LedgerSMB/SQL-Ledger am.pl Directory Traversal Vulnerability

Vulnerability ID: 1112480    Vulnerability type: Path traversal
Published: 2007-03-19    Updated: 2007-04-13
CVE ID: CVE-2007-1540    CNNVD-ID: CNNVD-200703-451
Platform: CGI    CVSS score: 4.3
|Vulnerability source
https://www.exploit-db.com/exploits/29761
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200703-451
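|Vulnerability details
A directory traversal vulnerability exists in am.pl in (1) SQL-Ledger 2.6.27 and earlier and (2) LedgerSMB before 1.2.0. A remote attacker can run arbitrary executables and bypass authentication by means of a .. sequence and a trailing NULL (%00) in the login parameter.
|Exploit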
source: http://www.securityfocus.com/bid/23034/info

LedgerSMB/SQL-Ledger are prone to a local file-include vulnerability because the application fails to sufficiently sanitize user-supplied input. SQL-Ledger is also prone to an authentication-bypass vulnerability.

A successful exploit would allow an attacker to view files and execute arbitrary local scripts within the context of the webserver and potentially gain unauthorized access to the affected application.

Note that the authentication-bypass issue affects only SQL-Ledger.

These issues affect LedgerSMB prior to 1.1.10 and SQL-Ledger prior to 2.6.27.

http://www.example.com/sql-ledger/am.pl?login=../../../home/user/foo.pl%00&action=add_department
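
An added detection example, not part of the original advisory or of either project's code: it scans web-server access-log lines for am.pl requests whose login parameter carries the .. sequence or NUL byte described above. The log format (Common Log Format), the login allowlist and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: legitimate login names use only these characters; adjust to local policy.
SAFE_LOGIN = re.compile(r"[A-Za-z0-9_.@-]+")
# Request field of a Common/Combined Log Format line: "METHOD target HTTP/x.y"
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def login_findings(target):
    """Return sorted reasons why the login parameter of an am.pl request is suspicious."""
    parts = urlsplit(target)
    if not parts.path.endswith("/am.pl"):
        return []
    reasons = set()
    # parse_qs percent-decodes each value, so %00 becomes a literal NUL character.
    for value in parse_qs(parts.query, keep_blank_values=True).get("login", []):
        if "\x00" in value:
            reasons.add("nul-byte")
        if ".." in value.replace("\\", "/").split("/"):
            reasons.add("dot-dot-segment")
        if "/" in value or "\\" in value:
            reasons.add("path-separator")
        if not SAFE_LOGIN.fullmatch(value):
            reasons.add("outside-allowlist")
    return sorted(reasons)

def scan(log_lines):
    """Return (line_number, reasons) for every line with a suspicious am.pl login value."""
    hits = []
    for number, line in enumerate(log_lines, 1):
        match = REQUEST.search(line)
        reasons = login_findings(match.group(1)) if match else []
        if reasons:
            hits.append((number, reasons))
    return hits

# Constructed sample lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [19/Mar/2007:10:00:00 +0000] "GET /sql-ledger/am.pl?login=alice&action=add_department HTTP/1.1" 200 512',
    '198.51.100.7 - - [19/Mar/2007:10:00:05 +0000] "GET /sql-ledger/am.pl?login=../../../home/user/foo.pl%00&action=add_department HTTP/1.1" 200 2048',
    '192.0.2.10 - - [19/Mar/2007:10:00:09 +0000] "GET /sql-ledger/login.pl?login=alice HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for number, reasons in scan(SAMPLE_LOG):
        print(f"line {number}: {', '.join(reasons)}")
```

The same allowlist check, applied to the login value before it is used to build any file path, is the server-side counterpart of this log rule.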
|References

Source: sourceforge.net
Link: http://sourceforge.net/project/shownotes.php?release_id=494462&group_id=175965
Source: BID
Name: 23034
Link: http://www.securityfocus.com/bid/23034
Source: BUGTRAQ
Name: 20070318 Full Disclosure: Arbitrary execution vulnerability in SQL-Ledger and LedgerSMB
Link: http://www.securityfocus.com/archive/1/archive/1/463175/100/0/threaded
Source: OSVDB
Name: 33624
Link: http://www.osvdb.org/33624
Source: VUPEN
Name: ADV-2007-1025
Link: http://www.frsirt.com/english/advisories/2007/1025
Source: VUPEN
Name: ADV-2007-1024
Link: http://www.frsirt.com/english/advisories/2007/1024
Source: sql-ledger.com
Link: http://sql-ledger.com/cgi-bin/nav.pl?page=news.html&title=What%27s%20New
Source: SECUNIA
Name: 24585
Link: http://secunia.com/advisories/24585
Source: SECUNIA
Name: 24560
Link: http://secunia.com/advisories/24560