DoS and code execution issue in LedgerSMB < 1.1.5 and SQL-Ledger < 2.6.25
Hi;
A person on the LedgerSMB core team has found a serious arbitrary code
execution issue in LedgerSMB prior to 1.1.5 and SQL-Ledger. A version
of SQL-Ledger which fixes this vulnerability was released today (version
2.6.25).
The vulnerability allows a user to specify a custom function to run when
the software encounters an error. The software further assumes that the
specified error function never returns, so when it does return, execution
continues past the error call. For this reason, it is possible to cause the
software to take alternate paths of execution, and to force these paths.
This is particularly dangerous for users with valid logins. For those
without valid login credentials, the problem is more limited but still
quite dangerous. Using this method it is possible to overwrite files in the
users/ directory, thus effecting a DoS attack and a possible
authentication bypass.
The DoS attacks can be carried out without being logged in, and can
force the creation of a nologin file (which will lock users out of the
system) or overwrite the users/members file (which contains users'
credential information and settings) with invalid data. This attack can
be done with wget, for example.
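The two defects described above, a caller-selectable error hook and callers that assume the hook never returns, shown as an added Python illustration beside a fixed shape; this is not the SQL-Ledger or LedgerSMB Perl code, and all names and the request dict are assumed.

```python
from dataclasses import dataclass

# Constructed stand-in for an application error hook. In the flaw described
# above, the hook's name came from the request and callers assumed it never
# returned; handle_vulnerable reproduces both, handle_fixed removes both.


@dataclass
class Outcome:
    action_ran: bool      # did the privileged action execute?
    error: str = ""       # error text, if the request was refused


def handler_die(msg):
    # The handler callers expect: report and abort the request.
    raise SystemExit(msg)


def handler_log(msg):
    # A handler that merely records the error and returns normally.
    return msg


HANDLERS = {"die": handler_die, "log": handler_log}


def handle_vulnerable(request: dict, logged_in: bool) -> Outcome:
    """Vulnerable shape: the handler is chosen by a request field, and the
    code after the error call is written as if it were unreachable."""
    error = HANDLERS.get(request.get("error_function", "die"), handler_die)
    if not logged_in:
        error("not logged in")
        # Falls through to the privileged action when the handler returns.
    return Outcome(action_ran=True)


def handle_fixed(request: dict, logged_in: bool) -> Outcome:
    """Fixed shape: the request cannot pick the handler, and the privileged
    action is reachable only on the authorized branch, whatever the
    handler does."""
    if not logged_in:
        handler_log("not logged in")
        return Outcome(action_ran=False, error="not logged in")
    return Outcome(action_ran=True)
```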
All SQL-Ledger users are advised to upgrade to the latest version (2.6.25),
and all LedgerSMB users running versions prior to 1.1.5 should upgrade as
well.
Best Wishes,
Chris Travers