LedgerSMB 1.3.0-1.3.27 security advisories

Submitted by hasorli on

The following is a security advisory for LedgerSMB 1.3.x. It includes information on vulnerable versions, and how to mitigate problems. While the security issues discovered here are minor in most cases, they can have significant impacts for some users in some environments.

Versions vulnerable: 1.3.0 through 1.3.27
Severity: Low in most environments, medium to high where users must share terminals
Fix availability: From vendor, workarounds available as well
First fixed in: 1.3.28
Issues discussed:
  1. Administrative password reset/expiration ineffective
  2. Credentials not cleared on some browsers
Impact:
  1. Administrators may mistakenly believe that users have been securely locked out of the system
  2. Users sharing computer terminals may be able to access the application using each other's credentials

Issue 1 (Administrators may mistakenly believe that users have been securely locked out of the system)

The first is not a security vulnerability per se, but it acts as a vector for security problems because an administrator may mistakenly believe that a user's password has been reset when in fact it has not. Administratively set passwords expire after 24 hours (after which the user is unable to log in with any password), and so the reset also serves as a way of effectively locking users out of the system. Because administrators rely on this mechanism to lock users out, its silent failure is a significant security concern: in the ordinary course of administering the software, access that the administrator believes has been revoked can remain in place. This is heavily mitigated by the fact that audit trails cannot be accessed or deleted by most users.

A patch is available for this issue. If anyone needs it, email Chris Travers (chris@metatrontech.com) for details.

Workaround

Expire/disable/reset passwords from psql or other database-level interface. Do not use the web application in this context for versions prior to 1.3.28.

Credit

This issue was discovered by Chris Travers, following up on an unrelated issue reported by Pongracz Istvan.

Issue 2 (Users sharing computer terminals may be able to access the application using each other's credentials)

The second issue is that LedgerSMB, in versions prior to 1.3.28, would only attempt to clear cached HTTP credentials for Internet Explorer and Firefox users. Users of other browsers would find that their credentials were simply not cleared until the browser window was fully closed, even if the browser supported clearing using the methods provided. It is true that some browsers do not clear credentials of this sort in any case, but even where the existing methods would have worked, they were not run. The issue (in UI/logout/firefox.js) was that we were simply checking whether the browser was Firefox or Internet Explorer, and excluding all other browsers.
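The browser check described above, as an added illustration beside a hardened version (this is not LedgerSMB's own UI/logout/firefox.js): the vulnerable function gates credential clearing on the user agent, so any browser that is not Firefox or Internet Explorer is skipped, while the fixed routine feature-detects and attempts every clearing method on every browser. The function names, the injected `doc`/`makeXhr` parameters and the `/logout` URL are assumptions for the example.

```javascript
// Added illustration of the logic flaw described above; not LedgerSMB's
// UI/logout/firefox.js. Names (vulnerableShouldClear, clearCachedCredentials,
// makeXhr, logoutUrl) are assumed for the example.

// Before: user-agent allow-list. Anything that is not Firefox or Internet
// Explorer (Midori, Chrome, Safari, Opera, ...) skips credential clearing.
function vulnerableShouldClear(userAgent) {
  return /Firefox/.test(userAgent) || /MSIE/.test(userAgent);
}

// After: feature-detect and attempt every known clearing method on every
// browser. `doc` and `makeXhr` are injected so the routine can be exercised
// outside a browser; in a page they would be `document` and
// `() => new XMLHttpRequest()`. Returns the list of methods attempted.
function clearCachedCredentials(doc, makeXhr, logoutUrl) {
  const attempted = [];

  // Internet Explorer: proprietary command that drops cached HTTP auth state.
  if (doc && typeof doc.execCommand === "function") {
    try {
      if (doc.execCommand("ClearAuthenticationCache", false)) {
        attempted.push("execCommand");
      }
    } catch (e) {
      // Not supported by this browser; fall through to the next method.
    }
  }

  // Other browsers: a synchronous request to the protected URL with bogus
  // basic-auth credentials makes the browser replace the cached ones for
  // this realm with values that will not authenticate.
  if (typeof makeXhr === "function") {
    const xhr = makeXhr();
    xhr.open("GET", logoutUrl, false, "logged_out", "logged_out");
    try {
      xhr.send(null);
    } catch (e) {
      // A 401 or network error here is expected and harmless.
    }
    attempted.push("bogus-credential-request");
  }

  return attempted;
}

// In a real page this runs unconditionally on logout, whatever the browser.
if (typeof document !== "undefined" && typeof XMLHttpRequest !== "undefined") {
  clearCachedCredentials(document, () => new XMLHttpRequest(), "/logout");
}
```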

Attack Scenario

User 1 works a point-of-sale terminal using Midori as a web browser. User 1 is about to finish his shift and locks his terminal. User 2 steals $100 out of the till and waits. When User 1 logs out, User 2 clicks the back button and enters a transaction accounting for the missing $100, thus hiding the theft.

Patch availability

A fix for this is available and will be included in LedgerSMB 1.3.28. If anyone needs it before then, please email Chris Travers (chris@metatrontech.com) for details.

Workaround

For shared terminal environments, please use Internet Explorer (8+) or Firefox, or close all browser windows after logging out.

Credit

Credit goes to Pongracz Istvan for discovering and reporting this problem.