BID:22889

LedgerSMB Unspecified Password Check Vulnerability

Info

LedgerSMB Unspecified Password Check Vulnerability

Bugtraq ID:	22889
Class:	Access Validation Error
CVE:	CVE-2007-1436
Remote:	Yes
Local:	No
Published:	Mar 09 2007 12:00AM
Updated:	May 12 2015 07:33PM
Credit:	This vulnerability was reported by the vendor.
Vulnerable:	SQL-Ledger SQL-Ledger 2.6.25 SQL-Ledger SQL-Ledger 2.6.21 SQL-Ledger SQL-Ledger 2.6.19 SQL-Ledger SQL-Ledger 2.6.18 SQL-Ledger SQL-Ledger 2.6.17 SQL-Ledger SQL-Ledger 2.4.7 LedgerSMB LedgerSMB 1.1.8 LedgerSMB LedgerSMB 1.1.5 LedgerSMB LedgerSMB 1.1 LedgerSMB LedgerSMB 1.0 p1 LedgerSMB LedgerSMB 1.0

Not Vulnerable:	SQL-Ledger SQL-Ledger 2.6.26 LedgerSMB LedgerSMB 1.1.9

Discussion

LedgerSMB Unspecified Password Check Vulnerability

LedgerSMB is prone to an unspecified password-check vulnerability.

The exact nature and impact of this vulnerability are currently unknown. This BID will be updated as more information emerges.

LedgerSMB versions prior to 1.1.9 are vulnerable.

Exploit / POC

LedgerSMB Unspecified Password Check Vulnerability

Currently we are not aware of any exploits for this issue. If you feel we are in error or if you are aware of more recent information, please mail us at: [email protected].

Solution / Fix

LedgerSMB Unspecified Password Check Vulnerability

Solution:
The vendor has released updates to address this issue. Please see the references for more information.

LedgerSMB LedgerSMB 1.1.8

LedgerSMB Ledger-SMB-1.1.9
http://downloads.sourceforge.net/ledger-smb/ledger-smb-1.1.9.tar.gz?mo dtime=1173374872&big_mirror=0

SQL-Ledger SQL-Ledger 2.4.7

SQL-Ledger sql-ledger-2.6.26.tar.gz
http://downloads.sourceforge.net/sql-ledger/sql-ledger-2.6.26.tar.gz

SQL-Ledger SQL-Ledger 2.6.17

SQL-Ledger sql-ledger-2.6.26.tar.gz
http://downloads.sourceforge.net/sql-ledger/sql-ledger-2.6.26.tar.gz

SQL-Ledger SQL-Ledger 2.6.18

SQL-Ledger sql-ledger-2.6.26.tar.gz
http://downloads.sourceforge.net/sql-ledger/sql-ledger-2.6.26.tar.gz

SQL-Ledger SQL-Ledger 2.6.19

SQL-Ledger sql-ledger-2.6.26.tar.gz
http://downloads.sourceforge.net/sql-ledger/sql-ledger-2.6.26.tar.gz

SQL-Ledger SQL-Ledger 2.6.21

SQL-Ledger sql-ledger-2.6.26.tar.gz
http://downloads.sourceforge.net/sql-ledger/sql-ledger-2.6.26.tar.gz

SQL-Ledger SQL-Ledger 2.6.25

SQL-Ledger sql-ledger-2.6.26.tar.gz
http://downloads.sourceforge.net/sql-ledger/sql-ledger-2.6.26.tar.gz

References

LedgerSMB Unspecified Password Check Vulnerability

References:

LedgerSMB Homepage (LedgerSMB)
Security bypass vulnerability in LedgerSMB and SQL-Ledger (fixes released today) (Chris Travers )