Secure?
Posted by: Anonymous Coward on November 16, 2006 05:55 AM
"It's easy to install and use, is Web-based and secure"
I can't imagine how the OSTG folks came up with this conclusion. I've had a look at SQL-Ledger's code, and frankly the security aspect of this software is very troubling.
The code appears to be very disorganized and haphazard, which makes looking for security problems more difficult. Doing a grep for 'exec' and 'system' finds some fun things pretty quickly: In SL/Form.pm (line 314 - version 2.6.19), there is an exec that will execute $script with $args, yet neither is untainted or verified, and both come directly from user input. In SL/AM.pm (line 1535) there is a system call in @args, also with very lax to no checking of input.
There appear to be numerous vulnerabilities via XSS and SQL injection. This, combined with the apparent hostility the developer has toward security reports (check the users list archives for evidence of this), makes SQL-Ledger a fairly dangerous product to use. I would strongly recommend that you either consider another application or at the very least keep your installation away from public networks and any potential malicious users (like your staff). To anyone slightly conscious of security, this essentially makes it a non-networkable, single-user product.
So, my question to the OSTG editors/writers: What did you do exactly to declare this software secure? I would love to know your methodology.
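The pattern the comment describes (request parameters flowing straight into exec/system) and the usual defence for it, taint mode plus an allowlist and the list form of exec, as an added Perl illustration. This is not SQL-Ledger's code and does not reproduce the lines the commenter cites; the parameter names, the report names and the /usr/local/sql-ledger/bin path are constructed for the example.

```perl
#!/usr/bin/perl -T
# Added illustration (constructed, not SQL-Ledger code): a user-controlled
# $script/@args reaching exec, next to a hardened version.  The -T switch
# makes perl refuse to pass tainted data to exec/system at all.
use strict;
use warnings;
use CGI;

my $q = CGI->new;

# --- Vulnerable pattern (constructed) ---
# Under -T this dies with "Insecure dependency in exec"; without -T the
# single-string form is handed to /bin/sh and runs whatever the client sent.
sub run_report_unsafe {
    my ($script, $args) = ($q->param('script'), $q->param('args'));
    exec "$script $args";
}

# --- Hardened version (constructed) ---
# Allowlist: the user picks a name, the program path is ours.  Paths are
# hypothetical.
my %ALLOWED = map { $_ => "/usr/local/sql-ledger/bin/$_" }
              qw(balance_report aging_report);

sub run_report_safe {
    my $name = $q->param('script') // '';
    my $path = $ALLOWED{$name} or die "unknown report '$name'\n";

    my @args;
    for my $a ($q->multi_param('args')) {   # multi_param needs CGI >= 4.08
        # Untaint by matching a strict pattern and keeping only the capture;
        # anything outside the pattern is rejected rather than cleaned.
        $a =~ /\A([A-Za-z0-9_.-]{1,64})\z/ or die "bad argument\n";
        push @args, $1;
    }

    # -T also requires a trustworthy environment before exec.
    local $ENV{PATH} = '/usr/bin:/bin';
    delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

    # List form: no shell is involved, so metacharacters in @args are literal.
    exec $path, @args or die "exec failed: $!\n";
}

run_report_safe();
```

The point for an auditor is that a grep for exec/system is only the first step: the question for each hit is whether the arguments are a fixed program path, whether every user-derived value was untainted through a capture, and whether the call uses the list form. The same checks apply to backticks, open with a pipe, and any SQL built by string interpolation.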