Message-ID: <45F10C1E.9080806@metatrontech.com>
Date: Thu, 08 Mar 2007 23:26:22 -0800
From: Chris Travers <chris@...atrontech.com>
To: bugtraq@...urityfocus.com
Subject: Security bypass vulnerability in LedgerSMB and SQL-Ledger (fixes released today)

Hi all;

George Theall of Tenable Security notified the LedgerSMB core team today 
of an authentication bypass vulnerability allowing full access to the 
administrator interface of LedgerSMB 1.1 and SQL-Ledger 2.x.  The 
problem is caused by the password checking routine failing to enforce a 
password check under certain circumstances.  The user can then create 
accounts or effect denial of service attacks.

This is not related to any previous CVE.

We have coordinated with the SQL-Ledger vendor and today both of us 
released security patches correcting the problem.  SQL-Ledger users who 
can upgrade to 2.6.26 should do so, and LedgerSMB 1.1 or 1.0 users 
should upgrade to 1.1.9.  Users who cannot upgrade should configure 
their web servers to use http authentication for the admin.pl script in 
the main root directory.
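The workaround above, web-server-level authentication in front of admin.pl, can be expressed as an Apache configuration. The following is an added example and is not configuration shipped by LedgerSMB, SQL-Ledger or the advisory author; it assumes the application's root directory is /var/www/ledgersmb and that an htpasswd credential file exists at /etc/apache2/ledger.htpasswd (both paths are placeholders to adjust).

```apache
# Added example (not from the advisory or either project): require HTTP Basic
# authentication for admin.pl so the application's own password check is no
# longer the only control in front of the administrator interface.
# Assumed paths: application root /var/www/ledgersmb, credential file
# /etc/apache2/ledger.htpasswd (create it with: htpasswd -c <file> <user>).
<Directory "/var/www/ledgersmb">
    <Files "admin.pl">
        AuthType Basic
        AuthName "Ledger administration"
        AuthUserFile "/etc/apache2/ledger.htpasswd"
        Require valid-user
    </Files>
</Directory>
```

Because Basic authentication only base64-encodes the credentials, this should be served over HTTPS; the `<Files>` block scopes the requirement to admin.pl only, leaving the regular login path unaffected.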

Best Wishes,
Chris Travers

