LedgerSMB/SQL-Ledger Login Parameter Local File Include And Authentication Bypass Vulnerabilities
BID:23034
Info
| Bugtraq ID: | 23034 |
| Class: | Input Validation Error |
| CVE: | CVE-2007-1541, CVE-2007-1540 |
| Remote: | Yes |
| Local: | No |
| Published: | Mar 19 2007 12:00AM |
| Updated: | Jul 06 2016 02:39PM |
| Credit: | Chris Travers is credited with discovering these vulnerabilities. |
| Vulnerable: | SQL-Ledger SQL-Ledger 2.6.26; SQL-Ledger SQL-Ledger 2.6.25; SQL-Ledger SQL-Ledger 2.6.21; SQL-Ledger SQL-Ledger 2.6.19; SQL-Ledger SQL-Ledger 2.6.18; SQL-Ledger SQL-Ledger 2.6.17; LedgerSMB LedgerSMB 1.1.9; LedgerSMB LedgerSMB 1.1.8; LedgerSMB LedgerSMB 1.1.5; LedgerSMB LedgerSMB 1.1; LedgerSMB LedgerSMB 1.0 p1; LedgerSMB LedgerSMB 1.0 |
| Not Vulnerable: | |
Discussion
LedgerSMB/SQL-Ledger are prone to a local file-include vulnerability because the application fails to sufficiently sanitize user-supplied input. SQL-Ledger is also prone to an authentication-bypass vulnerability.
A successful exploit would allow an attacker to view files and execute arbitrary local scripts within the context of the webserver and potentially gain unauthorized access to the affected application.
Note that the authentication-bypass issue affects only SQL-Ledger.
These issues affect LedgerSMB prior to 1.1.10 and SQL-Ledger prior to 2.6.27.
Exploit / POC
Attackers can exploit these issues through a browser.
The following proof-of-concept URI is available:
http://www.example.com/sql-ledger/am.pl?login=../../../home/user/foo.pl%00&action=add_department
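For defenders reviewing web server logs for requests shaped like the proof-of-concept URI above, the following sketch flags `login` values that contain a null byte, a `..` path segment, or a path separator. It is an added example, not part of the original advisory or of either project's code; the log lines are constructed samples, and the allowlist of login-name characters is an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Assumption: legitimate login names are short and use only these characters.
SAFE_LOGIN_RE = re.compile(r"[A-Za-z0-9_.@-]{1,64}")

# Constructed sample log lines (combined log format); line 2 carries the advisory's PoC URI.
SAMPLE_LOG = [
    '192.0.2.10 - - [19/Mar/2007:10:00:01 +0000] "GET /sql-ledger/am.pl?login=alice&path=bin/mozilla&action=add_department HTTP/1.1" 200 512',
    '192.0.2.44 - - [19/Mar/2007:10:02:17 +0000] "GET /sql-ledger/am.pl?login=../../../home/user/foo.pl%00&action=add_department HTTP/1.1" 200 128',
    '192.0.2.10 - - [19/Mar/2007:10:03:40 +0000] "GET /sql-ledger/login.pl HTTP/1.1" 200 900',
]


def fully_decode(value, max_rounds=3):
    """Percent-decode until stable so the checks see the final form of the value."""
    for _ in range(max_rounds):
        value, previous = unquote(value), value
        if value == previous:
            break
    return value


def login_findings(target):
    """Return the reasons the `login` parameter of a request target looks unsafe."""
    reasons = []
    for name, raw in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        if name != "login":
            continue  # other parameters may legitimately contain slashes
        value = fully_decode(raw)  # parse_qsl has already decoded once
        if "\x00" in value:
            reasons.append("null-byte")
        if ".." in re.split(r"[\\/]", value):
            reasons.append("traversal")
        if "/" in value or "\\" in value:
            reasons.append("path-separator")
        if not reasons and not SAFE_LOGIN_RE.fullmatch(value):
            reasons.append("unexpected-characters")
    return reasons


def scan_log(lines):
    """Yield (line_number, request_target, reasons) for each suspicious request."""
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        reasons = login_findings(match.group(1)) if match else []
        if reasons:
            yield number, match.group(1), reasons
```

Calling `list(scan_log(SAMPLE_LOG))` reports only the second line; the `path=bin/mozilla` value in the first line is ignored because only `login` is inspected.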
Solution / Fix
Solution:
Reports indicate that these issues may have been addressed in LedgerSMB 1.1.10 and SQL-Ledger 2.6.67. Symantec has not confirmed this.
Currently we are not aware of any vendor-supplied patches for these issues. If you feel we are in error or if you are aware of more recent information, please mail us at: [email protected].
References
References:
- LedgerSMB Homepage (LedgerSMB)
- SQL-Ledger Homepage (SQL-Ledger)
- Arbitrary execution vulnerability in SQL-Ledger and LedgerSMB ([email protected])