we know that model is workable in practice, it seems risky to try it out on millions of kids." (LWN covered the OLPC security model in February).

Comments (15 posted)

New vulnerabilities

asterisk: SIP denial of service

Package(s):asterisk CVE #(s):CVE-2007-1306
Created:March 19, 2007 Updated:March 21, 2007
Description: The MU Security Research Team discovered that Asterisk contains a NULL-pointer dereferencing error in the SIP channel when handling request messages. A remote attacker could cause an Asterisk server listening for SIP messages to crash by sending a specially crafted SIP request message.
Gentoo 200703-14 asterisk 2007-03-16

Comments (2 posted)

inkscape: format string vulnerabilities

Package(s):inkscape CVE #(s):CVE-2007-1463 CVE-2007-1464
Created:March 21, 2007 Updated:April 16, 2007
Description: Inkscape has a format string vulnerability in its URI handling, possibly allowing an attacker to execute code with user privileges via a specially crafted file.

Format string vulnerability in the whiteboard Jabber protocol in Inkscape before 0.45.1 allows user-assisted remote attackers to execute arbitrary code via unspecified vectors.

Gentoo 200704-10 inkscape 2007-04-16
rPath rPSA-2007-0061-1 inkscape 2007-03-28
Foresight FLEA-2007-0002-1 inkscape 2007-03-24
Mandriva MDKSA-2007:069 inkscape 2007-03-22
Ubuntu USN-438-1 inkscape 2007-03-20

Comments (none posted)

kernel: multiple vulnerabilities

Package(s):kernel CVE #(s):CVE-2007-0005 CVE-2007-1000
Created:March 15, 2007 Updated:November 14, 2007
Description: The Linux kernel has a boundary error problem with the Omnikey CardMan 4040 driver read and write functions. This can be used to cause a buffer overflow and possible execution or arbitrary code with kernel privileges.

The ipv6_getsockopt_sticky function in net/ipv6/ipv6_sockglue.c is vulnerable to a NULL pointer dereference. Local users can use this to crash the kernel or to disclose kernel memory.

Fedora FEDORA-2007-599 kernel 2007-06-21
Ubuntu USN-489-1 linux-source-2.6.15 2007-07-19
Ubuntu USN-486-1 linux-source-2.6.17 2007-07-17
Debian DSA-1286-1 linux-2.6 2007-05-02
Red Hat RHSA-2007:0169-01 kernel 2007-04-30
Mandriva MDKSA-2007:078 kernel 2007-04-04
Fedora FEDORA-2007-336 kernel 2007-03-14
Fedora FEDORA-2007-335 kernel 2007-03-14

Comments (none posted)

libwpd: buffer overflows

Package(s):libwpd CVE #(s):CVE-2007-0002
Created:March 16, 2007 Updated:April 9, 2007
Description: iDefense reported several overflow bugs in libwpd. An attacker could create a carefully crafted Word Perfect file that could cause an application linked with libwpd, such as OpenOffice, to crash or possibly execute arbitrary code if the file was opened by a victim.
Gentoo 200704-07 libwpd 2007-04-06
Slackware SSA:2007-085-02 libwpd 2007-03-27
Fedora FEDORA-2007-351 libwpd 2007-03-19
Fedora FEDORA-2007-350 libwpd 2007-03-19
Ubuntu USN-437-1 libwpd 2007-03-19
Debian DSA-1268-1 libwpd 2007-03-17
Mandriva MDKSA-2007:064 2007-03-16
Mandriva MDKSA-2007:063 libwpd 2007-03-16
rPath rPSA-2007-0057-1 libwpd 2007-03-16
Red Hat RHSA-2007:0055-01 libwpd 2007-03-16

Comments (none posted)

lookup-el: insecure temporary file

Package(s):lookup-el CVE #(s):CVE-2007-0237
Created:March 19, 2007 Updated:December 10, 2007
Description: Tatsuya Kinoshita discovered that Lookup, a search interface to electronic dictionaries on emacsen, creates a temporary file in an insecure fashion when the ndeb-binary feature is used, which allows a local attacker to craft a symlink attack to overwrite arbitrary files.
Gentoo 200712-07 lookup 2007-12-09
Debian DSA-1269-1 lookup-el 2007-03-18

Comments (none posted)

LSAT: insecure temporary file creation

Package(s):lsat CVE #(s):
Created:March 19, 2007 Updated:March 21, 2007
Description: LSAT insecurely writes in /tmp with a predictable filename. A local attacker could create symbolic links in the temporary files directory, pointing to a valid file somewhere on the filesystem. When the LSAT script is executed, this would result in the file being overwritten with the rights of the user running the software, which could be the root user.
Gentoo 200703-20 lsat 2007-03-18

Comments (none posted)

nas: code execution

Package(s):nas CVE #(s):CVE-2007-1543 CVE-2007-1544 CVE-2007-1545 CVE-2007-1546 CVE-2007-1547
Created:March 21, 2007 Updated:April 24, 2007
Description: The Network Audio System daemon has a number of vulnerabilities which can be exploited to run arbitrary code or force a crash.
Gentoo 200704-20 nas 2007-04-23
rPath rPSA-2007-0067-1 nas 2007-04-04
Foresight FLEA-2007-0007-1 nas 2007-04-03
Ubuntu USN-446-1 nas 2007-03-28
Debian DSA-1273-1 nas 2007-03-27
Mandriva MDKSA-2007:065 nas 2007-03-20

Comments (none posted)

openafs: privilege escalation

Package(s):openafs CVE #(s):CVE-2007-1507
Created:March 21, 2007 Updated:April 4, 2007
Description: The handling of setuid files in the OpenAFS filesystem is flawed in such a way that a sufficiently clever attacker could make an arbitrary executable file to appear to be setuid.
Gentoo 200704-03 openafs 2007-04-03
Mandriva MDKSA-2007:066 openafs 2007-03-20
Debian DSA-1271-1 openafs 2007-03-20

Comments (none posted) buffer overflow and command execution

Package(s) CVE #(s):CVE-2007-0238 CVE-2007-0239
Created:March 21, 2007 Updated:April 17, 2007
Description: The StarCalc parser in suffers from an "easily exploitable" stack overflow which could be exploited (via a malicious document) to execute arbitrary code.

Additionally, there is a failure to escape shell metacharacters in URLs, exposing users to command execution by way of hostile links.

Gentoo 200704-12 openoffice 2007-04-16
rPath rPSA-2007-0070-1 2007-04-09
Mandriva MDKSA-2007:073 2007-03-29
Foresight FLEA-2007-0004-1 2007-03-29
Ubuntu USN-444-1 2007-03-27
Debian DSA-1270-2 2007-03-28
Fedora FEDORA-2007-376 2007-03-27
Fedora FEDORA-2007-375 2007-03-27
Red Hat RHSA-2007:0069-01 2007-03-22
Red Hat RHSA-2007:0033-01 2007-03-22
SuSE SUSE-SA:2007:023 2007-03-21
Debian DSA-1270-1 2007-03-20

Comments (none posted)

ssh: privilege escalation

Package(s):ssh CVE #(s):CVE-2006-0705
Created:March 15, 2007 Updated:March 21, 2007
Description: The SSH server has a format string vulnerability in the SFTP code for scp2 and sftp2. The accessed filename can be passed to the system log, an unspecified error could allow uncontrolled stack access. Authenticated users may be able to use this to bypass command restrictions or run commands as another user.
Gentoo 200703-13 ssh 2007-03-14

Comments (none posted)

webcalendar: missing input sanitizing

Package(s):webcalendar CVE #(s):CVE-2007-1343
Created:March 16, 2007 Updated:March 21, 2007
Description: It was discovered that WebCalendar, a PHP-based calendar application, insufficiently protects an internal variable, which allows remote file inclusion.
Debian DSA-1267-1 webcalendar 2007-03-15

Comments (none posted)

Page editor: Jonathan Corbet
Next page: Kernel development>>

Copyright © 2007, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds