VID: 210045
Severity: 30
Port: 80, ...
Protocol: TCP
Class: CGI
Detailed Description:
LedgerSMB and SQL-Ledger are vulnerable to directory traversal via the am.pl script. Both are web-based double-entry accounting systems written in Perl. The flaw is caused by improper validation of user-supplied input passed to the 'file' parameter of the 'am.pl' script, which allows a remote, unauthenticated attacker to traverse directories on the system. A remote attacker could exploit this vulnerability to traverse directories and read arbitrary files on the affected host.
* References:
  - http://www.securityfocus.com/archive/1/461630/30/0/threaded
  - http://sourceforge.net/mailarchive/forum.php?thread_id=31341304&forum_id=50269
  - http://secunia.com/advisories/24366/
* Platforms Affected:
  - DWS Systems Inc., SQL-Ledger 2.x
  - Open Source Technology Group, LedgerSMB versions prior to 1.1.5
  - Any operating system, any version
Recommendation:
For SQL-Ledger: Upgrade to the latest version (2.6.26 or later), available from the SQL-Ledger Web site at http://www.sql-ledger.org/
For LedgerSMB: Upgrade to the latest version (1.1.5 or later), available from the SourceForge.net Web site at http://sourceforge.net/projects/ledger-smb/
For other distributions: Contact your vendor for patch or upgrade information.
Related URL (CVE):
Related URL (SecurityFocus): 22769
Related URL (ISS):