Test ID:	1.3.6.1.4.1.25623.1.0.57729
Category:	FreeBSD Local Security Checks
Title:	FreeBSD Ports: sql-ledger
Summary:	FreeBSD Ports: sql-ledger
Description:	The remote host is missing an update to the system as announced in the referenced advisory. The following package is affected: sql-ledger CVE-2006-4244 SQL-Ledger 2.4.4 through 2.6.17 authenticates users by verifying that the value of the sql-ledger-[username] cookie matches the value of the sessionid parameter, which allows remote attackers to gain access as any logged-in user by setting the cookie and the parameter to the same value. CVE-2006-4731 Multiple directory traversal vulnerabilities in (1) login.pl and (2) admin.pl in (a) SQL-Ledger before 2.6.19 and (b) LedgerSMB before 1.0.0p1 allow remote attackers to execute arbitrary Perl code via an unspecified terminal parameter value containing ../ (dot dot slash). Solution: Update your system with the appropriate patches or software upgrades. http://www.us.debian.org/security/2006/dsa-1239 http://www.vuxml.org/freebsd/0679deeb-8eaf-11db-abc9-0003476f14d3.html
Cross-Ref:	Common Vulnerability Exposure (CVE) ID: CVE-2006-4244 Bugtraq: 20060830 SQL-Ledger serious security vulnerability and workaround (Google Search) http://www.securityfocus.com/archive/1/archive/1/444741/100/0/threaded Bugtraq: 20060907 Full Disclosure for SQL-Ledger vulnerability CVE-2006-4244 (Google Search) http://www.securityfocus.com/archive/1/445512 BugTraq ID: 19758 http://www.securityfocus.com/bid/19758 http://secunia.com/advisories/21689 http://securityreason.com/securityalert/1472 XForce ISS Database: sql-ledger-session-unauth-access(28671) http://xforce.iss.net/xforce/xfdb/28671 Common Vulnerability Exposure (CVE) ID: CVE-2006-4731 Bugtraq: 20060912 LedgerSMB 1.0.0 and SQL-Ledger 2.6.18 and earler arbitrary code execution (Google Search) http://www.securityfocus.com/archive/1/archive/1/445817/100/0/threaded http://svn.sourceforge.net/viewvc/ledger-smb/trunk/login.pl?r1=53&r2=69 BugTraq ID: 19960 http://www.securityfocus.com/bid/19960 http://www.vupen.com/english/advisories/2006/3554 http://www.vupen.com/english/advisories/2006/3555 http://secunia.com/advisories/21824 http://secunia.com/advisories/21886 http://securityreason.com/securityalert/1553 XForce ISS Database: sqlledger-ledgersmb-terminal-file-include(28885) http://xforce.iss.net/xforce/xfdb/28885 Common Vulnerability Exposure (CVE) ID: CVE-2006-5872 Bugtraq: 20070127 Full Disclosure: Arbitrary Code Execution in LedgerSMB CVE-2006-5872 (Google Search) http://www.securityfocus.com/archive/1/archive/1/458300/100/0/threaded Debian Security Information: DSA-1239 (Google Search) http://www.debian.org/security/2006/dsa-1239 BugTraq ID: 21634 http://www.securityfocus.com/bid/21634 http://www.vupen.com/english/advisories/2006/5043 http://www.vupen.com/english/advisories/2007/0407 http://securitytracker.com/id?1017391 http://secunia.com/advisories/23375 http://secunia.com/advisories/23419
Copyright	Copyright (c) 2006 E-Soft Inc. http://www.securityspace.com

This is only one of 32582 vulnerability tests in our test suite. Find out more about running a complete security audit. To run a free test of this vulnerability against your system, register below.

New User Registration Email: UserID: Passwd: Please email me your monthly newsletters, informing the latest services, improvements & surveys. Please email me a vulnerability test announcement whenever a new test is added.     Privacy

Registered User Login   UserID:     Passwd:     Forgot userid or passwd? Email/Userid: