From: Julie S. <jul...@op...> - 2014-03-13 12:14:49
Hi

Could you please remove my email from this discussion. I am not a developer at all, just a general everyday user and don't want to be part of this discussion.

Thanks
Julie Saville

From: Tim Schofield [mailto:tim...@gm...]
Sent: Thursday, 13 March 2014 7:57 PM
To: Reg Pro
Cc: Phil Daintree; webERP Developers; Joe Lwe; iced lava; ExsonQu; Pak Ricard; Rafael Emilio Chacon; aga...@re...; Avinash Ranka; jul...@op...; ha...@ne...; Gilberto Dos Santos Alves; buecher; muthu samy; su...@ou...; Heinrich Steuber; Robert Thomas
Subject: Re: [WebERP-developers] Security vulnerabilities

Phil, you say on the nabble forums that you were unaware of the other scripts where there was potentially a problem, and in that case I apologise as I was given to believe that you had been informed. However that was all you needed to say.

If it is ok with Exson I can forward you the log of the chat we had and you can see the issues that came up.

Blocking the accounts of people who bring up security concerns is a sure way of generating FUD as it convinces people that you are trying to cover something up. It's always better to be up front and honest Phil.

Tim

On 13 March 2014 07:30, Tim Schofield <tim...@gm...> wrote:

As far as I am aware I have never done anything to consciously hurt webERP. Of course I may have made some mistakes but so have all of us, we are all human. I have never consciously said anything untrue about Phil, or the project.

I don't give a damn about admin access, if Phil wants his name up in lights then that is fine by me. All I am saying here is that it is in the best interests of the project if I be given access to the forums to help users by passing on some of the knowledge I have gained over the years with webERP. Removing my access and removing some of the advice I have previously given is just daft.

If I have hurt Phil's feelings by asking about the security vulnerability then I hereby publicly apologise. Can we move on from this silliness please?
Tim

On 12 March 2014 22:54, <reg...@gm...> wrote:

Tim and Phil,

We NEED you both. Tim: please stop it there. No explanations or reasoning. Phil, please look at Tim's concerns objectively. I am not in a position to know how potentially critical an Admin access is to the project but certainly some minor mods can be done to give Tim access to a non detrimental access until confidence is rebuilt or security tokens modified for a super-admin.

Avid Weberpian
Sent from my BlackBerry® device from Digicel

_____

From: Tim Schofield <tim...@gm...>
Date: Wed, 12 Mar 2014 17:58:26 +0000
To: Reg Pro<reg...@gm...>
Cc: Joe Lwe<lw...@gm...>; Phil Daintree<ph...@lo...>; iced lava<ice...@gm...>; ExsonQu<hex...@gm...>; Pak Ricard<pak...@gm...>; Rafael Emilio Chacon<raf...@gm...>; <aga...@re...>; Avinash Ranka<avi...@gm...>; <jul...@op...>; <ha...@ne...>; Gilberto Dos Santos Alves<gs...@gm...>; buecher<bu...@op...>; muthu samy<map...@gm...>; <su...@ou...>; Heinrich Steuber<mr...@gm...>; Robert Thomas<rf...@as...>
Subject: Re: [WebERP-developers] Security vulnerabilities

Hi, well I thought we had started out after Phil and I spoke on the phone recently, but somehow Phil took offence to something either me or Exson said regarding the security vulnerability. I would have thought he would have had the courtesy to say something to me first, but then he still hasn't had the courtesy to tell me that he has removed me as an administrator on sourceforge. I will admit that in the past I may have tried to wind Phil up, but this has really taken me by surprise.

Exson and I had a private chat about scripts with $AllowAnyone set, and as a result of that gchat he wrote to Phil regarding these issues we suspected were still in the code. Yesterday I wrote a polite note to the forums asking if any progress had been made as it was some time since Exson wrote. I didn't mention any details of the potential vulnerability.
Suddenly I found that my forum account was blocked, and several of my posts had randomly been deleted. When I created another account so that I could carry on giving people help on the forum I find that advice gets deleted and the accounts blocked.

I am at a loss to explain why my accounts are blocked, I am at a loss to explain why helpful advice I have given people on the forum is now being randomly deleted. I did not seek any confrontation and it all seems completely barmy to me. If anyone can explain then please do.

Tim

On 12 March 2014 14:20, <reg...@gm...> wrote:

I second and third Joe's message as both of you are and have been great leaders in this great erp system. We, the weberp community have the most to lose with the bickering and we may even have to choose sides one day. Please Gentlemen, start over a fresh leaf and leave personalities and history out.

Russ
Sent from my BlackBerry® device from Digicel

_____

From: Joe Lwe <lw...@gm...>
Date: Wed, 12 Mar 2014 12:39:34 +0300
To: Tim Schofield<tim...@gm...>
Cc: Phil Daintree<ph...@lo...>; iced lava<ice...@gm...>; ExsonQu<hex...@gm...>; Pak Ricard<pak...@gm...>; Rafael Emilio Chacon<raf...@gm...>; <aga...@re...>; <avi...@gm...>; <jul...@op...>; <ha...@ne...>; Gilberto Dos Santos Alves<gs...@gm...>; buecher<bu...@op...>; muthu samy<map...@gm...>; <su...@ou...>; Heinrich Steuber<mr...@gm...>; Reg Pro<reg...@gm...>; Robert Thomas<rf...@as...>
Subject: Re: [WebERP-developers] Security vulnerabilities

Dear All,

Thank you all for your contributions to the project, trust me webERP is good. Everyone knows how paramount the issue of systems security is, especially for hosted installations. webERP can really be made better and better, though divisions (among great contributors) won't make it possible. My humble request is reconciliation, respect, forget the past and set a fresh ground for cooperation for the good of the webERP project, Acquisitions won't help.
Best Regards
Joe

On Wed, Mar 12, 2014 at 11:55 AM, Tim Schofield <tim...@gm...> wrote:

Phil, I tried to bring up a potential security vulnerability with you privately, and got a nasty bitter abusive message back. I tried to bring this up on the forum twice and the messages got deleted and my accounts got blocked.

This could potentially open up the details of a company's customer and sales base to a rival company. Trying to censor the messenger is not the right way to deal with potential vulnerabilities. It may be I am wrong, and it is harmless. If so let's discuss it like intelligent grown ups rather than behaving like a playground bully and just attacking the person who brings up a subject you don't like. This is not the right way to run a project.

If there is a different way of highlighting potential vulnerabilities then please let me and others know. Denying webERP users access to my help and advice without explaining to them why is typically dishonest behaviour from you.

Tim

--
Course View Towers, Plot 21 Yusuf Lule Road, Kampala
T +256 (0) 312 314 418
M +256 (0) 752 963 325
www.weberpafrica.com
Twitter: @TimSchofield2
Blog: http://weberpafrica.blogspot.co.uk/