Detections
Analytics

SQL-Ledger 'admin.pl' Empty Credentials

high Nessus Plugin ID 43404

Language:

Synopsis

The remote web server is hosting a CGI application that does not require credentials.

Description

The remote web server is hosting SQL-Ledger, a web-based double-entry accounting system.

The installed version does not require credentials to access the administrator interface.

Note that the installed version is potentially affected by several other vulnerabilities, though Nessus has not tested for these.

Solution

Set a strong password for accessing the Administrator interface.

See Also

https://seclists.org/bugtraq/2007/Mar/147

Plugin Details

Severity: High

ID: 43404

File Name: sql_ledger_empty_creds.nasl

Version: 1.12

Type: remote

Family: CGI abuses

Published: 12/23/2009

Updated: 4/11/2022

Configuration: Enable thorough checks

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.8

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Information

Excluded KB Items: Settings/disable_cgi_scanning

Exploit Ease: No exploit is required

Exploited by Nessus: true

Vulnerability Publication Date: 12/21/2009

Reference Information

CVE: CVE-2009-4402

BID: 37431

CWE: 16