• News
• Infocus
• Foundations
• Microsoft
• Unix
• IDS
• Incidents
• Virus
• Pen-Test
• Firewalls
• Columnists
• Mailing Lists
• Newsletters
• Bugtraq
• Focus on IDS
• Focus on Linux
• Focus on Microsoft
• Forensics
• Pen-test
• Security Basics
• Vuln Dev
• Vulnerabilities
• Jobs
• Job Opportunities
• Resumes
• Job Seekers
• Employers
• Tools
• RSS
• News
• Vulns
• Security Research

• info
• discussion
• exploit
• solution
• references

SQL-Ledger/LedgerSMB Template Editing File Parameter Directory Traversal Vulnerability

SQL-Ledger and LedgerSMB are prone to a remote directory-traversal vulnerability.

An attacker can exploit this issue to restrieve arbitrary files located on the vulnerable computer in the context of the webserver process.

The attacker may also exploit this issue to overwrite files. This will allow attackers to delete or change passwords, add user accounts, and execute arbitrary PERL script code in the context of the affected application. Other attacks may be also possible.

The following are reported vulnerable to this issue:

- LedgerSMB versions prior to 1.1.5
- All versions of SQL-Ledger