Test ID:	1.3.6.1.4.1.25623.1.0.57738
Category:	Debian Local Security Checks
Title:	Debian: Security Advisory (DSA-1239-1)
Summary:	The remote host is missing an update for the Debian 'sql-ledger' package(s) announced via the DSA-1239-1 advisory.
Description:	Summary: The remote host is missing an update for the Debian 'sql-ledger' package(s) announced via the DSA-1239-1 advisory. Vulnerability Insight: Several remote vulnerabilities have been discovered in SQL Ledger, a web based double-entry accounting program, which may lead to the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2006-4244 Chris Travers discovered that the session management can be tricked into hijacking existing sessions. CVE-2006-4731 Chris Travers discovered that directory traversal vulnerabilities can be exploited to execute arbitrary Perl code. CVE-2006-5872 It was discovered that missing input sanitising allows execution of arbitrary Perl code. For the stable distribution (sarge) these problems have been fixed in version 2.4.7-2sarge1. For the upcoming stable distribution (etch) these problems have been fixed in version 2.6.21-1. For the unstable distribution (sid) these problems have been fixed in version 2.6.21-1. We recommend that you upgrade your sql-ledger packages. Affected Software/OS: 'sql-ledger' package(s) on Debian 3.1. Solution: Please install the updated package(s). CVSS Score: 7.5 CVSS Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Cross-Ref:	Common Vulnerability Exposure (CVE) ID: CVE-2006-4244 BugTraq ID: 19758 http://www.securityfocus.com/bid/19758 Bugtraq: 20060830 SQL-Ledger serious security vulnerability and workaround (Google Search) http://www.securityfocus.com/archive/1/444741/100/0/threaded Bugtraq: 20060907 Full Disclosure for SQL-Ledger vulnerability CVE-2006-4244 (Google Search) http://www.securityfocus.com/archive/1/445512 http://secunia.com/advisories/21689 http://securityreason.com/securityalert/1472 XForce ISS Database: sql-ledger-session-unauth-access(28671) https://exchange.xforce.ibmcloud.com/vulnerabilities/28671 Common Vulnerability Exposure (CVE) ID: CVE-2006-4731 BugTraq ID: 19960 http://www.securityfocus.com/bid/19960 Bugtraq: 20060912 LedgerSMB 1.0.0 and SQL-Ledger 2.6.18 and earler arbitrary code execution (Google Search) http://www.securityfocus.com/archive/1/445817/100/0/threaded http://svn.sourceforge.net/viewvc/ledger-smb/trunk/login.pl?r1=53&r2=69 http://secunia.com/advisories/21824 http://secunia.com/advisories/21886 http://securityreason.com/securityalert/1553 http://www.vupen.com/english/advisories/2006/3554 http://www.vupen.com/english/advisories/2006/3555 XForce ISS Database: sqlledger-ledgersmb-terminal-file-include(28885) https://exchange.xforce.ibmcloud.com/vulnerabilities/28885 Common Vulnerability Exposure (CVE) ID: CVE-2006-5872 BugTraq ID: 21634 http://www.securityfocus.com/bid/21634 Bugtraq: 20070127 Full Disclosure: Arbitrary Code Execution in LedgerSMB CVE-2006-5872 (Google Search) http://www.securityfocus.com/archive/1/458300/100/0/threaded Debian Security Information: DSA-1239 (Google Search) http://www.debian.org/security/2006/dsa-1239 http://securitytracker.com/id?1017391 http://secunia.com/advisories/23375 http://secunia.com/advisories/23419 http://www.vupen.com/english/advisories/2006/5043 http://www.vupen.com/english/advisories/2007/0407
Copyright	Copyright (C) 2008 Greenbone AG

This is only one of 145615 vulnerability tests in our test suite. Find out more about running a complete security audit. To run a free test of this vulnerability against your system, register below.