More information on CVE-2009-3580

[Chris Travers <chris () metatrontech com>]

One thing not noted in the security advisory or the full disclosure
email is that there are mitigating features which can be used in
vulnerable programs (SQL-Ledger, unpatched LedgerSMB) to mitigate,
though not eliminate, the risk of XSRF.

Current versions of SQL-Ledger and LedgerSMB have a session time out
option which can be set either by the administrator or by the user.
The session timeout value provides a window during which XSRF attacks
can happen.  In environments where this is a risk (for example, not
including closed networks of POS terminals), this session timeout can
be set low enough to make the attacks impractical.

Since XSRF remains a possibility in less critical areas of the
software in LedgerSMB 1.2, it is advised that administrators take
advantage of this measure as well.

I would generally recommend that SQL-Ledger users set the timeout low,
perhaps to a value between 30 and 120.  The value refers to the
timeout in seconds, so this would require a new password after any
short break.

Properly configured XSRF doesn't have to be a major problem with
either of these packages. However, properly configuring it poses some
significant burdens on employees so the proper value should be
determined by each customer.  The current default value (3600) which
sets the default value to one hour is way to high though.  This issue
will be documented as an issue in future versions of LedgerSMB.

Best Wishes,
Chris Travers