From: <vl...@it...> - 2023-11-25 09:12:35

Good day! I am trying to set up webERP but have some errors:

1) install/index.php (line ~1226): the system does not split the SQL statements ' SET names UTF8; SET FOREIGN_KEY_CHECKS = 0' on ';'.

    }
    if (mb_strpos($SQLScriptFile[$i],';')>0 AND ! $InAFunction){
        // Database created above with correct name.
        if (strncasecmp($SQL, ' CREATE DATABASE ', 17) AND strncasecmp($SQL, ' USE ', 5)){
            $SQL = mb_substr($SQL,0,mb_strlen($SQL)-1);
            if ($SQL==' SET names UTF8; SET FOREIGN_KEY_CHECKS = 0') {

I have modified the php file to suppress this error, but I get another error (after uploading the default.sql file):

2) Fatal error: Uncaught mysqli_sql_exception: Table 'accountgroups' already exists in /var/www/html/webERP/install/index.php: 1125
    Stack trace:
    #0 /var/www/html/webERP/install/index.php(1125): mysqli_next_result()
    #1 /var/www/html/webERP/install/index.php(420): PopulateSQLData()
    #2 {main}
    thrown in /var/www/html/webERP/install/index.php on line 1125
From: Tim S. <tim...@gm...> - 2022-01-25 09:34:12

From here: http://www.weberp.org/forum/showthread.php?tid=9104&pid=17281#pid17281

"Under Utilities/Maintenance you should find an option to "Re-Post all GL transactions from a specified period". Can you run this, starting at the first period in the list. This may take a while depending on how many transactions you have on your system, and all other users should be logged out of the system at the time."

Tim

On Tue, 25 Jan 2022 at 09:31, Almohafiz Contracting LLC <in...@al...> wrote:
>
> Dear Team,
>
> We have been using Weberp for a long time in our office, and we are facing
> problems in our ledger accounts with opening and closing balances. For
> example, if we take any ledger account, the closing balance of Jan is matching
> the opening balance of Feb. Can you please guide us on how to overcome this issue?
>
> _______________________________________________
> Web-erp-developers mailing list
> Web...@li...
> https://lists.sourceforge.net/lists/listinfo/web-erp-developers

--
www.weberpafrica.com
@TimSchofield2
Blog: https://kwamoja.home.blog/
From: Almohafiz C. L. <in...@al...> - 2022-01-25 06:57:15

Dear Team,

We have been using Weberp for a long time in our office, and we are facing problems in our ledger accounts with opening and closing balances. For example, if we take any ledger account, the closing balance of Jan is matching the opening balance of Feb. Can you please guide us on how to overcome this issue?
From: Phesto P. N. <phe...@go...> - 2021-12-15 11:19:40

Hello Members

We are currently conducting a study that aims to optimise User Experience (UX) in the development processes of Free and Open-source software (FOSS), including Web ERP. This study believes that delivering projects of this nature with desirable UX is an organisational effort. Therefore, precisely comprehending what makes FOSS projects with desirable UX, integrating them in the development processes, and optimally assessing these processes are mandatory.

UX is still ambiguous, and what creates several FOSS projects with desirable UX is still unknown. Moreover, although these projects offer immense contributions, they are not widely adopted, and UX is recurring as the significant cause of ongoing adoption misfortune. The FOSS community has not done enough to address these challenges.

Therefore, to dig deeper into this problem, we have developed a questionnaire with several UX influencing factors seeking FOSS stakeholders' perceptions. The developed questionnaire provides evidence rather than opinions when capturing insights into how stakeholders in the FOSS community perceive UX influencing factors. Furthermore, it is the derivative of several psychometric scales, such as AttrakDiff, VisAWI, SUS, UEQ, meCUE, and reviewed literature.

We kindly request that the network feel free to offer candid feedback by completing the appraisal in the link shown below.

https://forms.gle/rzLcEwj3LpPkci3p7

--
| Phesto P Namayal | P.O. Box 40673 | Dar es Salaam. Tanzania |
| email: pna...@mu... | website: http://www.mustnet.ac.tz |
From: PaulT <tur...@gm...> - 2021-12-02 04:00:56

## Release Highlights

The highlights of this release are listed below. For a full list of changes included in this release, please refer to [CHANGELOG.md](https://github.com/webERP-team/webERP/blob/master/doc/CHANGELOG.md).

### Added

- PDFPriceList.php: Alternating row shading.
- New theme improvements, plus more rtl support (Thanks to Juergen Mueller)
- StockUsageGraph.php: Show zero counts within period. (with a new system parameter to use this feature)
- New Finnish Translation (Thanks to Pekka Viiliainen)

### Fixed

- Bug in sanitising routing
- Errors with Z_DeleteCreditNote.php
- Update getRptLinks() handling
- Dashboard: sales person invoices were divulged to other sales people when a customer had multiple branches with different sales people attached.
- MRP shortages incorrectly included "Service/Labour" items. (Thanks to Alan Miller)

### Changed

- Update Español locale (Thanks to Rafael Chacón)
- Add https protocol with geocode urls, and missing key parameter. (Thanks to JanB)
- Removed get_magic_quotes_gpc()
- Counter Sales UX improvements and other handling. (Thanks to Express Achiever)

### Security

- Fix LFI vulnerability. (Thanks to Si...@ly...)
- Fix several other reported vulnerabilities. (Thanks to Mario Riederer)
- Forms: Apply htmlspecialchars() or urlencode() to parameters as needed.

### Other

For those interested in [webSHOP](https://github.com/webERP-team/webSHOP) (a shopping cart application integrated with webERP), it can be downloaded from there, and details for use are available at the webSHOP link. Though webSHOP was initially bundled with webERP starting with v4.15 in the zip file provided to sourceforge users, it will be removed with the next v5 for being of low use (if any) to most users, and is available as a separate project whenever needed.

## Contributors

Contributors to this release (in alphabetical order):

- Alan Miller
- Confucius
- Express Achiever
- HDeriauFF
- JanB
- Juergen Mueller
- Mario Riederer
- PaulT
- Pekka Viiliainen
- Phil Daintree
- Rafael Chacón
- Si...@ly...
- Tim Schofield
From: Tim S. <tim...@gm...> - 2021-05-10 19:30:52

Thank you Gilberto :)

On Mon, 10 May 2021, 18:08 gilberto dos santos alves, <gs...@gm...> wrote:
> great. best regards.
>
> On Mon, 10 May 2021 06:17, Tim Schofield <tim...@gm...> wrote:
>
>> A while ago a colleague reworked the themes on our code that our
>> customers use. I like the look that he has achieved, and he has
>> copied them over onto the webERP code. I tried posting screenshots of
>> how it looks, but the mailing lists won't take the attachments.
>>
>> Juergen has setup a demo on one of our servers so you can view how it
>> looks at https://weberp.kwamoja.org user/password is admin/weberp
>>
>> Tim
>>
>>
>> --
>> www.weberpafrica.com
>> @TimSchofield2
>> Blog: https://kwamoja.home.blog/
>>
>>
>> _______________________________________________
>> Web-erp-developers mailing list
>> Web...@li...
>> https://lists.sourceforge.net/lists/listinfo/web-erp-developers
>>
>
> _______________________________________________
> Web-erp-developers mailing list
> Web...@li...
> https://lists.sourceforge.net/lists/listinfo/web-erp-developers
>
From: gilberto d. s. a. <gs...@gm...> - 2021-05-10 17:08:12

great. best regards.

On Mon, 10 May 2021 06:17, Tim Schofield <tim...@gm...> wrote:
> A while ago a colleague reworked the themes on our code that our
> customers use. I like the look that he has achieved, and he has
> copied them over onto the webERP code. I tried posting screenshots of
> how it looks, but the mailing lists won't take the attachments.
>
> Juergen has setup a demo on one of our servers so you can view how it
> looks at https://weberp.kwamoja.org user/password is admin/weberp
>
> Tim
>
>
> --
> www.weberpafrica.com
> @TimSchofield2
> Blog: https://kwamoja.home.blog/
>
>
> _______________________________________________
> Web-erp-developers mailing list
> Web...@li...
> https://lists.sourceforge.net/lists/listinfo/web-erp-developers
>
From: Tim S. <tim...@gm...> - 2021-05-10 09:17:10

A while ago a colleague reworked the themes on our code that our customers use. I like the look that he has achieved, and he has copied them over onto the webERP code. I tried posting screenshots of how it looks, but the mailing lists won't take the attachments.

Juergen has setup a demo on one of our servers so you can view how it looks at https://weberp.kwamoja.org user/password is admin/weberp

Tim

--
www.weberpafrica.com
@TimSchofield2
Blog: https://kwamoja.home.blog/
From: Phil D. <ph...@lo...> - 2020-12-21 06:30:17

Looks great :-)

I wonder how much of the changes are hard coded language? I had it set to UK English and I still had a mass of chinese characters on the screen.... probably because the data is all Chinese?

If it could be brought into webERP that would be really fantastic!!

Phil Daintree
0275 567890

On 21/12/20 6:36 pm, Rafael Chacón wrote:
> It is very cool. Nice!!!
>
> On Sun, 20 Dec 2020 at 21:44, Exson Qu <hex...@gm...> wrote:
>
>> *Dear all, *
>>
>> Long time no see. How have you been?
>> A Chinese developer has developed webERP with a new interface by
>> vue. You can find the demo here:
>> Dashboard-ERP管理系统 (ybtyny.com)
>> <http://api.ybtyny.com:3004/vuetest/#/index>
>> It is very cool in the mobile device.
>> Shall we add it to webERP? Or any other idea?
>> Thanks and regards!
>> Exson
>>
>> _______________________________________________
>> Web-erp-developers mailing list
>> Web...@li...
>> https://lists.sourceforge.net/lists/listinfo/web-erp-developers
>>
> _______________________________________________
> Web-erp-developers mailing list
> Web...@li...
> https://lists.sourceforge.net/lists/listinfo/web-erp-developers
From: Rafael C. <raf...@gm...> - 2020-12-21 05:37:23

It is very cool. Nice!!!

On Sun, 20 Dec 2020 at 21:44, Exson Qu <hex...@gm...> wrote:
> *Dear all, *
>
> Long time no see. How have you been?
> A Chinese developer has developed webERP with a new interface by
> vue. You can find the demo here:
> Dashboard-ERP管理系统 (ybtyny.com)
> <http://api.ybtyny.com:3004/vuetest/#/index>
> It is very cool in the mobile device.
> Shall we add it to webERP? Or any other idea?
> Thanks and regards!
> Exson
>
> _______________________________________________
> Web-erp-developers mailing list
> Web...@li...
> https://lists.sourceforge.net/lists/listinfo/web-erp-developers
>
From: Exson Qu <hex...@gm...> - 2020-12-21 03:44:06

*Dear all, *

Long time no see. How have you been?

A Chinese developer has developed webERP with a new interface by vue. You can find the demo here:
Dashboard-ERP管理系统 (ybtyny.com) <http://api.ybtyny.com:3004/vuetest/#/index>

It is very cool in the mobile device.

Shall we add it to webERP? Or any other idea?

Thanks and regards!
Exson
From: Dale S. <dal...@sh...> - 2020-09-13 17:43:45

Thanks Gilberto. I have always found the WebERP community to be very supportive.

----- Original Message -----
> From: "Gilberto Dos Santos Alves" <gs...@gm...>
> To: "web-erp-developers" <web...@li...>
> Sent: Sunday, September 13, 2020 9:51:07 AM
> Subject: Re: [WebERP-developers] Potential consulting work to upgrade circa 2010 site

> hi. if you have questions or doubts please post here and we are happy for
> directions, remarks, explanations for weberp.
>
From: gilberto d. s. a. <gs...@gm...> - 2020-09-13 15:51:37

hi. if you have questions or doubts please post here and we are happy for directions, remarks, explanations for weberp.

On Fri, 11 Sep 2020 00:13, Dale Scott <dal...@sh...> wrote:
> Hello all, I was contacted by someone using a WebERP snapshot circa 2010
> (you may have even have heard from them yourself...). Their
> sysadmin/support person in HK announced they would be unable to continue
> support next year. Just out of curiosity, is it likely a vanilla "2010"
> database will update cleanly using the upgrade scripts only?
>
> Also, since I doubt I'm the best person for the job, what is the best way
> for a "user" to obtain commercial technical support? Is anyone making a
> business out of providing support services?
>
> So far I've only asked questions to better understand the scope, but would
> like to understand possible options (one could be to just post an ad here
> themselves). On the other hand, perhaps there is value to having a
> go-between person to translate business-speak to developer-speak (and a big
> enough pie everyone is satisfied with their slice).
>
> Cheers,
> Dale
>
> ---
> Dale Scott
> Engineer | CTO | NPI | Coach
> Email: da...@da...
> Web: [ http://www.dalescott.net/ | www.dalescott.net ]
>
>
>
> _______________________________________________
> Web-erp-developers mailing list
> Web...@li...
> https://lists.sourceforge.net/lists/listinfo/web-erp-developers
>
From: Wayne M. <way...@gm...> - 2020-09-11 04:23:21

I can guarantee it won't upgrade cleanly. I had to upgrade from 3.04 to 3.1? (3.15). There were several issues that I had to fix manually.

On 11 Sep 2020, 15:13, at 15:13, Dale Scott <dal...@sh...> wrote:
>Hello all, I was contacted by someone using a WebERP snapshot circa 2010
>(you may have even have heard from them yourself...). Their
>sysadmin/support person in HK announced they would be unable to
>continue support next year. Just out of curiosity, is it likely a
>vanilla "2010" database will update cleanly using the upgrade scripts
>only?
>
>Also, since I doubt I'm the best person for the job, what is the best
>way for a "user" to obtain commercial technical support? Is anyone
>making a business out of providing support services?
>
>So far I've only asked questions to better understand the scope, but
>would like to understand possible options (one could be to just post an
>ad here themselves). On the other hand, perhaps there is value to
>having a go-between person to translate business-speak to
>developer-speak (and a big enough pie everyone is satisfied with their
>slice).
>
>Cheers,
>Dale
>
>---
>Dale Scott
>Engineer | CTO | NPI | Coach
>Email: da...@da...
>Web: [ http://www.dalescott.net/ | www.dalescott.net ]
>
>
>
>_______________________________________________
>Web-erp-developers mailing list
>Web...@li...
>https://lists.sourceforge.net/lists/listinfo/web-erp-developers
From: Dale S. <dal...@sh...> - 2020-09-11 03:12:50

Hello all, I was contacted by someone using a WebERP snapshot circa 2010 (you may have even have heard from them yourself...). Their sysadmin/support person in HK announced they would be unable to continue support next year. Just out of curiosity, is it likely a vanilla "2010" database will update cleanly using the upgrade scripts only?

Also, since I doubt I'm the best person for the job, what is the best way for a "user" to obtain commercial technical support? Is anyone making a business out of providing support services?

So far I've only asked questions to better understand the scope, but would like to understand possible options (one could be to just post an ad here themselves). On the other hand, perhaps there is value to having a go-between person to translate business-speak to developer-speak (and a big enough pie everyone is satisfied with their slice).

Cheers,
Dale

---
Dale Scott
Engineer | CTO | NPI | Coach
Email: da...@da...
Web: [ http://www.dalescott.net/ | www.dalescott.net ]
From: Phil D. <ph...@lo...> - 2020-08-05 03:50:02

Or could we just chop off the script stuff and forward to the appropriate URL quietly...

    //check for XSS
    if (strpos($_SERVER['REQUEST_URI'], '/%22%3E%3C') !== false) {
        //if so chop off the XSS code and just return the appropriate URL
        header('Location: ' . 'http' . (($_SERVER['SERVER_PORT'] == 443) ? 's' : '') . '://' . $_SERVER['HTTP_HOST'] . substr($_SERVER['REQUEST_URI'], 0, strpos($_SERVER['REQUEST_URI'], '/%22%3E%3C')));
        exit; // stop here: without this the rest of the page is still built from the hostile URI
    }

Phil Daintree
0275 567890

On 5/08/20 1:39 pm, Phil Daintree wrote:
> What about adding some parsing of the URI ...
>
> if(strpos($_SERVER['REQUEST_URI'],'%3C') AND
> strpos($_SERVER['REQUEST_URI'],'%3E')) {
>     $Title = _('Cross Site Scripting Error Report');
>     include ('includes/header.php');
>     prnMsg(_('This page was called using an incorrectly formed URL
> - a potential CSS attack has been blocked'), 'error');
>     include ('includes/footer.php');
>     exit;
> }
>
>
> This looks for %3C i.e. the "<" character and the %3E the ">"
> character in the URI and blocks any further processing if these are
> found in the URI.
> The output doesn't look great but nobbles this attack - what else
> though would break - those characters - well both in the same URI are
> surely OK to prohibit?
>
> Any thoughts?
>
> Phil
>
> -------- Forwarded Message --------
> Subject: Re: [WebERP-developers] Fwd: Aw: Vulnerabilities in webERP
> Date: Tue, 4 Aug 2020 13:00:37 +0100
> From: Tim Schofield <tim...@gm...>
> To: Paul Thursby <pth...@gm...>, Phil Daintree
> <ph...@lo...>, Rafael Emilio Chacon
> <raf...@gm...>, ExsonQu <hex...@gm...>,
> Gilberto Dos Santos Alves <gs...@gm...>
>
>
>
> Has anything been done regarding this? If so what?
>
> Thanks
> Tim
>
> On Sat, 25 Jul 2020 at 11:34, Tim Schofield
> <tim...@gm...> wrote:
>> This can be avoided using nginx with the following added to the conf
>> file:
>>
>> location / {
>>     try_files $uri $uri/ =404;
>> }
>>
>> as can be seen here
>> https://weberp.kwamoja.org/ImportBankTrans.php/"><script>alert("XSS")</script>>
>>
>> (note the user/password combination is admin/kwamoja)
>>
>> Not sure what is needed in apache.
>>
>>
>> On Sat, 25 Jul 2020 at 06:54, Phil Daintree <ph...@lo...>
>> wrote:
>>> There is $_GET sanitation in includes/session.php but using this
>>> syntax to send the parameter containing the script defeats our
>>> sanitation sadly
>>>
>>> Phil
>>> Phil Daintree
>>> +64 (0)275 567 890
>>>
>>>> On 23/07/2020, at 12:33 PM, Exson Qu <hex...@gm...> wrote:
>>>>
>>>> Dear all,
>>>> I checked these cases yesterday, and the following is the summary:
>>>> 1. GET x-site attack cannot be sanitized by current code
>>>> because there is no $_GET set up. We should enhance the code to
>>>> parse the uri.
>>>> 2. The POST injection is a little special since there is no Var
>>>> validation in the script mentioned-- GLCashFlowsIndirect.php. It is
>>>> easy to fix by adding validation.
>>>>
>>>> We will feed back more as I find a solution for x-site attack.
>>>> Best regards!
>>>> Exson
>>>>
>>>>
>>>>
>>>>> On Wed, Jul 22, 2020 at 9:39 AM Phil Daintree
>>>>> <ph...@lo...> wrote:
>>>>>
>>>>> Gents,
>>>>>
>>>>> This looks like it is sent as GET parameter but is not captured by
>>>>> our session cleansing routine?
>>>>>
>>>>> Anyone any ideas?
>>>>>
>>>>> Phil
>>>>> -------- Forwarded Message --------
>>>>> Subject: Aw: Vulnerabilities in webERP
>>>>> Date: Sat, 18 Jul 2020 10:51:14 +0200
>>>>> From: Mario Riederer <Mar...@gm...>
>>>>> To: Phil Daintree <ph...@lo...>
>>>>>
>>>>>
>>>>>
>>>>> Hello Phil,
>>>>> thanks for your reply :)
>>>>> I found 2 Cross Site Scripting and 2 SQL Injections in the software.
>>>>> You can find an explanation of the vulnerabilities in the Attachment.
>>>>> Please let me know if you need further help.
>>>>> Best regards,
>>>>> Mario
>>>>> *Sent:* Saturday, 18 July 2020 at 07:22
>>>>> *From:* "Phil Daintree" <ph...@lo...>
>>>>> *To:* mar...@gm..., "in...@we..." <in...@we...>
>>>>> *Subject:* Vulnerabilities in webERP
>>>>> Hi Mario,
>>>>>
>>>>> Further to your message to me at Logic Works ... if you could
>>>>> expand on the vulnerabilities please so we can fix.
>>>>>
>>>>> Many thanks
>>>>>
>>>>> Phil
>>>>>
>>>>> --
>>>>> Phil Daintree
>>>>> 0275 567890
>>>>> _______________________________________________
>>>>> Web-erp-developers mailing list
>>>>> Web...@li...
>>>>> https://lists.sourceforge.net/lists/listinfo/web-erp-developers
>>>>>
>>>>
>>>> _______________________________________________
>>>> Web-erp-developers mailing list
>>>> Web...@li...
>>>> https://lists.sourceforge.net/lists/listinfo/web-erp-developers
>>>
>>>
>>>
>>> _______________________________________________
>>> Web-erp-developers mailing list
>>> Web...@li...
>>> https://lists.sourceforge.net/lists/listinfo/web-erp-developers
>>
>>
>>
>> --
>> www.weberpafrica.com
>> @TimSchofield2
>> Blog: https://kwamoja.home.blog/
>
>
>
From: Phil D. <ph...@lo...> - 2020-08-05 01:39:57

What about adding some parsing of the URI ...

    if (strpos($_SERVER['REQUEST_URI'], '%3C') !== false AND strpos($_SERVER['REQUEST_URI'], '%3E') !== false) {
        $Title = _('Cross Site Scripting Error Report');
        include ('includes/header.php');
        prnMsg(_('This page was called using an incorrectly formed URL - a potential CSS attack has been blocked'), 'error');
        include ('includes/footer.php');
        exit;
    }

This looks for %3C i.e. the "<" character and the %3E the ">" character in the URI and blocks any further processing if these are found in the URI.

The output doesn't look great but nobbles this attack - what else though would break - those characters - well both in the same URI are surely OK to prohibit?

Any thoughts?

Phil

-------- Forwarded Message --------
Subject: Re: [WebERP-developers] Fwd: Aw: Vulnerabilities in webERP
Date: Tue, 4 Aug 2020 13:00:37 +0100
From: Tim Schofield <tim...@gm...>
To: Paul Thursby <pth...@gm...>, Phil Daintree <ph...@lo...>, Rafael Emilio Chacon <raf...@gm...>, ExsonQu <hex...@gm...>, Gilberto Dos Santos Alves <gs...@gm...>

Has anything been done regarding this? If so what?

Thanks
Tim

On Sat, 25 Jul 2020 at 11:34, Tim Schofield <tim...@gm...> wrote:
> This can be avoided using nginx with the following added to the conf file:
>
> location / {
>     try_files $uri $uri/ =404;
> }
>
> as can be seen here
> https://weberp.kwamoja.org/ImportBankTrans.php/"><script>alert("XSS")</script>>
> (note the user/password combination is admin/kwamoja)
>
> Not sure what is needed in apache.
>
>
> On Sat, 25 Jul 2020 at 06:54, Phil Daintree <ph...@lo...> wrote:
>> There is $_GET sanitation in includes/session.php but using this syntax to send the parameter containing the script defeats our sanitation sadly
>>
>> Phil
>> Phil Daintree
>> +64 (0)275 567 890
>>
>>> On 23/07/2020, at 12:33 PM, Exson Qu <hex...@gm...> wrote:
>>>
>>> Dear all,
>>> I checked these cases yesterday, and the following is the summary:
>>> 1. GET x-site attack cannot be sanitized by current code
>>> because there is no $_GET set up. We should enhance the code to parse the
>>> uri.
>>> 2. The POST injection is a little special since there is no Var
>>> validation in the script mentioned-- GLCashFlowsIndirect.php. It is
>>> easy to fix by adding validation.
>>>
>>> We will feed back more as I find a solution for x-site attack.
>>> Best regards!
>>> Exson
>>>
>>>
>>>
>>>> On Wed, Jul 22, 2020 at 9:39 AM Phil Daintree <ph...@lo...> wrote:
>>>>
>>>> Gents,
>>>>
>>>> This looks like it is sent as GET parameter but is not captured by our
>>>> session cleansing routine?
>>>>
>>>> Anyone any ideas?
>>>>
>>>> Phil
>>>> -------- Forwarded Message --------
>>>> Subject: Aw: Vulnerabilities in webERP
>>>> Date: Sat, 18 Jul 2020 10:51:14 +0200
>>>> From: Mario Riederer <Mar...@gm...>
>>>> To: Phil Daintree <ph...@lo...>
>>>>
>>>>
>>>>
>>>> Hello Phil,
>>>> thanks for your reply :)
>>>> I found 2 Cross Site Scripting and 2 SQL Injections in the software.
>>>> You can find an explanation of the vulnerabilities in the Attachment.
>>>> Please let me know if you need further help.
>>>> Best regards,
>>>> Mario
>>>> *Sent:* Saturday, 18 July 2020 at 07:22
>>>> *From:* "Phil Daintree" <ph...@lo...>
>>>> *To:* mar...@gm..., "in...@we..." <in...@we...>
>>>> *Subject:* Vulnerabilities in webERP
>>>> Hi Mario,
>>>>
>>>> Further to your message to me at Logic Works ... if you could expand on
>>>> the vulnerabilities please so we can fix.
>>>>
>>>> Many thanks
>>>>
>>>> Phil
>>>>
>>>> --
>>>> Phil Daintree
>>>> 0275 567890
>>>> _______________________________________________
>>>> Web-erp-developers mailing list
>>>> Web...@li...
>>>> https://lists.sourceforge.net/lists/listinfo/web-erp-developers
>>>>
>>>
>>> _______________________________________________
>>> Web-erp-developers mailing list
>>> Web...@li...
>>> https://lists.sourceforge.net/lists/listinfo/web-erp-developers
>>
>>
>>
>> _______________________________________________
>> Web-erp-developers mailing list
>> Web...@li...
>> https://lists.sourceforge.net/lists/listinfo/web-erp-developers
>
>
>
> --
> www.weberpafrica.com
> @TimSchofield2
> Blog: https://kwamoja.home.blog/

--
www.weberpafrica.com
@TimSchofield2
Blog: https://kwamoja.home.blog/
From: Phil D. <ph...@lo...> - 2020-07-25 05:53:34

There is $_GET sanitation in includes/session.php but using this syntax to send the parameter containing the script defeats our sanitation sadly 😢

Phil
Phil Daintree
+64 (0)275 567 890

> On 23/07/2020, at 12:33 PM, Exson Qu <hex...@gm...> wrote:
>
> Dear all,
> I checked these cases yesterday, and the following is the summary:
> 1. GET x-site attack cannot be sanitized by current code
> because there is no $_GET set up. We should enhance the code to parse the
> uri.
> 2. The POST injection is a little special since there is no Var
> validation in the script mentioned-- GLCashFlowsIndirect.php. It is
> easy to fix by adding validation.
>
> We will feed back more as I find a solution for x-site attack.
> Best regards!
> Exson
>
>
>
>> On Wed, Jul 22, 2020 at 9:39 AM Phil Daintree <ph...@lo...> wrote:
>>
>> Gents,
>>
>> This looks like it is sent as GET parameter but is not captured by our
>> session cleansing routine?
>>
>> Anyone any ideas?
>>
>> Phil
>> -------- Forwarded Message --------
>> Subject: Aw: Vulnerabilities in webERP
>> Date: Sat, 18 Jul 2020 10:51:14 +0200
>> From: Mario Riederer <Mar...@gm...>
>> To: Phil Daintree <ph...@lo...>
>>
>>
>>
>> Hello Phil,
>> thanks for your reply :)
>> I found 2 Cross Site Scripting and 2 SQL Injections in the software.
>> You can find an explanation of the vulnerabilities in the Attachment.
>> Please let me know if you need further help.
>> Best regards,
>> Mario
>> *Sent:* Saturday, 18 July 2020 at 07:22
>> *From:* "Phil Daintree" <ph...@lo...>
>> *To:* mar...@gm..., "in...@we..." <in...@we...>
>> *Subject:* Vulnerabilities in webERP
>> Hi Mario,
>>
>> Further to your message to me at Logic Works ... if you could expand on
>> the vulnerabilities please so we can fix.
>>
>> Many thanks
>>
>> Phil
>>
>> --
>> Phil Daintree
>> 0275 567890
>> _______________________________________________
>> Web-erp-developers mailing list
>> Web...@li...
>> https://lists.sourceforge.net/lists/listinfo/web-erp-developers
>>
>
> _______________________________________________
> Web-erp-developers mailing list
> Web...@li...
> https://lists.sourceforge.net/lists/listinfo/web-erp-developers
From: Exson Qu <hex...@gm...> - 2020-07-23 00:32:48

Dear all,

I checked these cases yesterday, and the following is the summary:

1. GET x-site attack cannot be sanitized by current code because there is no $_GET set up. We should enhance the code to parse the uri.
2. The POST injection is a little special since there is no Var validation in the script mentioned-- GLCashFlowsIndirect.php. It is easy to fix by adding validation.

We will feed back more as I find a solution for x-site attack.

Best regards!
Exson

On Wed, Jul 22, 2020 at 9:39 AM Phil Daintree <ph...@lo...> wrote:
> Gents,
>
> This looks like it is sent as GET parameter but is not captured by our
> session cleansing routine?
>
> Anyone any ideas?
>
> Phil
> -------- Forwarded Message --------
> Subject: Aw: Vulnerabilities in webERP
> Date: Sat, 18 Jul 2020 10:51:14 +0200
> From: Mario Riederer <Mar...@gm...>
> To: Phil Daintree <ph...@lo...>
>
>
>
> Hello Phil,
> thanks for your reply :)
> I found 2 Cross Site Scripting and 2 SQL Injections in the software.
> You can find an explanation of the vulnerabilities in the Attachment.
> Please let me know if you need further help.
> Best regards,
> Mario
> *Sent:* Saturday, 18 July 2020 at 07:22
> *From:* "Phil Daintree" <ph...@lo...>
> *To:* mar...@gm..., "in...@we..." <in...@we...>
> *Subject:* Vulnerabilities in webERP
> Hi Mario,
>
> Further to your message to me at Logic Works ... if you could expand on
> the vulnerabilities please so we can fix.
>
> Many thanks
>
> Phil
>
> --
> Phil Daintree
> 0275 567890
> _______________________________________________
> Web-erp-developers mailing list
> Web...@li...
> https://lists.sourceforge.net/lists/listinfo/web-erp-developers
>
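The thread above weighs three responses to a URL of the form ImportBankTrans.php/"><script>...: Phil's check for %3C and %3E in REQUEST_URI, his redirect that chops the suffix off, and Tim's nginx try_files rule. Each has a gap that a reviewer would flag: a substring match on one percent-encoding misses lower-case hex (%3c) or a raw < that a server passes through unencoded, a header('Location') without exit lets the rest of the page render from the hostile URI, and a web-server rule protects only the one server it is written for. The following is an added example written for this page, not code from webERP or from anyone in the thread, of the "parse the URI" approach Exson describes: decode the request path, accept it only if it is exactly the executing script (so no trailing path-info at all), answer 404 otherwise, and build form actions from a value that cannot carry path-info. The function names requestPathIsExactlyScript and safeFormAction are this example's own, and it assumes the guard is included at the top of every page the way includes/session.php is.

```php
<?php
// Added example, not webERP code. Assumes it runs before any output, as an
// include at the top of each page (the role includes/session.php plays).

/**
 * True only when the decoded request path is exactly the executing script.
 * Anything after the script name (path-info) is rejected, whichever way it
 * is encoded: %22%3E%3C, %22%3e%3c, raw "><, or %2F hiding a slash.
 */
function requestPathIsExactlyScript(string $requestUri, string $scriptName): bool
{
    $path = parse_url($requestUri, PHP_URL_PATH);   // drops ?query and #fragment
    if (!is_string($path) || $path === '') {
        return false;                               // unparsable: treat as hostile
    }
    // Decode first so percent-encoded separators cannot hide extra segments.
    return rawurldecode($path) === $scriptName;
}

/**
 * Script name safe to place inside an HTML attribute. basename() discards any
 * directory or path-info component; ENT_QUOTES escapes " and ' as well as
 * < and >, which is exactly what the reported "><script> payload relies on.
 * Use this instead of echoing $_SERVER['PHP_SELF'], which includes path-info.
 */
function safeFormAction(string $scriptName): string
{
    return htmlspecialchars(basename($scriptName), ENT_QUOTES, 'UTF-8');
}

if (PHP_SAPI !== 'cli') {
    // Request-entry guard: respond 404 and stop. Nothing taken from the URI is
    // echoed back, unlike a redirect to a "cleaned" version of it.
    if (!requestPathIsExactlyScript($_SERVER['REQUEST_URI'] ?? '', $_SERVER['SCRIPT_NAME'] ?? '')) {
        http_response_code(404);
        exit;
    }
} else {
    // Constructed self-check, run with: php thisfile.php
    $script = '/ImportBankTrans.php';
    $cases = [
        '/ImportBankTrans.php'                                 => true,
        '/ImportBankTrans.php?Period=3'                        => true,
        '/ImportBankTrans.php/"><script>alert("XSS")</script>' => false,
        '/ImportBankTrans.php/%22%3E%3Cscript%3E'              => false,
        '/ImportBankTrans.php/%22%3e%3cscript%3e'              => false,
        '/ImportBankTrans.php%2F%22%3E'                        => false,
        '/Other.php'                                           => false,
    ];
    foreach ($cases as $uri => $expected) {
        $got = requestPathIsExactlyScript($uri, $script);
        printf("%s %s\n", $got === $expected ? 'ok  ' : 'FAIL', $uri);
    }
    // Prints: ImportBankTrans.php
    echo safeFormAction($script), "\n";
}
```

Answering 404 rather than redirecting is deliberate: a redirect built from the request still reflects attacker-controlled bytes into a response header, and Phil's version continues executing the page unless an exit follows the header() call. The same path-info rejection can be enforced at the web server as a second layer; Tim's nginx try_files rule does this, and on Apache the core directive AcceptPathInfo Off makes requests with trailing path-info return 404 before PHP runs. Exson's second finding, the unvalidated POST field in GLCashFlowsIndirect.php, is a separate input-validation fix and is not covered by this guard.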
From: gilberto d. s. a. <gs...@gm...> - 2020-07-22 18:50:08

hi. reading and soon we return. thanks.

--
gilberto dos santos alves
+5511986465049

On Tue, 21 Jul 2020 at 22:39, Phil Daintree <ph...@lo...> wrote:
> Gents,
>
> This looks like it is sent as GET parameter but is not captured by our
> session cleansing routine?
>
> Anyone any ideas?
>
> Phil
> -------- Forwarded Message --------
> Subject: Aw: Vulnerabilities in webERP
> Date: Sat, 18 Jul 2020 10:51:14 +0200
> From: Mario Riederer <Mar...@gm...>
> To: Phil Daintree <ph...@lo...>
>
>
>
> Hello Phil,
> thanks for your reply :)
> I found 2 Cross Site Scripting and 2 SQL Injections in the software.
> You can find an explanation of the vulnerabilities in the Attachment.
> Please let me know if you need further help.
> Best regards,
> Mario
> *Sent:* Saturday, 18 July 2020 at 07:22
> *From:* "Phil Daintree" <ph...@lo...>
> *To:* mar...@gm..., "in...@we..." <in...@we...>
> *Subject:* Vulnerabilities in webERP
> Hi Mario,
>
> Further to your message to me at Logic Works ... if you could expand on
> the vulnerabilities please so we can fix.
>
> Many thanks
>
> Phil
>
> --
> Phil Daintree
> 0275 567890
> _______________________________________________
> Web-erp-developers mailing list
> Web...@li...
> https://lists.sourceforge.net/lists/listinfo/web-erp-developers
>
From: Rafael C. <raf...@gm...> - 2020-07-22 16:04:40

I will also check this weekend.

Regards,

On Tue. 21 Jul 2020 at 20:20, Paul T. <pth...@gm...> wrote:
> I'll have to check, might not be until the weekend, though.
>
> On Tue, Jul 21, 2020, 21:39 Phil Daintree <ph...@lo...> wrote:
>
> > Gents,
> >
> > This looks like it is sent as GET parameter but is not captured by our
> > session cleansing routine?
> >
> > Anyone any ideas?
> >
> > Phil
> > -------- Forwarded Message --------
> > Subject: Aw: Vulnerabilities in webERP
> > Date: Sat, 18 Jul 2020 10:51:14 +0200
> > From: Mario Riederer <Mar...@gm...>
> > To: Phil Daintree <ph...@lo...>
> >
> > Hello Phil,
> > thanks for your reply :)
> > I found 2 Cross Site Scripting and 2 SQL Injections in the software.
> > You can find an explanation of the vulnerabilities in the Attachment.
> > Please let me know if you need further help.
> > Best regards,
> > Mario
> > *Sent:* Saturday, 18 July 2020 at 07:22
> > *From:* "Phil Daintree" <ph...@lo...>
> > *To:* mar...@gm..., "in...@we..." <in...@we...>
> > *Subject:* Vulnerabilities in webERP
> > Hi Mario,
> >
> > Further to your message to me at Logic Works ... if you could expand on
> > the vulnerabilities please so we can fix.
> >
> > Many thanks
> >
> > Phil
> >
> > --
> > Phil Daintree
> > 0275 567890
From: Paul T. <pth...@gm...> - 2020-07-22 02:20:28

I'll have to check, might not be until the weekend, though.

On Tue, Jul 21, 2020, 21:39 Phil Daintree <ph...@lo...> wrote:
> Gents,
>
> This looks like it is sent as GET parameter but is not captured by our
> session cleansing routine?
>
> Anyone any ideas?
>
> Phil
> -------- Forwarded Message --------
> Subject: Aw: Vulnerabilities in webERP
> Date: Sat, 18 Jul 2020 10:51:14 +0200
> From: Mario Riederer <Mar...@gm...>
> To: Phil Daintree <ph...@lo...>
>
> Hello Phil,
> thanks for your reply :)
> I found 2 Cross Site Scripting and 2 SQL Injections in the software.
> You can find an explanation of the vulnerabilities in the Attachment.
> Please let me know if you need further help.
> Best regards,
> Mario
> *Sent:* Saturday, 18 July 2020 at 07:22
> *From:* "Phil Daintree" <ph...@lo...>
> *To:* mar...@gm..., "in...@we..." <in...@we...>
> *Subject:* Vulnerabilities in webERP
> Hi Mario,
>
> Further to your message to me at Logic Works ... if you could expand on
> the vulnerabilities please so we can fix.
>
> Many thanks
>
> Phil
>
> --
> Phil Daintree
> 0275 567890
From: Phil D. <ph...@lo...> - 2020-07-22 01:38:35

Gents,

This looks like it is sent as GET parameter but is not captured by our session cleansing routine?

Anyone any ideas?

Phil

-------- Forwarded Message --------
Subject: Aw: Vulnerabilities in webERP
Date: Sat, 18 Jul 2020 10:51:14 +0200
From: Mario Riederer <Mar...@gm...>
To: Phil Daintree <ph...@lo...>

Hello Phil,
thanks for your reply :)
I found 2 Cross Site Scripting and 2 SQL Injections in the software.
You can find an explanation of the vulnerabilities in the Attachment.
Please let me know if you need further help.
Best regards,
Mario

*Sent:* Saturday, 18 July 2020 at 07:22
*From:* "Phil Daintree" <ph...@lo...>
*To:* mar...@gm..., "in...@we..." <in...@we...>
*Subject:* Vulnerabilities in webERP

Hi Mario,

Further to your message to me at Logic Works ... if you could expand on the vulnerabilities please so we can fix.

Many thanks

Phil

--
Phil Daintree
0275 567890
From: Kaija T. <kai...@gm...> - 2020-04-24 19:24:37

Hello,

My name is Thomas. I'm part of a team that uses webERP for various projects. Did you get help with the ledger balance issue you were experiencing?

Regards,
Thomas

On Sun, 19 Apr 2020, 11:21 Irshad shaad, <irs...@gm...> wrote:
> Dear Technical Team,
> Warm Greetings.
> We are using the ERP for Accounts. We are facing a problem in our ledgers.
> If we check the balance for the current month, it does not match with the
> statement provided by the bank, while if we check the balance by selecting
> two years back date then it becomes equal as per Bank statement.
> Can you please help me regarding this? How can we solve this problem?
>
> Waiting for your kind and prompt response regarding this matter.
>
> Thanks and regards,
> M. Irshad
From: Irshad s. <irs...@gm...> - 2020-04-19 08:20:43

Dear Technical Team,

Warm Greetings.

We are using the ERP for Accounts. We are facing a problem in our ledgers. If we check the balance for the current month, it does not match with the statement provided by the bank, while if we check the balance by selecting a date two years back then it becomes equal as per the Bank statement. Can you please help me regarding this? How can we solve this problem?

Waiting for your kind and prompt response regarding this matter.

Thanks and regards,
M. Irshad