sql-ledger for Debian --------------------- IMPORTANT SECURITY NOTICE ------------------------- SQL-Ledger is known to have many vulnerabilities that are exploitable by someone who has a user account on this web application. That's why you should *only* use that application if you trust the users that have access to it. Historically it also had some vulnerabilities that could be exploited even without having an account. So we advise to you to put this web application in an authenticated HTTP zone. Summary: SQL-Ledger is not suitable for public installations or for installations with untrusted users. Some pointers: http://bugs.debian.org/409703 http://www.securityfocus.com/archive/1/459264 http://www.securityfocus.com/archive/1/445817 Furthermore, Debian doesn't offer official security support for this package given that the upstream developer almost never acknowledges security issues and doesn't provide the corresponding fixes. CONFIGURATION INFORMATION ------------------------- To test this package you need to add this line to your apache configuration, either in a virtual host configuration, or in the global configuration (for example in /etc/apache2/conf.d/sql-ledger.conf): include /etc/sql-ledger/sql-ledger-httpd.conf You also have to add some users to your postgres DB The easiest way to test this package is to add a postgres-users with the name of www-data. This however will mean that every apache process will be able to authenticate to your DB. To make a more robust security scheme, please read your postgres documentation, but for now, do, as root, a su - postgres createuser -d www-data Answer "n" to the question "Shall the new user be allowed to create more new users?" To finally test this, point your browser at http://localhost/sql-ledger/admin.pl to create the DB and the initial user, and afterwards: http://localhost/sql-ledger/login.pl to log in. -- Finn-Arne Johansen , Sun, March 21, 2004 15:41:25 +0100