SQL-Ledger/LedgerSMB Insecure User Access Restriction Vulnerability
BID:23352
Info
SQL-Ledger/LedgerSMB Insecure User Access Restriction Vulnerability
| Bugtraq ID: | 23352 |
| Class: | Design Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Apr 06 2007 12:00AM |
| Updated: | Apr 09 2007 09:12PM |
| Credit: | Chris Travers is credited with reporting this issue. |
| Vulnerable: |
SQL-Ledger SQL-Ledger 2.6.26 SQL-Ledger SQL-Ledger 2.6.25 SQL-Ledger SQL-Ledger 2.6.21 SQL-Ledger SQL-Ledger 2.6.19 SQL-Ledger SQL-Ledger 2.6.18 SQL-Ledger SQL-Ledger 2.6.17 SQL-Ledger SQL-Ledger 2.4.7 LedgerSMB LedgerSMB 1.2 LedgerSMB LedgerSMB 1.1.9 LedgerSMB LedgerSMB 1.1.8 LedgerSMB LedgerSMB 1.1.5 LedgerSMB LedgerSMB 1.1 LedgerSMB LedgerSMB 1.1 LedgerSMB LedgerSMB 1.0 p1 LedgerSMB LedgerSMB 1.0 |
| Not Vulnerable: | |
Discussion
SQL-Ledger/LedgerSMB Insecure User Access Restriction Vulnerability
SQL-Ledger/LedgerSMB is prone to an access-restriction vulnerability because it fails to adequately implement ACLs (Acess Control Lists) for SQL database access.
Exploiting this issue can allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database implementation.
All versions of SQL-Ledger and LedgerSMB are prone to this issue.
NOTE: This issue is documented in LedgerSMB documentation.
SQL-Ledger/LedgerSMB is prone to an access-restriction vulnerability because it fails to adequately implement ACLs (Acess Control Lists) for SQL database access.
Exploiting this issue can allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database implementation.
All versions of SQL-Ledger and LedgerSMB are prone to this issue.
NOTE: This issue is documented in LedgerSMB documentation.
Exploit / POC
SQL-Ledger/LedgerSMB Insecure User Access Restriction Vulnerability
Attackers can use a browser to exploit this issue.
Attackers can use a browser to exploit this issue.
Solution / Fix
SQL-Ledger/LedgerSMB Insecure User Access Restriction Vulnerability
Solution:
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or if you are aware of more recent information, please mail us at: mailto:[email protected].
Solution:
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or if you are aware of more recent information, please mail us at: mailto:[email protected].
References
SQL-Ledger/LedgerSMB Insecure User Access Restriction Vulnerability
References:
References:
- LedgerSMB Homepage (LedgerSMB)
- SQL-Ledger Homepage (SQL-Ledger)
- ACLS ineffective in SQL-Ledger and LedgerSMB (Chris Travers)