

More information on CVE-2009-3580

timeout in seconds, so this would require a new password after any
short break.

Properly configured XSRF doesn't have to be a major problem with
either of these packages. However, properly configuring it poses some
significant burdens on employees, so the proper value should be
determined by each customer. The current default value (3600), which
sets the default value to one hour, is way too high though. This issue
will be documented as an issue in future versions of LedgerSMB.

Best Wishes,

Multiple Vulnerabilities in EASY Enterprise DMS

- Stored XSS
In the file upload function, parameter filename. No further example will be provided.

- Unauthorized access to files
By changing a URL parameter (dlcFolderId) to a proper value, it is possible to get access to files the user has no rights on.

In addition, by guessing values for the parameters dlcDocumentId and dlcFileId, an unprivileged user is able to download any file stored in the application.

- Unauthorized manipulation of data
By simply enabling deactivated buttons in the server response, an unprivileged user is able to manipulate stored data (document owner, upload user, document state, approval flag).



Copyright © 1995-2012 LinuxRocket.net. All rights reserved.
