[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
LedgerSMB1.0.0p1 released in response to Directory Transversal issue.
- Subject: LedgerSMB1.0.0p1 released in response to Directory Transversal issue.
- From: "Chris Travers" <..hidden..>
- Date: Mon, 11 Sep 2006 19:17:47 -0700
Yesterday, we were informed of a directory transversal vulnerability that
we inherited from the SQL-Ledger codebase="" We have corrected this in th=
maintenance release=2E We have also contacted Dieter Simader who has also=
patched this issue in his latest release=2E
This vulnerability allows an attacker to run scripts in any directory with=
the same names as the LedgerSMB scripts=2E When combined with the ability=
write arbitrary files using the css and template editor, one can execute
arbitrary code on the server=2E
All users are encouraged to upgrade to 1=2E0=2E0pl1 at their earliest
convenience, either with the tarball or the patch=2E