Security advisory: Multiple Vulnerabilities

Hi all;

It has been brought to our attention that a number of security vulnerabilities have been noted in SQL-Ledger. Several of these affect earlier versions of LedgerSMB, and three hotfixes have been released for problems that continue to affect the LedgerSMB codebase.

As always, we highly recommend testing all hotfixes before applying them to a production environment.

The CVEs mentioned here are the ones attached to SQL-Ledger. Subtle differences in how these affect LedgerSMB are noted below.

These vulnerabilities include:
* No Cross-Site-Request-Forgery (XSRF) protection (CVE-2009-3580)
* SQL Injection (similar to CVE-2009-3582)
* Local File Include (CVE-2009-3583)
* Default Administrator Password Weakness (CVE-2009-4402)
* No secure flag on cookie (CVE-2009-3584)

All five have been patched, either in stable versions or in hotfixes. Please read below for more information.

* No Cross-Site-Request-Forgery (XSRF) protection (CVE-2009-3580)

In this vulnerability, an individual could, either through HTML injection in the application or through a script from a third-party web site, cause an HTTP request to be made that would set a user's password to an arbitrary value.

This affects all production versions of LedgerSMB. A hotfix has been released but has not been put through full regression testing at this time. Furthermore this hotfix breaks our traditional string freeze because it requires adding a new input to the preferences screen and so may cause minor issues with localization. Individuals with such problems are encouraged to contact the users list.

To apply the fix, either email chris@metatrontech.com to have it emailed to you or download the latest of the following files from svn (branches/1.2):

bin/am.pl
LedgerSMB/AM.pm

A fix has been applied to the 1.3 codebase as well. Users of 1.3 prerelease versions should update to the most recent SVN revisions.

Note that CSRF/XSRF issues remain a possibility even with this, but some controls and protections are available in the software, if properly configured. In particular, if you set the session timeout to a sane value, the window for exploiting existing sessions is far narrower. The main effect of this fix is to prevent this sort of attack from changing a user's password and thus gaining entry to the system.

There are minor differences between how LedgerSMB and SQL-Ledger mitigate this risk in production versions. In particular, we limit a user to a single login session, and an attempt to change that login session times out the session. This makes the issue more difficult to exploit on LedgerSMB systems generally.

* SQL Injection (CVE-2009-3582)

This affects all production versions, and does not affect 1.3 prerelease versions at all. The contact management module depends on table information submitted by the user and this is not properly sanitized. A user could perform arbitrary database commands including deleting or inserting data into arbitrary tables.

A hotfix has been released but has not been fully regression tested. To obtain the hotfix please email chris@metatrontech.com or download the latest version of the following file from svn (branches/1.2): LedgerSMB/CT.pm

In SQL-Ledger (and in LedgerSMB prior to 1.2.0), this injection can be used to delete an arbitrary set of rows from any table containing an id field. In LedgerSMB 1.2.x, the vulnerability is more limited. While arbitrary tables can be selected, one is limited to deleting one row at a time by the id field. Also, in 1.2.0 only the delete function is believed to be exploitable, while in past versions the update function might be as well.
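The pattern described above (a bound id but a request-supplied table name) next to an allowlisted form, as an added example that is not LedgerSMB or SQL-Ledger code. The table names, the allowlist and the function names are assumptions made for illustration, and the database is a constructed in-memory SQLite sample.

```python
import sqlite3

# Assumed for illustration: the only tables a contact module should touch.
ALLOWED_TABLES = {"customer", "vendor"}

def make_db():
    """Constructed sample database, held in memory."""
    conn = sqlite3.connect(":memory:")
    for table in ("customer", "vendor", "users"):
        conn.execute(f"CREATE TABLE {table} (id INTEGER PRIMARY KEY, name TEXT)")
        conn.execute(f"INSERT INTO {table} (id, name) VALUES (1, 'sample')")
    return conn

def delete_unsafe(conn, table, row_id):
    """Weak form: the id is bound, but the table name comes from the request."""
    conn.execute(f"DELETE FROM {table} WHERE id = ?", (row_id,))

def delete_checked(conn, table, row_id):
    """Hardened form: table must be on the allowlist, id must be an integer."""
    if table not in ALLOWED_TABLES:
        raise ValueError(f"table not permitted: {table!r}")
    conn.execute(f'DELETE FROM "{table}" WHERE id = ?', (int(row_id),))

def count(conn, table):
    return conn.execute(f"SELECT COUNT(*) FROM {table}").fetchone()[0]

def demo():
    conn = make_db()
    delete_unsafe(conn, "users", 1)      # unrelated table is accepted
    unsafe_users_left = count(conn, "users")

    conn = make_db()
    try:
        delete_checked(conn, "users", 1)
        rejected = False
    except ValueError:
        rejected = True
    delete_checked(conn, "customer", 1)  # permitted table still works
    return unsafe_users_left, rejected, count(conn, "users"), count(conn, "customer")

if __name__ == "__main__":
    print(demo())
```

Binding the id as a parameter does not help with the table name, because identifiers cannot be bound; they have to be checked against a fixed set before the statement is built.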

* Local File Include (CVE-2009-3583)

This affects versions of LedgerSMB prior to 1.2.0. If you are using a version prior to 1.2.0, please upgrade.

* Default Administrator Password Weakness (CVE-2009-4402)

This affects versions of LedgerSMB prior to 1.2.0. If you are using a version prior to 1.2.0, there are many critical fixes you are missing out on. If you absolutely cannot upgrade, please make sure the administrator password has been properly set.

* Secure flag not set on cookie (CVE-2009-3584)

This affects all versions of LedgerSMB. The effect is that a session cookie, which could be used to grant access to the system, could be hijacked. The risk on LedgerSMB is less than on SQL-Ledger because we require serial requests in 1.2, and the cookie is not sufficient to gain access to anything in 1.3. In essence, on an unpatched system, an individual would have to guess the request number and send it along. While the range here is limited, it does take some extra work and adds some complexity to the attack.

In a patched system, the secure flag is set only when using HTTPS to access LedgerSMB. However, an incorrect guess as to the request number deletes the user session and requests a password from the user.
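A simplified model of the two behaviours described above, as an added example that is not the LedgerSMB session code: the Secure attribute is emitted only for HTTPS requests, and a request number that does not match the expected one destroys the session. The cookie name `session`, the `sid:number` cookie layout and the in-memory store are assumptions made for illustration.

```python
import secrets

class SessionStore:
    """Toy in-memory store: session id -> next expected request number."""

    def __init__(self):
        self._next = {}

    def login(self):
        sid = secrets.token_hex(16)
        self._next[sid] = 1
        return sid, 1

    def check(self, sid, request_no):
        """Return the next request number, or None if the session is gone."""
        expected = self._next.get(sid)
        if expected is None:
            return None
        if request_no != expected:
            # Wrong number: delete the session so the user must log in again.
            del self._next[sid]
            return None
        self._next[sid] = expected + 1
        return expected + 1

def set_cookie(sid, request_no, https):
    """Build the Set-Cookie header; Secure is added only over HTTPS."""
    header = f"Set-Cookie: session={sid}:{request_no}; Path=/"
    if https:
        header += "; Secure"
    return header

def demo():
    store = SessionStore()
    sid, n = store.login()
    n = store.check(sid, n)        # legitimate request, next number is 2
    wrong = store.check(sid, 1)    # stale or guessed number: session deleted
    after = store.check(sid, 2)    # the correct number no longer helps
    secure_https = set_cookie(sid, 2, True).endswith("; Secure")
    secure_http = "Secure" in set_cookie(sid, 2, False)
    return n, wrong, after, secure_https, secure_http

if __name__ == "__main__":
    print(demo())
```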

To obtain the hotfix either email me at the address mentioned above or download the most recent file from svn (branches/1.2): LedgerSMB/Session/DB.pm.

Sincerely,
Chris Travers

Update: LedgerSMB 1.3 provides an anti-XSRF framework which is designed to prevent this sort of attack, as well as duplicate submissions. Users are advised to upgrade to the 1.3 series as soon as they can, given the complexity of the upgrade.