
LedgerSMB 1.0.0p1 released in response to Directory Traversal issue.



Hi Folks;

Yesterday, we were informed of a directory traversal vulnerability that
we inherited from the SQL-Ledger codebase. We have corrected this in this
maintenance release. We have also contacted Dieter Simader who has also
patched this issue in his latest release.

This vulnerability allows an attacker to run scripts in any directory with
the same names as the LedgerSMB scripts. When combined with the ability to
write arbitrary files using the css and template editor, one can execute
arbitrary code on the server.

All users are encouraged to upgrade to 1.0.0pl1 at their earliest
convenience, either with the tarball or the patch.

Best Wishes,
Chris Travers
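The announcement describes a dispatcher that accepted a script name and ran a same-named file from whatever directory the name pointed at. The following is an added illustration, not LedgerSMB or SQL-Ledger code, of the kind of check that closes that class of bug on the dispatch side: only bare, allowlisted names are accepted, and the canonical path is confirmed to sit inside the script directory. The allowlist, directory layout and file names are constructed for the example.

```python
import os
import tempfile

# Constructed allowlist of dispatchable script names (hypothetical, not the project's list).
ALLOWED_SCRIPTS = {"ar.pl", "ap.pl", "gl.pl"}


def resolve_script(script_name: str, script_dir: str) -> str:
    """Return the absolute path of an allowlisted script that lives inside script_dir.

    Raises ValueError for names that are not bare allowlisted file names or whose
    canonical path escapes script_dir, and FileNotFoundError if the file is absent.
    """
    # 1. Bare file names only: any separator or traversal component is rejected.
    if not script_name or os.path.basename(script_name) != script_name:
        raise ValueError(f"script name must be a bare file name: {script_name!r}")
    if script_name in (".", ".."):
        raise ValueError(f"invalid script name: {script_name!r}")
    # 2. Allowlist: the dispatcher runs only scripts it knows about.
    if script_name not in ALLOWED_SCRIPTS:
        raise ValueError(f"script not allowlisted: {script_name!r}")
    # 3. Defence in depth: canonicalise (resolves symlinks) and check containment.
    base = os.path.realpath(script_dir)
    candidate = os.path.realpath(os.path.join(base, script_name))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"resolved path escapes script directory: {candidate!r}")
    if not os.path.isfile(candidate):
        raise FileNotFoundError(candidate)
    return candidate


def is_accepted(script_name: str, script_dir: str) -> bool:
    """True when resolve_script accepts the name, False when it rejects it."""
    try:
        resolve_script(script_name, script_dir)
        return True
    except (ValueError, FileNotFoundError):
        return False


def demo() -> dict:
    """Constructed layout: a real ar.pl in bin/ and a look-alike ar.pl in templates/."""
    with tempfile.TemporaryDirectory() as root:
        script_dir = os.path.join(root, "bin")
        outside_dir = os.path.join(root, "templates")
        os.mkdir(script_dir)
        os.mkdir(outside_dir)
        open(os.path.join(script_dir, "ar.pl"), "w").close()
        open(os.path.join(outside_dir, "ar.pl"), "w").close()  # writable via an editor, say
        return {
            "ar.pl": is_accepted("ar.pl", script_dir),                # allowed, in place
            "../templates/ar.pl": is_accepted("../templates/ar.pl", script_dir),  # traversal
            "login.pl": is_accepted("login.pl", script_dir),          # not allowlisted
            "gl.pl": is_accepted("gl.pl", script_dir),                # allowlisted, missing
        }
```

The check only covers dispatch; the write primitive the announcement mentions (the css and template editor) needs its own containment check of the same shape.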