From: Phil D. <ph...@lo...> - 2014-03-15 02:00:52
It seems that Tim's "critical vulnerability" issue identified relates to the use of $AllowAnyone which circumvents the normal authentication mechanism. These are the scripts where $AllowAnyone is set to true.

1. webERP/GLTrialBalance_csv.php://$AllowAnyone = true;
   YES - this script was a problem as previously advised when it was first identified. This script should be removed from any webERP installation.

2. webERP/Logout.php:$AllowAnyone=True; /* Allow all users to log off */
   It seems reasonable that anyone should be allowed to log off?

3. webERP/RecurringSalesOrdersProcess.php:$AllowAnyone = true;
   This script can be run by anyone too and it just processes any recurring order templates into orders based on the frequency of recurrence ... you can run this as many times as you like - there is no output and it is intended to be run from cron using wget.

4. webERP/api/api_php.php: $AllowAnyone = true;
   This allows the api to run - there is separate authentication required. No problem.

5. webERP/MailInventoryValuation.php:$AllowAnyone = true;
   This script sends an inventory valuation email to the users defined in the script - no output to anyone externally - no risk to anyone - also intended to be run from cron.

6. webERP/MailSalesReport_csv.php:$AllowAnyone = true;
   This script sends an email of a sales report as a csv to the users defined in the script - no output to anyone externally - no risk to anyone - also intended to be run from cron.

7. webERP/report_runner.php:$AllowAnyone = true;
   This script sends an email of a sales report to the users defined in the script - no output to anyone externally - no risk to anyone - also intended to be run from cron.

8. webERP/MailSalesReport.php:$AllowAnyone = true;
   This script sends an email of a sales report to the users defined in the script - no output to anyone externally - no risk to anyone - also intended to be run from cron.

So ....

IMHO - none of these last 7 scripts represent a security risk (only the GLTrialBalance_csv.php - already identified). Maybe they present a potential spam risk.

I am keen to avoid the propagation of FUD on the mailing lists and forums - hence my perhaps heavy handed moderation. I do particularly watch Tim given his alternative agenda. However, his knowledgeable contributions have been good more recently. Perhaps he didn't look at what these scripts do, he is normally pretty smart. Perhaps I should have given him the benefit of the doubt.

Hopefully we have a clear reporting mechanism for reporting issues that people may worry about publicly identifying for fear of exposing other users' webERP installations. icedlava's suggestion was that the email - sec...@we... be used and this sends email to Exson, icedlava and myself - so we can have a look privately before alerting the community as necessary.

--
Phil

Phil Daintree
Logic Works Ltd - +64 (0)275 567890
http://www.logicworks.co.nz
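An added audit script (not part of the message above or of webERP itself) that applies the triage Phil describes: it finds every PHP script in a checkout that actively sets $AllowAnyone to true, treats the seven cron/API scripts he judges acceptable as a hypothetical allow-list, flags GLTrialBalance_csv.php for removal, and reports any other script for review. The sample tree it builds is constructed for the demonstration.

```shell
#!/bin/sh
# Audit a webERP tree for scripts that set $AllowAnyone = true, i.e. scripts that
# skip the normal session login check. Added example, not webERP code.
# Hypothetical allow-list: the cron/API scripts judged acceptable in the message above.
ALLOWED="Logout.php RecurringSalesOrdersProcess.php api/api_php.php MailInventoryValuation.php MailSalesReport_csv.php report_runner.php MailSalesReport.php"
# The one script the message says must be removed from any installation.
MUST_REMOVE="GLTrialBalance_csv.php"
# Matches an active assignment only; a commented-out "//$AllowAnyone = true;" is ignored.
# Case-insensitive because the codebase uses both "true" and "True".
PATTERN='^[[:space:]]*\$AllowAnyone[[:space:]]*=[[:space:]]*true[[:space:]]*;'

# Print each unexpected AllowAnyone script under $1 as "REVIEW <path>" or "REMOVE <path>".
# Returns 0 when only allow-listed scripts are found, 1 otherwise.
audit_allow_anyone() {
    root=$1
    status=0
    for f in $(find "$root" -name '*.php' -exec grep -liE "$PATTERN" {} +); do
        rel=${f#"$root"/}
        case " $ALLOWED " in *" $rel "*) continue ;; esac
        case " $MUST_REMOVE " in
            *" $rel "*) echo "REMOVE $rel" ;;
            *)          echo "REVIEW $rel" ;;
        esac
        status=1
    done
    return $status
}

# Constructed sample tree (not a real webERP checkout) used to exercise the audit.
demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/api"
    printf '<?php\n$AllowAnyone=True; /* Allow all users to log off */\n' > "$d/Logout.php"
    printf '<?php\n$AllowAnyone = true;\n' > "$d/api/api_php.php"
    printf '<?php\n$AllowAnyone = true;\n' > "$d/GLTrialBalance_csv.php"
    printf '<?php\n$AllowAnyone = true;\n' > "$d/NewUnreviewedReport.php"
    printf '<?php\n//$AllowAnyone = true;\ninclude("includes/session.php");\n' > "$d/Customers.php"
    echo "$d"
}

tree=$(demo_tree)
audit_allow_anyone "$tree" || echo "unexpected AllowAnyone scripts found under $tree"
rm -rf "$tree"
```

Run it against a real checkout with `audit_allow_anyone /path/to/webERP` and a non-zero exit status means a script outside the allow-list bypasses login and needs a look.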