VID |
210046 |
Severity |
40 |
Port |
80, ... |
Protocol |
TCP |
Class |
CGI |
Detailed Description |
SQL-Ledger and LedgerSMB (a fork of SQL-Ledger) are web-based double-entry accounting systems written in Perl. SQL-Ledger versions prior to 2.6.26 and LedgerSMB versions prior to 1.1.9 contain an authentication bypass vulnerability in the admin.pl script. A remote attacker could exploit this vulnerability to bypass authentication and gain unauthorized access to the administrative interface.
* References:
  https://sourceforge.net/project/shownotes.php?release_id=492303&group_id=175965
  http://www.sql-ledger.org/cgi-bin/nav.pl?page=news.html&title=What's%20New
  http://archives.neohapsis.com/archives/bugtraq/2007-03/0086.html
  http://secunia.com/advisories/24467/
  http://secunia.com/advisories/24496/
* Platforms Affected: DWS Systems Inc. SQL-Ledger versions prior to 2.6.26; Open Source Technology Group LedgerSMB versions prior to 1.1.9; any operating system, any version |
Recommendation |
For SQL-Ledger: Upgrade to the latest version (2.6.26 or later), available from the SQL-Ledger Web site at http://www.sql-ledger.org/
For LedgerSMB: Upgrade to the latest version (1.1.9 or later), available from the SourceForge.net Web site at http://sourceforge.net/projects/ledger-smb/
For other distributions: Contact your vendor for patch or upgrade information. |
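The following is an added example, not part of this advisory and not code from either project: a small inventory check that decides whether a reported SQL-Ledger or LedgerSMB version falls inside the affected range (older than 2.6.26 and 1.1.9 respectively), so that hosts still needing the upgrade above can be listed. The host names and version strings in the sample inventory are constructed for illustration.

```python
"""Added example (not from the advisory or either project): flag SQL-Ledger and
LedgerSMB installations whose version predates the fixed release for CVE-2007-1436.
"""
import re

# Fixed releases named in the advisory; any earlier version is affected.
FIXED_VERSIONS = {
    "sql-ledger": (2, 6, 26),
    "ledgersmb": (1, 1, 9),
}

# Constructed sample inventory (hypothetical hosts), e.g. scraped from login
# page banners or package lists: (host, product, reported version string).
SAMPLE_INVENTORY = [
    ("erp1.example.internal", "SQL-Ledger", "2.6.25"),
    ("erp2.example.internal", "SQL-Ledger", "2.6.26"),
    ("books.example.internal", "LedgerSMB", "1.1.8"),
    ("books2.example.internal", "LedgerSMB", "1.2.0"),
]


def parse_version(text):
    """Turn '2.6.25', 'v1.1.8' or '2.6.25-1' into a tuple of ints.

    Only the leading dotted numeric part is compared; a trailing package
    suffix such as '-1' is ignored. Raises ValueError if no version is found.
    """
    m = re.match(r"\s*v?(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_affected(product, version):
    """True if `version` of `product` is older than the fixed release."""
    key = product.lower().replace("_", "-")
    if key not in FIXED_VERSIONS:
        raise ValueError(f"unknown product {product!r}")
    fixed = FIXED_VERSIONS[key]
    found = parse_version(version)
    # Pad both tuples so that '2.6' compares as 2.6.0 rather than as a
    # shorter tuple that Python would sort before (2, 6, 0).
    width = max(len(found), len(fixed))
    found = found + (0,) * (width - len(found))
    fixed = fixed + (0,) * (width - len(fixed))
    return found < fixed


def triage(inventory):
    """Return the inventory entries that still need the upgrade."""
    return [entry for entry in inventory if is_affected(entry[1], entry[2])]


if __name__ == "__main__":
    for host, product, version in triage(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} is affected by CVE-2007-1436")
```

The version comparison is numeric per component, so a hypothetical 1.10.0 correctly sorts after 1.1.9; a plain string comparison would get that wrong. A version banner is only a proxy for the installed code, so treat a "not affected" result as a reason to deprioritise, not as proof that the fix is present.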
Related URL |
CVE-2007-1436 (CVE) |
Related URL |
22889 (SecurityFocus) |
Related URL |
32954 (ISS) |