| VID | 21997 |
| Severity | 40 |
| Port | 80, ... |
| Protocol | TCP |
| Class | CGI |
| Detailed Description |
LedgerSMB and SQL-Ledger are web-based double-entry accounting systems written in Perl; LedgerSMB is a fork of SQL-Ledger and shares the affected code. Both are vulnerable to remote code execution through the login.pl script: user-supplied input passed in the 'script' parameter is not properly validated before it is used, so a remote attacker can supply a crafted value that causes arbitrary Perl code, and therefore arbitrary commands, to be executed on the affected host with the privileges of the account running the web server's CGI processes. Because login.pl is the script that handles authentication, no valid credentials are needed to reach the vulnerable code.
* References:
  http://www.securityfocus.com/archive/1/458300/30/0/threaded
  http://www.frsirt.com/english/advisories/2006/5043
  http://www.frsirt.com/english/advisories/2007/0407
  http://secunia.com/advisories/23375/
* Platforms Affected:
  DWS Systems Inc. SQL-Ledger 2.x (versions prior to 2.6.21)
  Open Source Technology Group LedgerSMB versions prior to 1.1.7
  Any operating system, any version |
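The entry does not reproduce the vulnerable code. The Perl sketch below is an added illustration of the bug class it describes, not LedgerSMB's or SQL-Ledger's actual source: a request parameter that chooses which Perl file a CGI front end compiles and runs, shown first in an unsafe form and then restricted to a fixed allowlist. The install directory, script names, helper names and the sample inputs are all hypothetical and constructed for this example.

```perl
#!/usr/bin/perl
# Constructed illustration of the bug class behind CVE-2006-5872.
# NOT LedgerSMB/SQL-Ledger source; every name and path here is hypothetical.
use strict;
use warnings;

# Vulnerable shape: the request parameter selects the file that is
# compiled and executed as Perl. Nothing ties it to the application's
# own directory or to its own script names, so any readable file the
# attacker can point at (or has managed to place) becomes server-side code.
sub dispatch_unsafe {
    my ($params) = @_;
    my $script = $params->{script};    # attacker-controlled string
    require $script;                   # loads and runs an arbitrary Perl file
}

# Hardened shape: the client picks a name from a fixed allowlist and the
# file is always loaded from a fixed, trusted directory. An allowlist is
# preferred over stripping "bad" characters, because a denylist must
# anticipate every encoding of every dangerous input (traversal, absolute
# paths, NUL bytes, shell metacharacters) and usually misses one.
my $SCRIPT_DIR = '/opt/ledger/bin';                                  # hypothetical prefix
my %ALLOWED    = map { $_ => 1 } qw(am.pl ap.pl ar.pl ca.pl gl.pl);  # hypothetical names

# Returns ($path, undef) for an acceptable name, or (undef, $reason) otherwise.
sub resolve_script {
    my ($name) = @_;
    return (undef, 'missing script parameter') unless defined $name;
    # Exact, anchored match on a tiny alphabet: no '/', no '..', no NUL and
    # no whitespace can pass, so traversal and injection attempts are
    # rejected before any filesystem access or require call happens.
    return (undef, 'malformed script name')
        unless $name =~ /\A[a-z]{2}\.pl\z/;
    return (undef, 'script not in allowlist') unless $ALLOWED{$name};
    return ("$SCRIPT_DIR/$name", undef);
}

sub dispatch_safe {
    my ($params) = @_;
    my ($path, $err) = resolve_script($params->{script});
    die "rejected: $err\n" unless defined $path;
    die "rejected: $path is not a regular file\n" unless -f $path;
    require $path;
    return $path;
}

# Constructed inputs; no real request or real-world payload is involved.
my @candidates = (
    'gl.pl',                 # legitimate allowlisted name
    '../../tmp/evil.pl',     # traversal out of the script directory
    '/var/tmp/upload.pl',    # absolute path to an attacker-writable location
    "gl.pl\0.txt",           # NUL truncation attempt
    'gl.pl; id',             # shell metacharacters
);

for my $c (@candidates) {
    my ($path, $err) = resolve_script($c);
    (my $shown = $c) =~ s/\0/\\0/g;
    printf "%-24s %s\n", $shown, defined $path ? "ok -> $path" : "rejected ($err)";
}
```

Only the first candidate resolves; the other four are rejected by the anchored pattern before `require` is ever reached. The same principle applies to any Perl CGI that maps a request parameter to a `require`, `do` or `eval` target: the client should select a key, never supply a path.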
| Recommendation |
For Debian GNU/Linux: Upgrade to the fixed version of the sql-ledger package, as listed in Debian Security Advisory DSA-1239-1 at http://www.us.debian.org/security/2006/dsa-1239
For SQL-Ledger: Upgrade to the latest version (2.6.21 or later), available from the SQL-Ledger Web site at http://www.sql-ledger.org/
For LedgerSMB: Upgrade to the latest version (1.1.7 or later), available from the SourceForge.net Web site at http://sourceforge.net/projects/ledger-smb/
For other distributions: Contact your vendor for patch or upgrade information. |
| Related URL | CVE-2006-5872 (CVE) |
| Related URL | 21634 (SecurityFocus) |
| Related URL | 30939, 32075 (ISS) |