SQL-Ledger/LedgerSMB Remote Code Execution Vulnerability
BID:22828
Info
| Bugtraq ID: | 22828 |
| Class: | Boundary Condition Error |
| CVE: | CVE-2007-0667 |
| Remote: | Yes |
| Local: | No |
| Published: | Mar 05 2007 12:00AM |
| Updated: | Mar 06 2007 06:45PM |
| Credit: | The vendor disclosed this vulnerability. |
| Vulnerable: | SQL-Ledger SQL-Ledger 2.6.21, SQL-Ledger SQL-Ledger 2.6.19, SQL-Ledger SQL-Ledger 2.6.18, SQL-Ledger SQL-Ledger 2.6.17, SQL-Ledger SQL-Ledger 2.4.7, LedgerSMB LedgerSMB 1.1, LedgerSMB LedgerSMB 1.0 p1, LedgerSMB LedgerSMB 1.0 |
| Not Vulnerable: | SQL-Ledger SQL-Ledger 2.6.25, LedgerSMB LedgerSMB 1.1.5 |
Discussion
SQL-Ledger/LedgerSMB products are prone to a vulnerability that lets remote attackers execute arbitrary code.
Remote attackers could exploit this issue to execute arbitrary code in the context of the affected application. This could lead to the compromise of a vulnerable system.
SQL-Ledger versions prior to 2.6.25 and LedgerSMB versions prior to 1.1.5 are vulnerable.
Exploit / POC
Attackers can use a browser to exploit this issue.
Solution / Fix
Solution:
The vendor released updated versions of LedgerSMB and SQL-Ledger to address this issue. Please see the references for more information.
SQL-Ledger SQL-Ledger 2.4.7
- SQL-Ledger sql-ledger-2.6.25.tar.gz
  http://internap.dl.sourceforge.net/sourceforge/sql-ledger/sql-ledger-2.6.25.tar.gz
SQL-Ledger SQL-Ledger 2.6.17
- SQL-Ledger sql-ledger-2.6.25.tar.gz
  http://internap.dl.sourceforge.net/sourceforge/sql-ledger/sql-ledger-2.6.25.tar.gz
SQL-Ledger SQL-Ledger 2.6.18
- SQL-Ledger sql-ledger-2.6.25.tar.gz
  http://internap.dl.sourceforge.net/sourceforge/sql-ledger/sql-ledger-2.6.25.tar.gz
SQL-Ledger SQL-Ledger 2.6.19
- SQL-Ledger sql-ledger-2.6.25.tar.gz
  http://internap.dl.sourceforge.net/sourceforge/sql-ledger/sql-ledger-2.6.25.tar.gz
SQL-Ledger SQL-Ledger 2.6.21
- SQL-Ledger sql-ledger-2.6.25.tar.gz
  http://internap.dl.sourceforge.net/sourceforge/sql-ledger/sql-ledger-2.6.25.tar.gz
References
References:
- SQL-Ledger Web Site (SQL-Ledger)
- [email protected]: DoS and code execution issue in LedgerSMB <1.1.5 and SQ (Chris Travers)