Test ID:	1.3.6.1.4.1.25623.1.0.57729
Category:	FreeBSD Local Security Checks
Title:	FreeBSD Ports: sql-ledger
Summary:	The remote host is missing an update to the system; as announced in the referenced advisory.
Description:	Summary: The remote host is missing an update to the system as announced in the referenced advisory. Vulnerability Insight: The following package is affected: sql-ledger CVE-2006-4244 SQL-Ledger 2.4.4 through 2.6.17 authenticates users by verifying that the value of the sql-ledger-[username] cookie matches the value of the sessionid parameter, which allows remote attackers to gain access as any logged-in user by setting the cookie and the parameter to the same value. CVE-2006-4731 Multiple directory traversal vulnerabilities in (1) login.pl and (2) admin.pl in (a) SQL-Ledger before 2.6.19 and (b) LedgerSMB before 1.0.0p1 allow remote attackers to execute arbitrary Perl code via an unspecified terminal parameter value containing ../ (dot dot slash). Solution: Update your system with the appropriate patches or software upgrades. CVSS Score: 7.5 CVSS Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Cross-Ref:	Common Vulnerability Exposure (CVE) ID: CVE-2006-4244 BugTraq ID: 19758 http://www.securityfocus.com/bid/19758 Bugtraq: 20060830 SQL-Ledger serious security vulnerability and workaround (Google Search) http://www.securityfocus.com/archive/1/444741/100/0/threaded Bugtraq: 20060907 Full Disclosure for SQL-Ledger vulnerability CVE-2006-4244 (Google Search) http://www.securityfocus.com/archive/1/445512 http://secunia.com/advisories/21689 http://securityreason.com/securityalert/1472 XForce ISS Database: sql-ledger-session-unauth-access(28671) https://exchange.xforce.ibmcloud.com/vulnerabilities/28671 Common Vulnerability Exposure (CVE) ID: CVE-2006-4731 BugTraq ID: 19960 http://www.securityfocus.com/bid/19960 Bugtraq: 20060912 LedgerSMB 1.0.0 and SQL-Ledger 2.6.18 and earler arbitrary code execution (Google Search) http://www.securityfocus.com/archive/1/445817/100/0/threaded http://svn.sourceforge.net/viewvc/ledger-smb/trunk/login.pl?r1=53&r2=69 http://secunia.com/advisories/21824 http://secunia.com/advisories/21886 http://securityreason.com/securityalert/1553 http://www.vupen.com/english/advisories/2006/3554 http://www.vupen.com/english/advisories/2006/3555 XForce ISS Database: sqlledger-ledgersmb-terminal-file-include(28885) https://exchange.xforce.ibmcloud.com/vulnerabilities/28885 Common Vulnerability Exposure (CVE) ID: CVE-2006-5872 BugTraq ID: 21634 http://www.securityfocus.com/bid/21634 Bugtraq: 20070127 Full Disclosure: Arbitrary Code Execution in LedgerSMB CVE-2006-5872 (Google Search) http://www.securityfocus.com/archive/1/458300/100/0/threaded Debian Security Information: DSA-1239 (Google Search) http://www.debian.org/security/2006/dsa-1239 http://securitytracker.com/id?1017391 http://secunia.com/advisories/23375 http://secunia.com/advisories/23419 http://www.vupen.com/english/advisories/2006/5043 http://www.vupen.com/english/advisories/2007/0407
Copyright	Copyright (C) 2008 E-Soft Inc.

This is only one of 145615 vulnerability tests in our test suite. Find out more about running a complete security audit. To run a free test of this vulnerability against your system, register below.