Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

bugtraq logo Bugtraq mailing list archives

LedgerSMB < 1.2.8, SQL-Ledger 2.x Multiple SQL Injection Issues
From: "Chris Travers" <chris.travers () gmail com>
Date: Tue, 9 Oct 2007 09:31:14 -0700
Severity:  Critical
Effect:  Compromise of FInancial Data, deletion of audit trails,
alteration of system settings, disclosure of confidential information
possible in some setups.
Affected products:  LedgerSMB 1.0.0-1.2.7 , SQL-Ledger 2.x (all versions).

1:  SQL injection issue in invoice quantity field
2:  SQL injection issue in sort field.

Solution to issue on LedgerSMB:  Upgrade to 1.2.8.

Solution to issue on SQL-Ledger:  Unfortunately the maintainer of
SQL-Ledger has declined to fix any of the SQL injection issues we have
sent his way.  Even correcting these, there are many SQL injection
issues in that application.  Our official recommendation for
SQL-Ledger users is to restrict access to database relations to the
least privelege necessary.  While this does not entirely solve the
issues, it does limit the damage considerably.

Best Wishes,
Chris Travers

  By Date           By Thread  

Current thread:
  • LedgerSMB < 1.2.8, SQL-Ledger 2.x Multiple SQL Injection Issues Chris Travers (Oct 09)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]