On Fri, Jan 29, 2010 at 12:42 AM, John Bell <[email protected]> wrote:
> There's a good description of this type of attack at
> http://en.wikipedia.org/wiki/Cross-site_request_forgery
>
> Joomla! also has a good mechanism for passing a token with each request
> that eliminates this type of attack. But I echo Chris' comments that this
> type of attack is theoretically possible, but unlikely.
>
Just to be clear, I didn't say it was unlikely. I think it poses some
issues that need to be solved. I just don't think it is likely to be used
as a way of covering a lot of theft by the time we get it solved. Also it
is unlikely to be useful against a large portion of the users of the
software simply because many users only have one person with access (the
business owner).
However, as LedgerSMB ends up being used by larger businesses, the
incentives to embezzle money go up and holes like this become larger
problems. A hole like this undermines the basic accounting processes which
are in place to prevent this sort of behavior and so it needs to be fixed.
The issue is that the complexity of the attack reduces the immediate (but
not really the long-term) danger of the exploit.
Hope this helps,
Chris Travers
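The per-request token mechanism John mentions above (synchronizer-token pattern), as an added example in Python; this is not LedgerSMB's or Joomla!'s own code, and the in-memory session store and handler names are assumptions:

```python
import hmac
import secrets

# Constructed in-memory session store: session id -> session data (assumption,
# a real application would keep this server-side in a database or cache).
SESSIONS = {}


def new_session():
    """Create a session and mint the anti-CSRF token bound to it."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"csrf_token": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid):
    """Token to embed as a hidden field in every state-changing form."""
    return SESSIONS[sid]["csrf_token"]


def handle_post(sid, form):
    """Process a state-changing POST; return (HTTP status, message).

    A forged cross-site request arrives with the victim's session cookie,
    because the browser attaches it automatically, but the attacking page
    cannot read the token embedded in the victim's form, so it fails here.
    """
    session = SESSIONS.get(sid)
    if session is None:
        return 401, "no session"
    submitted = form.get("csrf_token", "")
    # Constant-time comparison so the check does not leak the token via timing.
    if not hmac.compare_digest(submitted, session["csrf_token"]):
        return 403, "CSRF token missing or invalid"
    return 200, "transaction posted for %s" % form.get("payee", "?")


if __name__ == "__main__":
    sid = new_session()
    # Legitimate submission: token taken from the form the server rendered.
    legit = {"csrf_token": csrf_token_for(sid), "payee": "Supplier Ltd", "amount": "100.00"}
    print(handle_post(sid, legit))
    # Forged submission: same session cookie, but no (or a wrong) token.
    forged = {"payee": "Other Ltd", "amount": "100.00"}
    print(handle_post(sid, forged))
```

A token issued to one session must also be rejected when replayed against another, which is why the check compares against the token stored for that particular session rather than a global value.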
_______________________________________________
Ledger-smb-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/ledger-smb-users