Hi all; The LedgerSMB development team has found an SQL injection issue in LedgerSMB 1.2.24. Because this issue stems from our common SQL-Ledger heritage, it affects all versions of LedgerSMB and has been confirmed in SQL-Ledger 2.8.33. We contacted Dieter when we initially discovered this and now three weeks later it is doubtful when this will be fixed on his side (his last communication said it was likely to be at least a few more weeks from present with no committed timeline). It is expected that when SQL-Ledger 2.8.34 is released it will contain a fix for this issue. Versions affected: SQL Ledger, all 2.6 and 2.8 versions, possibly older versions as well. LedgerSMB production versions 1.2.24 and earlier LedgerSMB trunk, SVN revisions up through 3598 Effect: Allows arbitrary SQL commands to be run Login required: Yes Overall impact: In LedgerSMB 1.2 and SQL-Ledger, in typical setups, this allows virtually all data in the database to be tampered with by a successful attacker. Audit trails can be overwritten, transactions entered for fraudulent purposes, etc. This should be seen among these users as a critical fix. For those running LedgerSMB 1.3 snapshots, betas, etc, the vulnerability could allow someone to enter invalid data into the database. However the actual audit trails etc, are generally expected not to be subject to this tampering and the access to the database is much narrower. Remember that security is enforced by the database in 1.3.0 so this does not pose a privilege escalation issue as it would in 1.2.x and below. For this reason this should be seen among these users as a moderately important problem, which should be fixed as soon as possible but isn't as critical as it is on past versions. We have released a fix for this issue. It has not been fully regression tested and therefore we recommend putting it through a little testing before putting it into production. This is the only fix found in 1.2.25-rc1 (vs 1.2.24). For those interested in installing the normal way, please download from https://sourceforge.net/projects/ledger-smb/files/Development%20Snapshots/1.2.25-rc1/ We expect 1.2.25 to hit general release by Monday assuming no problems are found with this fix. Those who are not able to upgrade are welcome to contact me for a patch that contains the fix. Again it should be put through some testing before being put into production, Credit for discovery of the problem goes to Erik Huelsmann. We expect to release a full disclosure email with exploit information in a few weeks, after everyone has a chance to upgrade. The purpose of that email will be to facilitate the development of automated vulnerability tests by security vendors. Thank you for your time, Chris Travers LedgerSMB Core Team