[Secure-testing-team] sql-ledger in testing

Chris Travers chris at metatrontech.com
Mon Oct 22 22:41:46 UTC 2007


Thijs Kinkhorst wrote:
> I'd like to see some real-world cases where this could be exploited
> before we start to remove things for which no adequate substitute is packaged yet.

I don't think people understand what the danger is.  Basically an 
accounting application is something which tracks, manages, and often 
even provides access to your company's money.  This is not monopoly 
money; it is the real thing.

With access to an accounting application, an individual can create false 
invoices and print false checks in order to embezzle money from an 
organization.  In an ideal environment, these things can be tracked and 
audited, so you have a great deal of confidence that you know who 
printed every check, you know who entered every invoice, etc.  However, 
if the security of the system is compromised, you have the ability to 
tamper with these audit trails, allowing an individual to effectively 
cover up embezzlement activities.  While this is somewhat easier where 
petty cash is concerned (as there is no independent record beyond 
internal voucher slips), it is not entirely out of the question with 
checking accounts and the like.

In short such security issues allow people to steal your money.  This is 
not unheard of in small to midsize businesses, which is usually why 
either owners do most of the bookkeeping themselves or you have a strict 
separation of duties.  In short no business of any size can afford to 
trust the bookkeepers in the way you suggest.

Part of the problem is that we are not talking about a typical IT 
security scenario here.  These sorts of attacks are generally done by 
people who know what they are looking for, and are using it to hide 
evidence of theft.  It is also a big deal when you have to know that 
your books are accurate (for example during a tax audit or due to 
Sarbanes-Oxley, or equivalent, compliance requirements).

As I said in my previous email, you should make your decisions based on 
facts.  If the software is not maintained regarding security, it is your 
decision whether to distribute it or not.  But you should be aware of 
the real-world risks of doing so:

1)  SQL injection issues in SQL-Ledger are numerous, obvious, and easy 
to exploit to alter audit trails, change financial records, or the 
like.  We, in the LedgerSMB project, are *still* finding these several 
months after we thought we converted everything to parameterized forms.

2)  SQL-Ledger only pretends to have a real authorization framework.  
The "Access Control" section actually merely customizes the menu.  It 
does not provide any effective security.

Best Wishes,
Chris Travers
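Added illustration (not code from this thread, from SQL-Ledger or from LedgerSMB) of the difference between the string-spliced SQL the message criticizes and the parameterized form it says LedgerSMB converted to, using Python's sqlite3 and a constructed audit_log table standing in for an accounting application's audit trail:

```python
import sqlite3

# Constructed sample audit trail: who did what to which invoice.
SCHEMA = """
CREATE TABLE audit_log (
    id INTEGER PRIMARY KEY,
    invoice_ref TEXT,
    action TEXT,
    actor TEXT
);
"""
ROWS = [
    ("INV-1001", "created", "alice"),
    ("INV-1002", "created", "bob"),
    ("INV-1002", "voided", "bob"),
]

def open_ledger():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany(
        "INSERT INTO audit_log (invoice_ref, action, actor) VALUES (?, ?, ?)", ROWS
    )
    return db

def audit_entries_unsafe(db, invoice_ref):
    # 'Before' form: the caller-supplied reference is spliced into the SQL text,
    # so a quote character in it alters the statement instead of the data.
    sql = f"SELECT action, actor FROM audit_log WHERE invoice_ref = '{invoice_ref}'"
    return db.execute(sql).fetchall()

def audit_entries_safe(db, invoice_ref):
    # Parameterized form: the driver passes the value separately; it is
    # compared as data and can never terminate or extend the statement.
    sql = "SELECT action, actor FROM audit_log WHERE invoice_ref = ? ORDER BY id"
    return db.execute(sql, (invoice_ref,)).fetchall()

def demo():
    db = open_ledger()
    tainted = "INV-1001' OR '1'='1"  # constructed input containing a quote
    return {
        "unsafe_rows": len(audit_entries_unsafe(db, tainted)),  # every row
        "safe_rows": len(audit_entries_safe(db, tainted)),      # no such ref
        "safe_legit": audit_entries_safe(db, "INV-1002"),       # normal lookup
    }
```

The unsafe query returns the whole audit table for an input that is not a valid invoice reference at all, while the parameterized query treats the same input as an ordinary (non-matching) string.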

