[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Security Advisory: Multiple SQL injection issues discovered in 1.2.7, patched in 1.2.8
- Subject: Security Advisory: Multiple SQL injection issues discovered in 1.2.7, patched in 1.2.8
- From: "Chris Travers" <..hidden..>
- Date: Wed, 26 Sep 2007 20:45:46 -0700
LedgerSMB 1.2.8 has been released in part in response to multiple SQL
injection issues which were discovered in the 1.2.x codebase. These
occur because input is not properly validated and/or escaped prior to
the creation of database queries. Users of the software are urged to
upgrade as soon as possible.
Mode of attack: These could be exploited through a web browser.
Complexity of attack: Low
Impact: Integrity of financial data could be compromised. This could
be used by a competent inside attacker to hide embezzlement activities
and the like.
Other affected software: SQL-Ledger 2.x (all versions). It is unknown
how many other SQL-Ledger forks are vulnerable.
These vulnerabilities were discovered by the LedgerSMB core team in the
process of routine code audits and fixing bugs reported by users.