sql-ledger for Debian
---------------------

IMPORTANT SECURITY NOTICE
-------------------------
SQL-Ledger is known to have many vulnerabilities that are exploitable by
someone who has a user account on this web application. That's why you
should *only* use that application if you trust the users that have access
to it.

Historically it also had some vulnerabilities that could be exploited even
without having an account. So we advise to you to put this web
application in an authenticated HTTP zone.

Summary: SQL-Ledger is not suitable for public installations or for
installations with untrusted users.

Some pointers:
http://bugs.debian.org/409703
http://www.securityfocus.com/archive/1/459264
http://www.securityfocus.com/archive/1/445817

Furthermore, Debian doesn't offer official security support for this
package given that the upstream developer almost never acknowledges
security issues and doesn't provide the corresponding fixes.

CONFIGURATION INFORMATION
-------------------------

To test this package you need to add this line to your
apache configuration, either in a virtual host configuration, or in the
global configuration (for example in /etc/apache2/conf.d/sql-ledger.conf):
 include /etc/sql-ledger/sql-ledger-httpd.conf

You also have to add some users to your postgres DB

The easiest way to test this package is to add a postgres-users with
the name of www-data. This however will mean that every apache process
will be able to authenticate to your DB.

To make a more robust security scheme, please read your postgres
documentation, but for now, do, as root, a

 su - postgres
 createuser -d www-data

Answer "n" to the question "Shall the new user be allowed to create
more new users?"

To finally test this, point your browser at
http://localhost/sql-ledger/admin.pl to create the DB and the initial
user, and afterwards: http://localhost/sql-ledger/login.pl to log in.

 -- Finn-Arne Johansen <faj@bzz.no>, Sun,  March 21, 2004 15:41:25 +0100