[UNIX] DoS and Code Execution Issue in LedgerSMB

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -



DoS and Code Execution Issue in LedgerSMB
------------------------------------------------------------------------


SUMMARY

A person on the LedgerSMB core team has found a serious arbitrary code
execution issue in LedgerSMB prior to 1.1.5 and SQL-Ledger. A version of
SQL-Ledger which fixes this vulnerability was released today (version
2.6.25).

DETAILS

Vulnerable Systems:
* LedgerSMB versions prior to 1.1.5

Immune Systems:
* LedgerSMB version 1.1.5

The vulnerability allows a user to specify a custom function to run when
the software encounters an error. The software further assumes that the
error function specified never returns. For this reason, it is possible
to cause the software to take alternate paths of execution, and to force
these paths. This is particularly dangerous for users with valid logins.

For those which do not have valid login credentials, the problem more
limited but still quite dangerous. Using this method it is possible to
overwrite files in the users directory, thus affecting a DoS attack and
possible authentication bypass.

The DoS attacks can be done by any user not currently logged in, and can
force the writing of a nologin file (which will lock users out of the
system) or overwrite the users/members file (which contains users'
credentials info and settings) with invalid data. This attack can be done
with wget, for example.

All SQL-Ledger users are advised to upgrade to the latest version, and all
LedgerSMB users using versions prior to 1.1.5 should upgrade as well.


ADDITIONAL INFORMATION

The information has been provided by <mailto:chris@xxxxxxxxxxxxxxxx>
Chris Travers.
The original article can be found at: <http://www.ledgersmb.org/>
http://www.ledgersmb.org/



========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

Relevant Pages