lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Fri, 22 Jan 2010 09:59:45 -0800
From: Chris Travers <>
Subject: CVE-2009-3583, confirming problem and adding info

CVE-2009-3583 refers to a security vulnerability in SQL-Ledger (and
presumably some offshoots, including early versions of LedgerSMB)
whereby one can include arbitrary Perl code.

All versions of SQL-Ledger 2.x are presumed vulnerable.  At least my
experience with SQL-Ledger suggests that the relevant code has not
changed significantly since at least 2.2.0.

All versions of LedgerSMB lower than 1.2.0 are vulnerable.  1.2.0 is
the first version that is not vulnerable.

Original full disclosure email at:
by another author.

I have not checked other offshoots.

I am writing because I don't think the original full disclosure email
provided sufficient information as to how this could be typically
exploited in a system with typical installations of SQL-Ledger or
offshoots.  Indeed, when combined with standard functionality of the
software in typical configurations, the vulnerability is relatively
easy to exploit and does not require external upload access.

The problem here is that software allows one to create arbitrarily
named files in the css and templates directories through the template
editor.  Since these files are not checked for sanity (and indeed
directory transversal has been an issue there too, but that is not
necessary to exploit this problem).

Hence if one creates a file myperlscript.css in the css directory
using the file editor that is built in with SQL-Ledger, one can then
execute the Perl code in that file using that vulnerability.
Typically, SQL-Ledger and LedgerSMB installations have these
directories writeable to the web server.  In short, in typical
configurations, the application is vulnerable regardless of other
applications configured on the system.

Early versions of LedgerSMB are vulnerable (but they have many other
security problems too).  However, in 1.2.0 we moved from perl scripts
that set up localization structures to the more standard gettext .po
format.  For this reason country codes are no longer used to execute
arbitrary code.

If anyone is still using LedgerSMB 1.1.x, this is an excellent reason
to upgrade.....

I can confirm this problem for the versions mentioned.

Best Wishes,
Chris Travers

Powered by blists - more mailing lists