From: Phil D. <ph...@lo...> - 2014-02-20 08:03:46

An important heads up - a serious hole has been discovered - my fault, sorry everyone... the script GLTrialBalance_csv.php should be removed from your installation immediately. This script allows anyone to access your general ledger trial balance!

Phil

-------- Original Message --------
Subject: Re: Serious security issue
Date: Thu, 20 Feb 2014 08:48:21 +0800
From: Exson Qu <hex...@gm...>
To: Phil Daintree <ph...@lo...>

Hi, Phil,

Thank you for your prompt reply. Yes, a heads up is needed since it's too dangerous for those who put webERP on the internet. Just google the login screen and you'll get lots of companies' TB via this method.

Thanks and best regards!
Exson

2014-02-20 1:25 GMT+08:00 Phil Daintree <ph...@lo...>:

> I see Jo has fixed it. Perhaps I should publish a heads up.
>
> On 20 February 2014 12:55:47 AM NZDT, Exson Qu <hex...@gm...> wrote:
>
>> Hi, Phil,
>>
>> The affected version is since 4630, which adds the $AllowAnyone check in session.inc and makes the security absolutely broken. We can temporarily remove the `and !$AllowAnyone` check in line 335. It'll check the formID to block those non-authorised users. But an authorised user can still work around this. And the same problem lies in scripts: RecurringSalesOrdersProcess.php.
>>
>> The problem is that the system judges a login status by whether $_SESSION['DatabaseName'] has been set or not. And the $AllowAnyone has broken the last formID security check.
>>
>> Thank you for your attention!
>>
>> Thanks and best regards!
>> Exson
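An added illustration of the pattern Exson describes, written here as hypothetical PHP and not taken from webERP's session.inc: a login check that only tests whether $_SESSION['DatabaseName'] exists and that a per-script $AllowAnyone flag can skip entirely, beside a check built on an explicit server-set authenticated flag, a fixed allow-list of public scripts, and a form token comparison. Function names, the 'Authenticated' and 'UserID' session keys, and the PUBLIC_SCRIPTS list are assumptions.

```php
<?php
// Hypothetical illustration; not webERP code. Names are assumed.

// Weak pattern from the thread: "logged in" means only that a session
// variable happens to be set, and a script-level $AllowAnyone flag
// bypasses even that, so any visitor can reach the report.
function is_logged_in_weak(array $session, bool $allowAnyone): bool
{
    if ($allowAnyone) {
        return true;                        // anonymous visitor passes
    }
    return isset($session['DatabaseName']); // tests presence, not identity
}

// Hardened pattern: authentication is an explicit flag the login handler
// sets server-side; scripts that are genuinely public sit in a fixed
// allow-list instead of declaring $AllowAnyone themselves; and the
// per-session form token is still verified for everything else.
const PUBLIC_SCRIPTS = ['Login.php'];       // assumed allow-list

function require_login(array $session, string $script, string $formToken): void
{
    if (in_array($script, PUBLIC_SCRIPTS, true)) {
        return;                             // only listed scripts are public
    }
    if (empty($session['Authenticated']) || empty($session['UserID'])) {
        http_response_code(403);
        exit('Not logged in');
    }
    // Constant-time compare of the token the form sent against the session's
    if (!hash_equals((string) ($session['FormID'] ?? ''), $formToken)) {
        http_response_code(403);
        exit('Invalid form token');
    }
}
```

With the hardened version, removing a report script like GLTrialBalance_csv.php is no longer the only line of defence, because an unauthenticated request is refused before any ledger query runs.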