One thing not noted in the security advisory or the full disclosure email is that there are mitigating features which can be used in vulnerable programs (SQL-Ledger, unpatched LedgerSMB) to mitigate, though not eliminate, the risk of XSRF.

Current versions of SQL-Ledger and LedgerSMB have a session timeout option which can be set either by the administrator or by the user. The session timeout value provides a window during which XSRF attacks can happen. In environments where this is a risk (for example, not including closed networks of POS terminals), this session timeout can be set low enough to make the attacks impractical. Since XSRF remains a possibility in less critical areas of the software in LedgerSMB 1.2, it is advised that administrators take advantage of this measure as well.

I would generally recommend that SQL-Ledger users set the timeout low, perhaps to a value between 30 and 120. The value refers to the timeout in seconds, so this would require a new password after any short break.

Properly configured, XSRF doesn't have to be a major problem with either of these packages. However, properly configuring it poses some significant burdens on employees, so the proper value should be determined by each customer. The current default value (3600), which sets the default to one hour, is way too high though.

This issue will be documented as an issue in future versions of LedgerSMB.

Best Wishes,
Chris Travers