SQL-Ledger/LedgerSMB Multiple Directory Traversal Vulnerabilities

Vulnerability ID: 1111005   Vulnerability type: Path traversal
Published: 2006-09-12   Updated: 2007-01-25
CVE ID: CVE-2006-4731   CNNVD ID: CNNVD-200609-155
Platform: CGI   CVSS score: 5.0
|Sources
https://www.exploit-db.com/exploits/28514
https://www.securityfocus.com/bid/19960
https://cxsecurity.com/issue/WLB-2006090081
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200609-155
|Details
Multiple directory traversal vulnerabilities in (1) login.pl and (2) admin.pl in (a) SQL-Ledger before 2.6.19 and (b) LedgerSMB before 1.0.0p1 allow remote attackers to execute arbitrary Perl code via a terminal parameter value containing ../ (dot dot slash). The parameter is used as a path component of a Perl file that the script loads, so a traversal sequence points the script at a file outside the intended directory; any file the attacker is able to write on the server (for example through the application's built-in text editor) is then executed as Perl in the context of the web server process.
|Exploit
source: http://www.securityfocus.com/bid/19960/info

SQL-Ledger and LedgerSMB are prone to a remote directory-traversal vulnerability.

An attacker can exploit this issue to include arbitrary files located on the vulnerable computer in the context of the webserver process. 

The attacker may be able to use the application's built-in text editor to alter a local file and exploit this issue to execute arbitrary code. This may facilitate a compromise of the vulnerable computer.

SQL-Ledger version 2.6.18 and LedgerSMB version 1.0.0 are vulnerable to this issue.

http://www.example.com/path/login.pl?terminal=../css
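The following is an added illustration of the flaw behind that PoC URL; it is not SQL-Ledger or LedgerSMB code. It assumes the application keeps its per-terminal UI scripts under bin/<terminal>/login.pl and that the attacker has already placed a Perl file elsewhere under the web root (here css/login.pl, constructed for the demo; the advisory names the built-in text editor as one way to do that). The vulnerable loader splices the terminal parameter straight into the path it passes to require(), so terminal=../css runs the attacker's file; the hardened loader accepts only the shipped terminal names and, as defence in depth, checks that the resolved file is still under bin/.

```perl
#!/usr/bin/perl
# Added illustration, not SQL-Ledger or LedgerSMB code: a user-supplied
# "terminal" value spliced into the path of a Perl file that is then
# require()d, beside a hardened loader. The bin/<terminal>/login.pl layout
# and the css/ directory are assumptions modelled on the advisory's PoC URL.
use strict;
use warnings;
use Cwd qw(abs_path);
use File::Path qw(make_path);
use File::Temp qw(tempdir);

# The only UI flavours the application ships; anything else is not a terminal.
my %KNOWN_TERMINAL = map { $_ => 1 } qw(mozilla lynx);

# Throw-away web root. Everything under it is constructed for this demo.
my $root = tempdir(CLEANUP => 1);
make_path("$root/bin/mozilla", "$root/css");

# Legitimate per-terminal script. The last value of the file is what
# require() returns, which keeps the demo free of duplicate sub definitions.
write_file("$root/bin/mozilla/login.pl", "'legitimate login form from bin/mozilla';\n");

# Attacker-controlled file outside bin/, named login.pl so traversal hits it.
write_file("$root/css/login.pl", "'ATTACKER PERL CODE EXECUTED';\n");

# Vulnerable pattern: whatever arrived in ?terminal= becomes a path segment,
# so terminal=../css makes Perl load and run $root/bin/../css/login.pl.
sub load_terminal_vulnerable {
    my ($terminal) = @_;
    return require "$root/bin/$terminal/login.pl";
}

# Hardened loader: allowlist first, then confirm the resolved file still
# lives under bin/ as defence in depth against any later path handling.
sub load_terminal_hardened {
    my ($terminal) = @_;
    die "unknown terminal\n"
        unless defined $terminal && $KNOWN_TERMINAL{$terminal};
    my $bin  = abs_path("$root/bin");
    my $file = abs_path("$root/bin/$terminal/login.pl");
    die "path escapes bin/\n"
        unless defined $file && index($file, "$bin/") == 0;
    return require $file;
}

sub write_file {
    my ($path, $content) = @_;
    open my $fh, '>', $path or die "cannot write $path: $!";
    print {$fh} $content;
    close $fh or die "cannot close $path: $!";
}

# Same request against both loaders. require() caches by path, so each
# file is loaded at most once during the run.
printf "vulnerable terminal=%-18s -> %s\n", '../css',
    load_terminal_vulnerable('../css');
for my $t ('../css', 'mozilla/../../css', 'mozilla') {
    my $r = eval { load_terminal_hardened($t) };
    chomp(my $err = $@);
    printf "hardened   terminal=%-18s -> %s\n", $t,
        defined $r ? $r : "rejected ($err)";
}
```

The allowlist is the actual fix: a terminal name is one of a handful of known strings, so there is no reason to accept anything else. The realpath containment check is there so that a future change to how the path is assembled cannot quietly reintroduce traversal. Rejecting only "../" would not be enough, since the same value can be delivered encoded or combined with a legitimate prefix, as the second hardened call shows. The LedgerSMB revision diff linked under References is the project's own fix; this example does not claim to reproduce it.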
|Affected products
SQL-Ledger 2.6.18
SQL-Ledger 2.6.17
LedgerSMB 1.0
Debian Linux 3.1
|References

Source: VUPEN
Name: ADV-2006-3555
Link: http://www.frsirt.com/english/advisories/2006/3555
Source: VUPEN
Name: ADV-2006-3554
Link: http://www.frsirt.com/english/advisories/2006/3554
Source: sourceforge.net
Link: http://sourceforge.net/project/shownotes.php?group_id=175965&release_id=446778
Source: SECUNIA
Name: 21886
Link: http://secunia.com/advisories/21886
Source: SECUNIA
Name: 21824
Link: http://secunia.com/advisories/21824
Source: XF
Name: sqlledger-ledgersmb-terminal-file-include(28885)
Link: http://xforce.iss.net/xforce/xfdb/28885
Source: www.sql-ledger.org
Link: http://www.sql-ledger.org/cgi-bin/nav.pl?page=news.html&title=What%27s%20New
Source: BID
Name: 19960
Link: http://www.securityfocus.com/bid/19960
Source: BUGTRAQ
Name: 20060912 LedgerSMB 1.0.0 and SQL-Ledger 2.6.18 and earler arbitrary code execution
Link: http://www.securityfocus.com/archive/1/archive/1/445817/100/0/threaded
Source: MISC
Link: http://svn.sourceforge.net/viewvc/ledger-smb/trunk/login.pl?r1=53&r2=69
Source: SREASON
Name: 1553
Link: http://securityreason.com/securityalert/1553