George Theall of Tenable Security notified the LedgerSMB
core team today of an authentication bypass vulnerability
allowing full access to the administrator interface of
LedgerSMB 1.1 and SQL-Ledger 2.x. The problem is caused
by the password checking routine in admin.pl failing to
enforce a password check under certain circumstances. An
unauthenticated remote user can then reach the administrator
interface and create accounts or mount denial of service
attacks.
This is not related to any previous CVE.
We have coordinated with the SQL-Ledger vendor and
today both of us released security patches correcting
the problem. SQL-Ledger users who can upgrade to 2.6.26
should do so, and LedgerSMB 1.1 or 1.0 users should
upgrade to 1.1.9. Users who cannot upgrade should
configure their web servers to require HTTP authentication
for the admin.pl script in the top-level directory of the
installation, so that the web server, not the application,
enforces a credential check before the script runs.
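The following Apache httpd stanza is an added example of the workaround described above; it is not part of the advisory or of the LedgerSMB or SQL-Ledger code. It assumes Apache 2.x with mod_auth_basic and mod_authn_file loaded, an installation directory of /usr/local/ledgersmb (use the real path, e.g. the SQL-Ledger directory for that product), and a password file at /etc/apache2/ledgersmb-admin.htpasswd; all three are assumptions.

```apache
# Added example, not from the advisory or the project. Gates admin.pl
# behind HTTP Basic authentication as a stopgap until the fixed release
# (LedgerSMB 1.1.9 / SQL-Ledger 2.6.26) is installed.
#
# Assumed install directory: /usr/local/ledgersmb
# Assumed password file:     /etc/apache2/ledgersmb-admin.htpasswd
#   created with:  htpasswd -c /etc/apache2/ledgersmb-admin.htpasswd adminuser
#   (keep it outside the web-served tree so it cannot be downloaded)
<Directory "/usr/local/ledgersmb">
    # Only admin.pl is gated here; the other scripts keep the
    # application's own login, which this advisory does not affect.
    <Files "admin.pl">
        AuthType Basic
        AuthName "LedgerSMB administration"
        AuthUserFile "/etc/apache2/ledgersmb-admin.htpasswd"
        Require valid-user
    </Files>
</Directory>
```

If the stanza goes into a .htaccess file in the installation directory instead of the main configuration, drop the <Directory> wrapper and make sure the enclosing <Directory> has AllowOverride AuthConfig. After reloading Apache, an unauthenticated request such as `curl -sI http://host/ledgersmb/admin.pl` should return a 401 status rather than the admin page. Basic authentication only base64-encodes the credentials, so serve admin.pl over HTTPS; and the stanza does not correct the bypass in the script itself, so it is a mitigation, not a substitute for upgrading.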