SQL-Ledger Redirect Function Arbitrary Code Execution Vulnerability
BID:22295
Info
| Bugtraq ID: | 22295 |
| Class: | Boundary Condition Error |
| CVE: | CVE-2007-0667 |
| Remote: | Yes |
| Local: | No |
| Published: | Dec 18 2006 12:00AM |
| Updated: | Feb 06 2007 07:28PM |
| Credit: | Chris Travers is credited with the discovery of this vulnerability. |
| Vulnerable: | SQL-Ledger SQL-Ledger 2.6.21; SQL-Ledger SQL-Ledger 2.6.19; SQL-Ledger SQL-Ledger 2.6.18; SQL-Ledger SQL-Ledger 2.6.17; SQL-Ledger SQL-Ledger 2.4.7; LedgerSMB LedgerSMB 1.1; LedgerSMB LedgerSMB 1.1; LedgerSMB LedgerSMB 1.0 p1; LedgerSMB LedgerSMB 1.0 |
| Not Vulnerable: | LedgerSMB LedgerSMB 1.1.5 |
Discussion
SQL-Ledger is prone to an arbitrary code-execution vulnerability.
An attacker could exploit this issue to execute arbitrary code in the context of the affected application. This could lead to the compromise of a vulnerable system.
SQL-Ledger 2.6 and prior versions are vulnerable.
Exploit / POC
Attackers can exploit this issue via a web client.
Solution / Fix
Solution:
The vendor released an updated version of LedgerSMB to address this issue. Please see the references for more information.
The following unofficial patch is available for SQL-Ledger. Symantec has not tested or verified the integrity of this patch. Users are advised to use caution when applying patches from third-party sources.
diff -C3 -r sql-ledger-orig/SL/Form.pm sql-ledger/SL/Form.pm
*** sql-ledger-orig/SL/Form.pm 2007-02-05 18:20:34.000000000 -0800
--- sql-ledger/SL/Form.pm 2007-02-05 18:23:06.000000000 -0800
***************
*** 311,318 ****
if ($self->{callback}) {
! my ($script, $argv) = split(/\?/, $self->{callback});
! exec ("perl", $script, $argv);
} else {
--- 311,327 ----
if ($self->{callback}) {
! my ($script, $argv) = split(/\?/, $self->{callback});
! foreach (qw/admin.pl login.pl am.pl ap.pl ar.pl bp.pl ca.pl
! cp.pl ct.pl menu.pl gl.pl hr.pl ic.pl ir.pl
! is.pl jc.pl oe.pl pe.pl ps.pl rc.pl rp.pl/) {
! if ($_ =~ /(?:custom_)?$script/) {
! exec ("perl", $script, $argv);
! }
! }
! # $script not in whitelist
! $self->error('Access Denied!')
!
} else {
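Review bot: The allowlist test in the new block, `if ($_ =~ /(?:custom_)?$script/)`, matches in the wrong direction. It interpolates the request-supplied `$script` as an unanchored regular expression and searches each allowed name for it, so the check passes for any value that matches part of an allowed name, and regex metacharacters in `$script` are interpreted, rather than passing only for the listed scripts. Compare exact strings instead: strip an optional leading `custom_` from `$script` and test the remainder against each entry with `eq`, or match `$script` against the anchored, quoted pattern `\A(?:custom_)?\Q$_\E\z`. As a style point, `$self->error('Access Denied!')` has no terminating semicolon and only parses because it is the last statement in the block.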
References