[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Potential security issue with LedgerSMB (inherited from SL)

Subject: Re: Potential security issue with LedgerSMB (inherited from SL)
From: "Chris Travers" <..hidden..>
Date: Mon, 11 Sep 2006 10:37:14 -0700

One more thing--

I think this directory transversal vulnerability would be extremely difficult to exploit in most environments because you could only include files with the same names as the SQL-Ledger/LedgerSMB scripts, though in a shared hosting environment (running SQL-Ledger via a hosting provider) there might be some obvious and serious concerns. I think the level of this threat ought to be "moderate."

Also note that this does not require authentication to run, but that doing anything interesting with it (i.e. accessing the database) does.

Best Wishes,
Chris Travers

References:
- Potential security issue with LedgerSMB (inherited from SL)
  - From: Christopher Murtagh
- Re: Potential security issue with LedgerSMB (inherited from SL)
  - From: Richard Patterson
- Re: Potential security issue with LedgerSMB (inherited from SL)
  - From: Christopher Murtagh
- Re: Potential security issue with LedgerSMB (inherited from SL)
  - From: Chris Travers
- Re: Potential security issue with LedgerSMB (inherited from SL)
  - From: Richard Patterson
- Re: Potential security issue with LedgerSMB (inherited from SL)
  - From: Chris Travers
- Re: Potential security issue with LedgerSMB (inherited from SL)
  - From: Christopher Murtagh
- Re: Potential security issue with LedgerSMB (inherited from SL)
  - From: Chris Travers

Prev by Date: Re: Potential security issue with LedgerSMB (inherited from SL)
Next by Date: Re: Potential security issue with LedgerSMB (inherited from SL)
Previous by thread: Re: Potential security issue with LedgerSMB (inherited from SL)
Next by thread: Re: Potential security issue with LedgerSMB (inherited from SL)
Index(es):
- Date
- Thread