#66 WebUI: Access to system-level windows without authentication

3.2
closed-fixed
Security (2)
9
2008-03-01
2007-06-30
Bahman Movaqar
No

Hello,
A dangerous vulnerability which allows non-authenticated users to access system-level windows has been discovered in WebUI, and the fix is also included.

It is strongly recommended that you patch your installation even if you don't use WebUI.

You can read more technical details about this vulnerability at http://sourceforge.net/tracker/index.php?func=detail&aid=1745703&group_id=176962&atid=879332

The fix is provided as a JAR archive file.
To patch your installation please extract the archive. We will call the root directory of archive PATCH_HOME.
Then follow the commands below. (Make sure JAVA_HOME/bin is in your path.)
Linux, Unix, Mac and Solaris users
====================================
$ cd $ADEMPIERE_HOME
$ jar uvf lib/adempiereApps.jar -C $PATCH_HOME org/compiere/www/WFilter.class
$ jar uvf lib/adempiereApps.war -C $PATCH_HOME WEB-INF/web.xml
$ ./RUN_setup.sh

Windows users
====================================
> cd %ADEMPIERE_HOME%
> jar uvf lib/adempiereApps.jar -C %PATCH_HOME% org/compiere/www/WFilter.class
> jar uvf lib/adempiereApps.war -C %PATCH_HOME% WEB-INF/web.xml
> RUN_setup.bat

Warm regards,
Bahman
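
Post-patch verification, as an added example (not part of the tracker item or the ADempiere project's own code): it checks that adempiereApps.jar now carries org/compiere/www/WFilter.class and that the web.xml inside adempiereApps.war declares that class as a servlet filter with a URL mapping. The fully qualified name org.compiere.www.WFilter is derived from the class path in the patch commands; that the patched web.xml registers it as a <filter> with a <filter-mapping> is an assumption, and the sample JAR/WAR contents below are constructed for the demonstration.

```python
import io
import sys
import zipfile
import xml.etree.ElementTree as ET

# Entry names taken from the patch commands in the tracker item.
JAR_ENTRY = "org/compiere/www/WFilter.class"
WAR_ENTRY = "WEB-INF/web.xml"
# Assumed fully qualified class name (derived from the .class path above).
FILTER_CLASS = "org.compiere.www.WFilter"


def jar_has_entry(archive_bytes: bytes, entry: str) -> bool:
    """Return True if the JAR/WAR (both are zip files) contains `entry`."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        return entry in zf.namelist()


def web_xml_declares_filter(web_xml: bytes, filter_class: str) -> bool:
    """True if web.xml registers `filter_class` as a <filter> and maps it to a URL pattern.
    Tag names are compared without namespace so both DTD (2.3) and XSD (2.4+) descriptors work."""
    root = ET.fromstring(web_xml)

    def local(tag: str) -> str:
        return tag.rsplit("}", 1)[-1]

    def child_text(el, name: str):
        for c in el:
            if local(c.tag) == name:
                return (c.text or "").strip()
        return None

    # Names under which the filter class is registered.
    names = {child_text(el, "filter-name") for el in root
             if local(el.tag) == "filter" and child_text(el, "filter-class") == filter_class}
    names.discard(None)
    if not names:
        return False
    # A declared filter only protects requests if it is also mapped.
    return any(local(el.tag) == "filter-mapping" and child_text(el, "filter-name") in names
               for el in root)


def verify_patch(jar_bytes: bytes, war_bytes: bytes) -> dict:
    """Run both checks and return their results by name."""
    results = {"jar_has_wfilter": jar_has_entry(jar_bytes, JAR_ENTRY)}
    try:
        with zipfile.ZipFile(io.BytesIO(war_bytes)) as zf:
            web_xml = zf.read(WAR_ENTRY)
        results["web_xml_declares_wfilter"] = web_xml_declares_filter(web_xml, FILTER_CLASS)
    except KeyError:  # no WEB-INF/web.xml in the archive at all
        results["web_xml_declares_wfilter"] = False
    return results


# --- constructed sample archives (stand-ins for lib/adempiereApps.jar and .war) ---
def make_zip(entries: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


UNPATCHED_WEB_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <servlet><servlet-name>Login</servlet-name><servlet-class>example.Login</servlet-class></servlet>
</web-app>"""

PATCHED_WEB_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <filter>
    <filter-name>WFilter</filter-name>
    <filter-class>org.compiere.www.WFilter</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>WFilter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
  <servlet><servlet-name>Login</servlet-name><servlet-class>example.Login</servlet-class></servlet>
</web-app>"""

FAKE_CLASS = b"\xca\xfe\xba\xbe"  # class-file magic only; constructed placeholder
SAMPLE_UNPATCHED_JAR = make_zip({"org/compiere/www/WLogin.class": FAKE_CLASS})
SAMPLE_PATCHED_JAR = make_zip({"org/compiere/www/WLogin.class": FAKE_CLASS, JAR_ENTRY: FAKE_CLASS})
SAMPLE_UNPATCHED_WAR = make_zip({WAR_ENTRY: UNPATCHED_WEB_XML})
SAMPLE_PATCHED_WAR = make_zip({WAR_ENTRY: PATCHED_WEB_XML})

if __name__ == "__main__":
    # Usage: python verify_patch.py lib/adempiereApps.jar lib/adempiereApps.war
    if len(sys.argv) == 3:
        jar, war = open(sys.argv[1], "rb").read(), open(sys.argv[2], "rb").read()
    else:
        jar, war = SAMPLE_PATCHED_JAR, SAMPLE_PATCHED_WAR
    print(verify_patch(jar, war))
```

Run it from $ADEMPIERE_HOME with the two archive paths after RUN_setup has been executed; both values must be True, since a filter class that is present but not mapped in web.xml does not protect any request.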

Discussion

  • Bahman Movaqar
    2007-07-01

    Hello,

    This new patch is the same as the last one and only fixes a directory problem which caused patching to be difficult; therefore those who have applied the last patch _do not_ need to apply this patch.

    Warm regards,
    Bahman
    File Added: patch-security-system_window_access-070701.jar

  • Carlos Ruiz
    2008-02-15

    • status: open --> pending-fixed

  • This Tracker item was closed automatically by the system. It was
    previously set to a Pending status, and the original submitter
    did not respond within 14 days (the time period specified by
    the administrator of this Tracker).

    • status: pending-fixed --> closed-fixed