Security bypass vulnerability in LedgerSMB and SQL-Ledger (fixes released today)
- From: Chris Travers <chris@xxxxxxxxxxxxxxxx>
- Date: Thu, 08 Mar 2007 23:26:22 -0800
George Theall of Tenable Security notified the LedgerSMB core team today of an authentication bypass vulnerability allowing full access to the administrator interface of LedgerSMB 1.1 and SQL-Ledger 2.x. The problem is caused by the password checking routine failing to enforce a password check under certain circumstances. The user can then create accounts or effect denial of service attacks.
This is not related to any previous CVE.
We have coordinated with the SQL-Ledger vendor and today both of us released security patches correcting the problem. SQL-Ledger users who can upgrade to 2.6.26 should do so, and LedgerSMB 1.1 or 1.0 users should upgrade to 1.1.9. Users who cannot upgrade should configure their web servers to use http authentication for the admin.pl script in the main root directory.
- Prev by Date: WordPress XSS under function wp_title()
- Next by Date: [ GLSA 200703-08 ] SeaMonkey: Multiple vulnerabilities
- Previous by thread: WordPress XSS under function wp_title()
- Next by thread: [ GLSA 200703-08 ] SeaMonkey: Multiple vulnerabilities