LedgerSMB 1.0.0p1 released in response to Directory Traversal issue.
- Subject: LedgerSMB 1.0.0p1 released in response to Directory Traversal issue.
- From: "Chris Travers" <..hidden..>
- Date: Mon, 11 Sep 2006 19:17:47 -0700
Hi Folks;
Yesterday, we were informed of a directory traversal vulnerability that
we inherited from the SQL-Ledger codebase. We have corrected this in this
maintenance release. We have also contacted Dieter Simader, who has also
patched this issue in his latest release.

This vulnerability allows an attacker to run scripts in any directory with
the same names as the LedgerSMB scripts. When combined with the ability to
write arbitrary files using the css and template editor, one can execute
arbitrary code on the server.

All users are encouraged to upgrade to 1.0.0pl1 at their earliest
convenience, either with the tarball or the patch.
Best Wishes,
Chris Travers