SQL-Ledger/LedgerSMB Permission and Access Control Bypass Vulnerability

Vulnerability ID: 1191045  Vulnerability type: Design error
Published: 2007-04-10  Updated: 2007-04-11
CVE: CVE-2007-1923  CNNVD-ID: CNNVD-200704-176
Platform: N/A  CVSS score: 7.5
|Vulnerability source
https://cxsecurity.com/issue/WLB-2007040059
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200704-176
|Vulnerability details
(1) LedgerSMB and (2) DWS Systems SQL-Ledger implement access control through the settings of the URLs linked from the menu, which allows remote attackers to access restricted functionality via direct requests.
|Vulnerability EXP
Hi all;

I have decided to finally send to this list a serious security flaw in 
the design of SQL-Ledger (all versions).  LedgerSMB (all versions) is 
also affected but the problem (with a workaround) has been mentioned in 
our documentation since the fork.  Ordinarily I would not make a big 
deal out of this (since we are already clear about why we suggest using 
db accounts for security), but I feel that DWS is misrepresenting the 
security of SQL-Ledger and I think people need to be aware of the risk.

The access control lists associated with users in SQL-Ledger and 
LedgerSMB do nothing more than enable or disable menu items.  They do 
not, however, actually prevent access to the application in any 
meaningful way.  The reason is that none of the application's functions 
actually check the access control lists before executing.  For this 
reason, anyone can access any other part of the application simply by 
typing the required URL in the address bar (to get a valid url, try 
right-clicking on the data-entry frame and select "Show only this frame" 
in Firefox).

Again, my big issue isn't that this is broken in SQL-Ledger but that the 
author seems content to let people not know that it is broken and that 
there are ways to properly secure it.  The access control feature is 
advertised at 
http://sql-ledger.com/cgi-bin/nav.pl?page=feature/multiuser.html&title=Multi-user

As for a workaround, we have always suggested that this feature is 
inadequate for security purposes and that roles need to be isolated into 
separate database accounts (which the application does support).  
However, this process is cumbersome.  The LedgerSMB project intends to 
automate this process properly in 1.3.0 (perhaps six months away).

Best Wishes,
Chris Travers
begin:vcard
fn:Chris Travers
n:Travers;Chris
email;internet:chris (at) metatrontech (dot) com [email concealed]
tel;work:509-888-0220
tel;cell:509-630-7794
x-mozilla-html:FALSE
version:2.1
end:vcard
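As an added illustration (not code from the advisory above or from the SQL-Ledger/LedgerSMB projects), the Python below contrasts the design the post describes, an ACL consulted only when the menu is rendered, with a dispatcher that re-checks the ACL on every request before any handler runs. The action names, users, ACL layout and URL shapes are constructed for this example; the real applications are Perl CGI scripts, but the pattern is the same.

```python
# Added example (hypothetical application, not SQL-Ledger/LedgerSMB code).
# All action names, users and ACL entries below are constructed for illustration.
from typing import Callable, Dict, FrozenSet, List, Tuple
from urllib.parse import parse_qs, urlparse

# Hypothetical application functions, keyed by the "action" query parameter.
ACTIONS: Dict[str, Callable[[], str]] = {
    "ar_add":      lambda: "AR transaction form",
    "gl_report":   lambda: "general ledger report",
    "admin_users": lambda: "user administration",
}

# Hypothetical per-user ACLs: the set of functions each user is allowed to use.
ACLS: Dict[str, FrozenSet[str]] = {
    "clerk": frozenset({"ar_add"}),
    "admin": frozenset(ACTIONS),
}

# Denied direct requests are recorded here; in a real deployment this would be
# an audit log line, which is the detection signal for this class of bypass.
denied_requests: List[Tuple[str, str]] = []


def render_menu(user: str) -> List[str]:
    """Menu rendering filters items by ACL. In the flawed design this filtering
    is the only place the ACL is ever consulted."""
    return sorted(a for a in ACTIONS if a in ACLS.get(user, frozenset()))


def action_from_url(url: str) -> str:
    """Extract the action a client asked for, whether it came from a menu click
    or was typed straight into the address bar."""
    return parse_qs(urlparse(url).query).get("action", [""])[0]


def dispatch_menu_only(user: str, url: str) -> str:
    """Flawed pattern: the handler trusts that the user reached it through a
    visible menu link, so `user` is never checked against the ACL."""
    action = action_from_url(url)
    if action not in ACTIONS:
        return "404 unknown action"
    return "200 " + ACTIONS[action]()


def dispatch_enforced(user: str, url: str) -> str:
    """Hardened pattern: every request re-checks the ACL before the handler
    runs, so hiding a menu item and denying the function are one decision."""
    action = action_from_url(url)
    if action not in ACTIONS:
        return "404 unknown action"
    if action not in ACLS.get(user, frozenset()):
        denied_requests.append((user, action))
        return "403 forbidden"
    return "200 " + ACTIONS[action]()


if __name__ == "__main__":
    # A clerk sees only the AR item, but the menu-only dispatcher still runs
    # any action named in the URL; the enforced dispatcher refuses it.
    print(render_menu("clerk"))
    print(dispatch_menu_only("clerk", "/cgi-bin/admin.pl?action=admin_users"))
    print(dispatch_enforced("clerk", "/cgi-bin/admin.pl?action=admin_users"))
    print(denied_requests)
```

The point of the hardened dispatcher is that authorization lives at the request boundary, not in the UI: a menu is a convenience, and only a check executed on the server for every request counts as access control. The `denied_requests` list stands in for an audit log; a burst of 403s for actions absent from a user's menu is the signal a defender would alert on.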
|References

Source: BID
Name: 23352
Link: http://www.securityfocus.com/bid/23352
Source: BUGTRAQ
Name: 20070406 ACLS ineffective in SQL-Ledger and LedgerSMB
Link: http://www.securityfocus.com/archive/1/archive/1/464880/100/0/threaded
Source: OSVDB
Name: 38218
Link: http://osvdb.org/38218
Source: OSVDB
Name: 38217
Link: http://osvdb.org/38217
Source: XF
Name: sqlledger-acl-weak-security(33494)
Link: http://xforce.iss.net/xforce/xfdb/33494
Source: SREASON
Name: 2552
Link: http://securityreason.com/securityalert/2552