Hello,
A dangerous vulnerability, which allows non-authenticated users to access system-level Windows, has been discovered in WebUI, and the fix is also included.
It is strongly recommended that you patch your installation even if you don't use WebUI.
You can read more technical details about this vulnerability at http://sourceforge.net/tracker/index.php?func=detail&aid=1745703&group_id=176962&atid=879332
The fix is provided as a JAR archive file.
To patch your installation, please extract the archive. We will call the root directory of the archive PATCH_HOME.
Then follow the below commands. (Make sure JAVA_HOME/bin is in your path.)
Linux, Unix, Mac and Solaris users
====================================
$ cd $ADEMPIERE_HOME
$ jar uvf lib/adempiereApps.jar -C $PATCH_HOME org/compiere/www/WFilter.class
$ jar uvf lib/adempiereApps.war -C $PATCH_HOME WEB-INF/web.xml
$ ./RUN_setup.sh
Windows users
=============
\> cd %ADEMPIERE_HOME%
\> jar uvf lib/adempiereApps.jar -C %PATCH_HOME% org/compiere/www/WFilter.class
\> jar uvf lib/adempiereApps.war -C %PATCH_HOME% WEB-INF/web.xml
\> RUN_setup.bat
Warm regards,
Bahman
The fix as a JAR archive file
Corrected directory problems in the patch.
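A way to confirm that the `jar uvf` steps in the post above took effect, as an added example that is not part of the original post or of the ADempiere project: it compares each patched entry inside the archive with the file extracted under PATCH_HOME, and reports when the extracted patch does not have the expected directory layout. The function names and status strings are assumptions made for this example; the archive and entry paths are the ones given in the post.

```python
import hashlib
import os
import sys
import zipfile

# Archive (relative to ADEMPIERE_HOME) -> entry the post's commands update.
PATCHED_ENTRIES = {
    "lib/adempiereApps.jar": "org/compiere/www/WFilter.class",
    "lib/adempiereApps.war": "WEB-INF/web.xml",
}


def check_entry(archive_path, entry, patch_home):
    """Return 'patched', 'stale', 'missing' or 'patch-file-not-found'."""
    patch_file = os.path.join(patch_home, *entry.split("/"))
    if not os.path.isfile(patch_file):
        # The extracted patch lacks the expected directory layout.
        return "patch-file-not-found"
    with open(patch_file, "rb") as fh:
        expected = hashlib.sha256(fh.read()).hexdigest()
    with zipfile.ZipFile(archive_path) as archive:
        # Entry names inside jar/war files use '/' on every platform.
        if entry not in archive.namelist():
            return "missing"
        actual = hashlib.sha256(archive.read(entry)).hexdigest()
    return "patched" if actual == expected else "stale"


def verify_install(adempiere_home, patch_home):
    """Map each archive named in the post to the status of its entry."""
    return {
        rel: check_entry(
            os.path.join(adempiere_home, *rel.split("/")), entry, patch_home
        )
        for rel, entry in PATCHED_ENTRIES.items()
    }


if __name__ == "__main__":
    results = verify_install(
        os.environ["ADEMPIERE_HOME"], os.environ["PATCH_HOME"]
    )
    for rel, status in results.items():
        print(f"{rel}: {status}")
    # Non-zero exit lets a deployment script stop on an unpatched archive.
    sys.exit(0 if set(results.values()) == {"patched"} else 1)
```

The check covers only the two archives under lib/ that the post names; it does not inspect anything produced by the later RUN_setup step.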
Logged In: YES
user_id=1418900
Originator: YES
Hello,
This new patch is the same as the last one and only fixes a directory problem which caused patching to be difficult; therefore those who have applied the last patch _do not_ need to apply this patch.
Warm regards,
Bahman
File Added: patch-security-system_window_access-070701.jar
Logged In: YES
user_id=1312539
Originator: NO
This Tracker item was closed automatically by the system. It was
previously set to a Pending status, and the original submitter
did not respond within 14 days (the time period specified by
the administrator of this Tracker).