This script is Copyright (C) 2007-2014 Tenable Network Security, Inc.
The remote FreeBSD host is missing a security-related update.
Chris Travers reports :
George Theall of Tenable Security notified the LedgerSMB core team
today of an authentication bypass vulnerability allowing full access
to the administrator interface of LedgerSMB 1.1 and SQL-Ledger 2.x.
The problem is caused by the password checking routine failing to
enforce a password check under certain circumstances. The user can
then create accounts or effect denial of service attacks.
This is not related to any previous CVE.
We have coordinated with the SQL-Ledger vendor and today both of us
released security patches correcting the problem. SQL-Ledger users who
can upgrade to 2.6.26 should do so, and LedgerSMB 1.1 or 1.0 users
should upgrade to 1.1.9. Users who cannot upgrade should configure
their web servers to use http authentication for the admin.pl script
in the main root directory.
See also :
Update the affected package.
Risk factor :
Family: FreeBSD Local Security Checks
Nessus Plugin ID: 24838 (freebsd_pkg_8e02441dd39c11dba6da0003476f14d3.nasl)
Get Nessus Professional to scan unlimited IPs, run compliance checks & moreBuy Nessus Professional Now