web-erp-developers — Discussion on development of webERP

Re: [WebERP-developers] ConfirmDispatch_Invoice (new) does not create an invoice.

[Exson Qu <hex...@gm...>]

Hi, Rafael,

            I've received a fix from webERP Chinese forum for this
problem.  A customer reference is added to ConfirmDispatch_Invoice.php,
unfortunately, the reference is defined at 20 characters length. If your
customer reference defined in DeliveryDetails.php is over than 20 length,
the script will be choked. But there is no error messages out. It is
strange why there is no errors message pop up.
           The fix has been committed to trunk. Please check if it fixed
you problem.
           Thanks and best regards!
           Exson

2018-04-27 8:58 GMT+08:00 Exson Qu <hex...@gm...>:

> *Hi, Rafael, *
>                Thanks for the reply.
>                Have checked the $OrderHearderSQL at line 105? What is the
> result when you run the SQL in mysql client?
>                Is the scenario as  when you push submit button, nothing
> happen?
>                Best regards!
>                Exson
>
> 2018-04-27 1:18 GMT+08:00 Rafael Chacón <raf...@gm...>:
>
>> Hi Exson,
>>
>> Yes, I do. I run upgrade4.14.1-4.14.2.sql without the last line (UPDATE
>> config SET confvalue='4.15' WHERE confname='VersionNumber';).
>>
>> Also, I reviewed the tables. All tables were created; all fields were
>> added.
>>
>> About data inserted in fields:
>> * For those different than `pickreq` and `pickreqdetails`, the information
>> in recorded OK.
>> * For `pickreq` and `pickreqdetails`: fields are empty (I am not sure if
>> that is correct).
>>
>> Regards, Rafael.
>>
>> 2018-04-26 0:14 GMT-06:00 Exson Qu <hex...@gm...>:
>>
>> > *Hi, Rafael,*
>> >
>> >           I've checked the script.
>> >           Did you upgrade your database? The salesorders table has
>> added a
>> > new field internalcomment.
>> >           When the database has not upgraded, it will choke. Otherwise,
>> I
>> > cannot find any problem.
>> >           Best regards!
>> >           Exson
>> >
>> > 2018-04-26 12:25 GMT+08:00 Rafael Chacón <raf...@gm...
>> m>:
>> >
>> > > Hi,
>> > >
>> > > Someone has used the new ConfirmDispatch_Invoice.php? I do, but It
>> does
>> > not
>> > > create an invoice (increases systype number, but remains in the last
>> > > window).
>> > >
>> > > Suggestions to troubleshooting ?
>> > >
>> > > Best regards, Rafael.
>> > > ------------------------------------------------------------
>> > > ------------------
>> > > Check out the vibrant tech community on one of the world's most
>> > > engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>> > > _______________________________________________
>> > > Web-erp-developers mailing list
>> > > Web...@li...
>> > > https://lists.sourceforge.net/lists/listinfo/web-erp-developers
>> > >
>> > ------------------------------------------------------------
>> > ------------------
>> > Check out the vibrant tech community on one of the world's most
>> > engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>> > _______________________________________________
>> > Web-erp-developers mailing list
>> > Web...@li...
>> > https://lists.sourceforge.net/lists/listinfo/web-erp-developers
>> >
>> ------------------------------------------------------------
>> ------------------
>> Check out the vibrant tech community on one of the world's most
>> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>> _______________________________________________
>> Web-erp-developers mailing list
>> Web...@li...
>> https://lists.sourceforge.net/lists/listinfo/web-erp-developers
>>
>
>

Re: [WebERP-developers] ConfirmDispatch_Invoice (new) does not create an invoice.

[Exson Qu <hex...@gm...>]

*Hi, Rafael, *
               Thanks for the reply.
               Have checked the $OrderHearderSQL at line 105? What is the
result when you run the SQL in mysql client?
               Is the scenario as  when you push submit button, nothing
happen?
               Best regards!
               Exson

2018-04-27 1:18 GMT+08:00 Rafael Chacón <raf...@gm...>:

> Hi Exson,
>
> Yes, I do. I run upgrade4.14.1-4.14.2.sql without the last line (UPDATE
> config SET confvalue='4.15' WHERE confname='VersionNumber';).
>
> Also, I reviewed the tables. All tables were created; all fields were
> added.
>
> About data inserted in fields:
> * For those different than `pickreq` and `pickreqdetails`, the information
> in recorded OK.
> * For `pickreq` and `pickreqdetails`: fields are empty (I am not sure if
> that is correct).
>
> Regards, Rafael.
>
> 2018-04-26 0:14 GMT-06:00 Exson Qu <hex...@gm...>:
>
> > *Hi, Rafael,*
> >
> >           I've checked the script.
> >           Did you upgrade your database? The salesorders table has added
> a
> > new field internalcomment.
> >           When the database has not upgraded, it will choke. Otherwise, I
> > cannot find any problem.
> >           Best regards!
> >           Exson
> >
> > 2018-04-26 12:25 GMT+08:00 Rafael Chacón <raf...@gm...
> >:
> >
> > > Hi,
> > >
> > > Someone has used the new ConfirmDispatch_Invoice.php? I do, but It does
> > not
> > > create an invoice (increases systype number, but remains in the last
> > > window).
> > >
> > > Suggestions to troubleshooting ?
> > >
> > > Best regards, Rafael.
> > > ------------------------------------------------------------
> > > ------------------
> > > Check out the vibrant tech community on one of the world's most
> > > engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> > > _______________________________________________
> > > Web-erp-developers mailing list
> > > Web...@li...
> > > https://lists.sourceforge.net/lists/listinfo/web-erp-developers
> > >
> > ------------------------------------------------------------
> > ------------------
> > Check out the vibrant tech community on one of the world's most
> > engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> > _______________________________________________
> > Web-erp-developers mailing list
> > Web...@li...
> > https://lists.sourceforge.net/lists/listinfo/web-erp-developers
> >
> ------------------------------------------------------------
> ------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> Web-erp-developers mailing list
> Web...@li...
> https://lists.sourceforge.net/lists/listinfo/web-erp-developers
>

Re: [WebERP-developers] ConfirmDispatch_Invoice (new) does not create an invoice.

[Rafael C. <raf...@gm...>]

Hi Exson,

Yes, I do. I run upgrade4.14.1-4.14.2.sql without the last line (UPDATE
config SET confvalue='4.15' WHERE confname='VersionNumber';).

Also, I reviewed the tables. All tables were created; all fields were added.

About data inserted in fields:
* For those different than `pickreq` and `pickreqdetails`, the information
in recorded OK.
* For `pickreq` and `pickreqdetails`: fields are empty (I am not sure if
that is correct).

Regards, Rafael.

2018-04-26 0:14 GMT-06:00 Exson Qu <hex...@gm...>:

> *Hi, Rafael,*
>
>           I've checked the script.
>           Did you upgrade your database? The salesorders table has added a
> new field internalcomment.
>           When the database has not upgraded, it will choke. Otherwise, I
> cannot find any problem.
>           Best regards!
>           Exson
>
> 2018-04-26 12:25 GMT+08:00 Rafael Chacón <raf...@gm...>:
>
> > Hi,
> >
> > Someone has used the new ConfirmDispatch_Invoice.php? I do, but It does
> not
> > create an invoice (increases systype number, but remains in the last
> > window).
> >
> > Suggestions to troubleshooting ?
> >
> > Best regards, Rafael.
> > ------------------------------------------------------------
> > ------------------
> > Check out the vibrant tech community on one of the world's most
> > engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> > _______________________________________________
> > Web-erp-developers mailing list
> > Web...@li...
> > https://lists.sourceforge.net/lists/listinfo/web-erp-developers
> >
> ------------------------------------------------------------
> ------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> Web-erp-developers mailing list
> Web...@li...
> https://lists.sourceforge.net/lists/listinfo/web-erp-developers
>

Re: [WebERP-developers] ConfirmDispatch_Invoice (new) does not create an invoice.

[Exson Qu <hex...@gm...>]

*Hi, Rafael,*

          I've checked the script.
          Did you upgrade your database? The salesorders table has added a
new field internalcomment.
          When the database has not upgraded, it will choke. Otherwise, I
cannot find any problem.
          Best regards!
          Exson

2018-04-26 12:25 GMT+08:00 Rafael Chacón <raf...@gm...>:

> Hi,
>
> Someone has used the new ConfirmDispatch_Invoice.php? I do, but It does not
> create an invoice (increases systype number, but remains in the last
> window).
>
> Suggestions to troubleshooting ?
>
> Best regards, Rafael.
> ------------------------------------------------------------
> ------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> Web-erp-developers mailing list
> Web...@li...
> https://lists.sourceforge.net/lists/listinfo/web-erp-developers
>

[WebERP-developers] ConfirmDispatch_Invoice (new) does not create an invoice.

[Rafael C. <raf...@gm...>]

Hi,

Someone has used the new ConfirmDispatch_Invoice.php? I do, but It does not
create an invoice (increases systype number, but remains in the last
window).

Suggestions to troubleshooting ?

Best regards, Rafael.

Re: [WebERP-developers] Propose a new release at this weekend

[<ph...@lo...>]

Hi Exson,

I believe Paul is keen to do a release and is working on it.
Also, Rafael noted an issue with ConfirmDispatch_Invoice.php related to 
picking lists

Phil

On 2018-04-25 21:02, ExsonQu wrote:
> *Dear all*
> 
>             Thank you very much for your great contribution to webERP
> project.
>             I suggest we create a new release at this weekend.
>             At this release, we have solve several important issues for
> webERP:
>             1. Some bugs fix for security issues.
>             2. GL balance issues, the code has been changed several 
> times,
> but I believe this is the last time to mention this issue.
>             3. For manufacturing part, there are two gating issue
> encountered:
>                 a. tons of gltrans records created for bom creating or 
> bom
> updated.
>                 b. The WAC cost wrong calculation which cause the 
> amount of
> item cost is unbelievable huge.
>            Issues mentioned above is what I know. And I find a pick 
> request
> feature has been added. It should be great.
>            I am not sure if there are any gating issues.
>            If the answer is NO, let give a new release at this weekend.
>            If any concern, please feel free to let me know.
>            Thanks and best regards!
>            Exson
> 
> 
> 
> --
> Sent from:
> http://weberp-accounting.1478800.n4.nabble.com/web-ERP-developers-f1484626.html
> 
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> Web-erp-developers mailing list
> Web...@li...
> https://lists.sourceforge.net/lists/listinfo/web-erp-developers

Re: [WebERP-developers] Propose a new release at this weekend

[Exson Qu <hex...@gm...>]

Dear Phil,
           Thank you very much!
           I'll check what's happened on the ConfirmDispatch_Invoice issue
today.
           I'm glad to hear that Paul is preparing the new release.
           Best regards!
           Exson

2018-04-26 11:08 GMT+08:00 <ph...@lo...>:

>
> Hi Exson,
>
> I believe Paul is keen to do a release and is working on it.
> Also, Rafael noted an issue with ConfirmDispatch_Invoice.php related to
> picking lists
>
> Phil
>
>
> On 2018-04-25 21:02, ExsonQu wrote:
>
>> *Dear all*
>>
>>             Thank you very much for your great contribution to webERP
>> project.
>>             I suggest we create a new release at this weekend.
>>             At this release, we have solve several important issues for
>> webERP:
>>             1. Some bugs fix for security issues.
>>             2. GL balance issues, the code has been changed several times,
>> but I believe this is the last time to mention this issue.
>>             3. For manufacturing part, there are two gating issue
>> encountered:
>>                 a. tons of gltrans records created for bom creating or bom
>> updated.
>>                 b. The WAC cost wrong calculation which cause the amount
>> of
>> item cost is unbelievable huge.
>>            Issues mentioned above is what I know. And I find a pick
>> request
>> feature has been added. It should be great.
>>            I am not sure if there are any gating issues.
>>            If the answer is NO, let give a new release at this weekend.
>>            If any concern, please feel free to let me know.
>>            Thanks and best regards!
>>            Exson
>>
>>
>>
>> --
>> Sent from:
>> http://weberp-accounting.1478800.n4.nabble.com/web-ERP-devel
>> opers-f1484626.html
>>
>> ------------------------------------------------------------
>> ------------------
>> Check out the vibrant tech community on one of the world's most
>> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>> _______________________________________________
>> Web-erp-developers mailing list
>> Web...@li...
>> https://lists.sourceforge.net/lists/listinfo/web-erp-developers
>>
>

[WebERP-developers] Propose a new release at this weekend

[ExsonQu <hex...@gm...>]

*Dear all*

            Thank you very much for your great contribution to webERP
project. 
            I suggest we create a new release at this weekend. 
            At this release, we have solve several important issues for
webERP:
            1. Some bugs fix for security issues.
            2. GL balance issues, the code has been changed several times,
but I believe this is the last time to mention this issue. 
            3. For manufacturing part, there are two gating issue
encountered: 
                a. tons of gltrans records created for bom creating or bom
updated. 
                b. The WAC cost wrong calculation which cause the amount of
item cost is unbelievable huge. 
           Issues mentioned above is what I know. And I find a pick request
feature has been added. It should be great. 
           I am not sure if there are any gating issues.  
           If the answer is NO, let give a new release at this weekend. 
           If any concern, please feel free to let me know.
           Thanks and best regards!
           Exson



--
Sent from: http://weberp-accounting.1478800.n4.nabble.com/web-ERP-developers-f1484626.html

[WebERP-developers] Proposal a release at this weekend

[ExsonQu <hex...@gm...>]

Dear all, 
   
        It is time to release a new version for webERP. 
        
        Except the issue about ConfirmDispatch_Invoice.php, it seems no more
concerned issues. 
        I'll find sometime to fix this issue later. 

        If there are no more concern, I suggest to give a new release to
webERP. 

        Best regards!
        Exson 




--
Sent from: http://weberp-accounting.1478800.n4.nabble.com/web-ERP-developers-f1484626.html

[WebERP-developers] ConfirmDispatch_Invoice (new) does not create an invoice.

[Rafael C. <raf...@gm...>]

Hi,

Someone has used the new ConfirmDispatch_Invoice.php? I do, but It does not
create an invoice (increases systype number, but remains in the last
window).

Suggestions to troubleshooting ?

Best regards, Rafael.

Re: [WebERP-developers] Performance issue in Payments.php

[Pak R. <pak...@gm...>]

Many thanks Phil.

My bad, I did not know the change to github. Could you please send me the
relevant info of the repository, so I check it out directly?.


Regards,
Ricard

On 12 March 2018 at 15:30, Phil Daintree <ph...@lo...> wrote:

> Hi Ricard,
>
> Good to hear you are still getting good mileage from webERP
>
> I can't see this SQL in Payments.php now ....
>
> We just recently moved the code to git at github.com due to ongoing
> issues with subversion at sourceforge.
>
> I looked at the history of Payments.php and it looks like Exson changed it
> in July 2017 to look for cheque numbers in supptrans rather than gltrans
>
> https://github.com/webERP-team/webERP/commit/bad8aea522d5e1a
> 2b777999c703b56c5d9441b6c#diff-179bc0f696b3eea3fb4764ee514a6e6a
>
> Phil
>
> Phil Daintree
> +64 (0)275 567890
>
>
> On 12/03/18 14:01, Pak Ricard wrote:
>
>> Hi:
>>
>> Since some months ago, Payments.php goes very slow (some 15-20 seconds)
>> each time a user hit submit with a new GL Analysis line into the payment.
>>
>> If I am not wrong code starts at line 718 until line 782
>>
>> Line 720 is a query against gltrans. This query alone needs around 15-18
>> seconds, which points it as the main cause of the problem here.
>>
>> gltrans has some 5M rows, and we do not use cheque, so gltrans.chequeno =
>> 0
>> for all the rows
>> gltrans index by chequeno is setup
>>
>> If I modify line
>> $ChequeNoSQL="SELECT account FROM gltrans WHERE chequeno='" .
>> $_POST['Cheque'] ."'";
>> to
>> $ChequeNoSQL="SELECT account FROM gltrans WHERE chequeno='" .
>> $_POST['Cheque'] ."' LIMIT 1";
>>
>> the issue is fixed (instant execution).
>>
>> Payments.php only checks twice if the query got any result, but never read
>> the account returned, so should be no collateral damage.
>>
>> I can't commit to SVN as I changed laptop and could not set it up yet.
>> Could someone please commit it?
>>
>> Regards,
>> Ricard
>> ------------------------------------------------------------
>> ------------------
>> Check out the vibrant tech community on one of the world's most
>> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>> _______________________________________________
>> Web-erp-developers mailing list
>> Web...@li...
>> https://lists.sourceforge.net/lists/listinfo/web-erp-developers
>>
>
>
> ------------------------------------------------------------
> ------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> Web-erp-developers mailing list
> Web...@li...
> https://lists.sourceforge.net/lists/listinfo/web-erp-developers
>

Re: [WebERP-developers] Performance issue in Payments.php

[Phil D. <ph...@lo...>]

Hi Ricard,

Good to hear you are still getting good mileage from webERP

I can't see this SQL in Payments.php now ....

We just recently moved the code to git at github.com due to ongoing 
issues with subversion at sourceforge.

I looked at the history of Payments.php and it looks like Exson changed 
it in July 2017 to look for cheque numbers in supptrans rather than gltrans

https://github.com/webERP-team/webERP/commit/bad8aea522d5e1a2b777999c703b56c5d9441b6c#diff-179bc0f696b3eea3fb4764ee514a6e6a

Phil

Phil Daintree
+64 (0)275 567890

On 12/03/18 14:01, Pak Ricard wrote:
> Hi:
>
> Since some months ago, Payments.php goes very slow (some 15-20 seconds)
> each time a user hit submit with a new GL Analysis line into the payment.
>
> If I am not wrong code starts at line 718 until line 782
>
> Line 720 is a query against gltrans. This query alone needs around 15-18
> seconds, which points it as the main cause of the problem here.
>
> gltrans has some 5M rows, and we do not use cheque, so gltrans.chequeno = 0
> for all the rows
> gltrans index by chequeno is setup
>
> If I modify line
> $ChequeNoSQL="SELECT account FROM gltrans WHERE chequeno='" .
> $_POST['Cheque'] ."'";
> to
> $ChequeNoSQL="SELECT account FROM gltrans WHERE chequeno='" .
> $_POST['Cheque'] ."' LIMIT 1";
>
> the issue is fixed (instant execution).
>
> Payments.php only checks twice if the query got any result, but never read
> the account returned, so should be no collateral damage.
>
> I can't commit to SVN as I changed laptop and could not set it up yet.
> Could someone please commit it?
>
> Regards,
> Ricard
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> Web-erp-developers mailing list
> Web...@li...
> https://lists.sourceforge.net/lists/listinfo/web-erp-developers

[WebERP-developers] Performance issue in Payments.php

[Pak R. <pak...@gm...>]

Hi:

Since some months ago, Payments.php goes very slow (some 15-20 seconds)
each time a user hit submit with a new GL Analysis line into the payment.

If I am not wrong code starts at line 718 until line 782

Line 720 is a query against gltrans. This query alone needs around 15-18
seconds, which points it as the main cause of the problem here.

gltrans has some 5M rows, and we do not use cheque, so gltrans.chequeno = 0
for all the rows
gltrans index by chequeno is setup

If I modify line
$ChequeNoSQL="SELECT account FROM gltrans WHERE chequeno='" .
$_POST['Cheque'] ."'";
to
$ChequeNoSQL="SELECT account FROM gltrans WHERE chequeno='" .
$_POST['Cheque'] ."' LIMIT 1";

the issue is fixed (instant execution).

Payments.php only checks twice if the query got any result, but never read
the account returned, so should be no collateral damage.

I can't commit to SVN as I changed laptop and could not set it up yet.
Could someone please commit it?

Regards,
Ricard

[WebERP-developers] Fwd: Re: Fwd: Fwd: Stored XSS with Normal user

[Phil D. <ph...@lo...>]

Well that does make it tricky to store html in variables as I do in the

webSHOP setup script.... but yes nicer in some respects. It is only
<script> tag that causes the issues though aye?

Phil

Phil Daintree
Logic Works Ltd - +64 (0)275 567890
http://www.logicworks.co.nz

On 06/01/18 21:53, Tim Schofield wrote:
> Just insert the following:
>
> $PostVariableValue = strip_tags($PostVariableValue);
>
> at line 54 of session.php. and
>
> $GetValue = strip_tags($GetValue);
>
> at line 73. Removing all HTML tags from input makes more sense than
> doing string replaces.
>
> Tim
>
> On 6 January 2018 at 00:23, Phil Daintree <ph...@lo...> wrote:
>> I received this note below informing us of a cross site scripting issue. Of
>> course it can only be executed by a logged in user so I am not sure it is a
>> major concern.... However, I am wondering if we could avoid such issues by
>> replacing any "script>" strings in $_POST and $_GET variables with "" is
>> there something I've overlooked or a more elegant solution?
>>
>> I just committed this:
>>
>> --- a/trunk/includes/session.php
>> +++ b/trunk/includes/session.php
>> @@ -55,13 +55,14 @@
>>                          if(get_magic_quotes_gpc()) {
>>                                  $_POST['name'] =
>> stripslashes($_POST['name']);
>>                          }
>> - $_POST[$PostVariableName] = DB_escape_string($PostVariableValue);
>> +
>> + $_POST[$PostVariableName] =
>> DB_escape_string(str_replace('script>','',$PostVariableValue));
>>                  } else {
>>                          foreach ($PostVariableValue as $PostArrayKey =>
>> $PostArrayValue) {
>>                                  if(get_magic_quotes_gpc()) {
>>                                          $PostVariableValue[$PostArrayKey] =
>> stripslashes($value[$PostArrayKey]);
>>                                  }
>> - $PostVariableValue[$PostArrayKey] = DB_escape_string($PostArrayValue);
>> + $PostVariableValue[$PostArrayKey] =
>> DB_escape_string(str_replace('script>','',$PostArrayValue));
>>                          }
>>                  }
>>          }
>> @@ -71,7 +72,7 @@
>>          */
>>          foreach ($_GET as $GetKey => $GetValue) {
>>                  if (gettype($GetValue) != 'array') {
>> - $_GET[$GetKey] = DB_escape_string($GetValue);
>> + $_GET[$GetKey] = DB_escape_string(str_replace('script>','',$GetValue));
>>                  }
>>          }
>>
>>
>>
>> Phil
>>
>>
>>
>> ---------- Forwarded message ----------
>> From: *Shappa Noob* <raj...@gm... <mailto:raj...@gm...>>
>> Date: Thu, Dec 21, 2017 at 12:39 PM
>> Subject: Re: Stored XSS with Normal user
>> To: sec...@we... <mailto:sec...@we...>
>>
>>
>> Hello Team,
>>
>> Also found 2 more Stored Xss below are steps to reproduce the problem
>>
>>
>>
>> 1)Another Stored Xss on http://127.0.0.1:1234/webERP/Factors.php?FactorID=1
>> <http://127.0.0.1:1234/webERP/Factors.php?FactorID=1>
>>
>> Tested with Notmal user able to add stored Xss and also verfied they are
>> getting executed on admin account.
>>
>> Payables->Maintain Factor Compnies->Create New Factor
>>
>> Enter the
>>
>> Company Name <script> alert(1) </script>
>> Address Line 1:<script> alert(2) </script>
>> Address Line 2:<script> alert(3) </script>
>> Address Line 3:<script> alert(4) </script>
>> Address Line 4:<script> alert(5) </script>
>>
>> 2)http://127.0.0.1:1234/webERP/index.php
>> <http://127.0.0.1:1234/webERP/index.php>
>>
>> Receivables->Add Customer ->
>>
>> Enter the script in Inut Text field as below
>>
>> Customer Code 777
>> Customer Name:script> alert(1) </script>
>>
>>
>> Now Just try to view the customer Information
>>
>> Receivables->Select Customer ->Enter a partial Code: 777->Search now->View
>> Customer Details> Stored Xss will get executed.
>>
>>
>>
>> Mitigation:
>>
>> In most situations where user-controllable data is copied into application
>> responses, cross-site scripting attacks can be prevented using two layers of
>> defences:**
>>
>> **
>>
>> *1.*Input should be validated as strictly as possible on arrival, given the
>> kind of content that it is expected to contain. For example, personal names
>> should consist of alphabetical and a small range of typographical
>> characters, and be relatively short; a year of birth should consist of
>> exactly four numerals; email addresses should match a well-defined regular
>> expression. Input which fails the validation should be rejected, not
>> sanitized.**
>>
>> *2.*User input should be HTML-encoded at any point where it is copied into
>> application responses. All HTML meta characters, including < > " ' and =,
>> should be replaced with the corresponding HTML entities (&lt; &gt; etc).**
>>
>> *3.*Implementation of the https://github.com/cure53/DOMPurify/
>> <https://github.com/cure53/DOMPurify/>**
>>
>> Thanks and Regards
>>
>> Shappa
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> On Thu, Dec 21, 2017 at 11:20 AM, Shappa Noob <raj...@gm...
>> <mailto:raj...@gm...>> wrote:
>>
>>     HelloTeam,
>>
>>     Any updates on this ?
>>
>>
>>     Thanks
>>
>>
>>     On Fri, Dec 15, 2017 at 8:58 PM, Shappa Noob <raj...@gm...
>>     <mailto:raj...@gm...>> wrote:
>>
>>         Hello Weberp Team,
>>
>>
>>         I have found the stored access on "Fixed Asset Locations" module
>>
>>
>>         Please find the below video to reproduce the problem with normal
>>         user Test (Accountant )
>>
>>
>>         https://drive.google.com/open?id=1iXaE85eAd1p_A-yxiIBXUUim1H6o1iXh
>>         <https://drive.google.com/open?id=1iXaE85eAd1p_A-yxiIBXUUim1H6o1iXh>
>>
>>
>>         Thank you
>>
>>
>>
>>
>>
>> ------------------------------------------------------------------------------
>> Check out the vibrant tech community on one of the world's most
>> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>> _______________________________________________
>> Web-erp-developers mailing list
>> Web...@li...
>> https://lists.sourceforge.net/lists/listinfo/web-erp-developers
>
>

[WebERP-developers] Fwd: Fwd: Stored XSS with Normal user

[Phil D. <ph...@lo...>]

I received this note below informing us of a cross site scripting issue. 
Of course it can only be executed by a logged in user so I am not sure 
it is a major concern.... However, I am wondering if we could avoid such 
issues by replacing any "script>" strings in $_POST and $_GET variables 
with "" is there something I've overlooked or a more elegant solution?

I just committed this:

--- a/trunk/includes/session.php
+++ b/trunk/includes/session.php
@@ -55,13 +55,14 @@
  			if(get_magic_quotes_gpc()) {
  				$_POST['name'] = stripslashes($_POST['name']);
  			}
- $_POST[$PostVariableName] = DB_escape_string($PostVariableValue);
+
+ $_POST[$PostVariableName] = 
DB_escape_string(str_replace('script>','',$PostVariableValue));
  		} else {
  			foreach ($PostVariableValue as $PostArrayKey => $PostArrayValue) {
  				if(get_magic_quotes_gpc()) {
  					$PostVariableValue[$PostArrayKey] = stripslashes($value[$PostArrayKey]);
  				}
- $PostVariableValue[$PostArrayKey] = DB_escape_string($PostArrayValue);
+ $PostVariableValue[$PostArrayKey] = 
DB_escape_string(str_replace('script>','',$PostArrayValue));
  			}
  		}
  	}
@@ -71,7 +72,7 @@
  	*/
  	foreach ($_GET as $GetKey => $GetValue) {
  		if (gettype($GetValue) != 'array') {
- $_GET[$GetKey] = DB_escape_string($GetValue);
+ $_GET[$GetKey] = DB_escape_string(str_replace('script>','',$GetValue));
  		}
  	}



Phil



---------- Forwarded message ----------
From: *Shappa Noob* <raj...@gm... <mailto:raj...@gm...>>
Date: Thu, Dec 21, 2017 at 12:39 PM
Subject: Re: Stored XSS with Normal user
To: sec...@we... <mailto:sec...@we...>


Hello Team,

Also found 2 more Stored Xss below are steps to reproduce the problem



1)Another Stored Xss on 
http://127.0.0.1:1234/webERP/Factors.php?FactorID=1 
<http://127.0.0.1:1234/webERP/Factors.php?FactorID=1>

Tested with Notmal user able to add stored Xss and also verfied they are 
getting executed on admin account.

Payables->Maintain Factor Compnies->Create New Factor

Enter the

Company Name <script> alert(1) </script>
Address Line 1:<script> alert(2) </script>
Address Line 2:<script> alert(3) </script>
Address Line 3:<script> alert(4) </script>
Address Line 4:<script> alert(5) </script>

2)http://127.0.0.1:1234/webERP/index.php 
<http://127.0.0.1:1234/webERP/index.php>

Receivables->Add Customer ->

Enter the script in Inut Text field as below

Customer Code 777
Customer Name:script> alert(1) </script>


Now Just try to view the customer Information

Receivables->Select Customer ->Enter a partial Code: 777->Search 
now->View Customer Details> Stored Xss will get executed.



Mitigation:

In most situations where user-controllable data is copied into 
application responses, cross-site scripting attacks can be prevented 
using two layers of defences:**

**

*1.*Input should be validated as strictly as possible on arrival, given 
the kind of content that it is expected to contain. For example, 
personal names should consist of alphabetical and a small range of 
typographical characters, and be relatively short; a year of birth 
should consist of exactly four numerals; email addresses should match a 
well-defined regular expression. Input which fails the validation should 
be rejected, not sanitized.**

*2.*User input should be HTML-encoded at any point where it is copied 
into application responses. All HTML meta characters, including < > " ' 
and =, should be replaced with the corresponding HTML entities (&lt; 
&gt; etc).**

*3.*Implementation of the https://github.com/cure53/DOMPurify/ 
<https://github.com/cure53/DOMPurify/>**

Thanks and Regards

Shappa















On Thu, Dec 21, 2017 at 11:20 AM, Shappa Noob <raj...@gm... 
<mailto:raj...@gm...>> wrote:

    HelloTeam,

    Any updates on this ?


    Thanks


    On Fri, Dec 15, 2017 at 8:58 PM, Shappa Noob <raj...@gm...
    <mailto:raj...@gm...>> wrote:

        Hello Weberp Team,


        I have found the stored access on "Fixed Asset Locations" module


        Please find the below video to reproduce the problem with normal
        user Test (Accountant )


        https://drive.google.com/open?id=1iXaE85eAd1p_A-yxiIBXUUim1H6o1iXh
        <https://drive.google.com/open?id=1iXaE85eAd1p_A-yxiIBXUUim1H6o1iXh>


        Thank you

Re: [WebERP-developers] new pt_BR translation revised december 2017 trunk

[gilberto d. s. a. <gs...@gm...>]

hi. please today i verified that this file for translation to pt_BR is not
merge with trunck on sourceforce. thanks.

--
gilberto dos santos alves
+5511986465049






2017-12-16 22:20 GMT-02:00 gilberto dos santos alves <gs...@gm...>:

> Hi!
> This is a new pt_BR translation 100% of strings. could be used on 4.14.1
> and after.
> please place these lines at sources.
>
> thanks.
> --
> gilberto dos santos alves
> +5511986465049 <(11)%2098646-5049>
>
>
>
>
>
>

Re: [WebERP-developers] SelectProduct.php Inventory Items Missing the Cost

[Andrew G. <aga...@re...>]

It might be security related?

$CostSecurity = 18; //don't show cost info unless security token 18 available to user

Best Regards,
Andrew Galuski
ResMart LLC.
817.615.3206 (Office)
817.821.0544 (Cell)
www.resmart.com


-----Original Message-----
From: wertthey [mailto:jp...@nu...] 
Sent: Monday, October 23, 2017 11:03 AM
To: web...@li...
Subject: [WebERP-developers] SelectProduct.php Inventory Items Missing the Cost

I had been using 14.11 and Since upgrading noticed that KEY items are now
missing from the SelectProduct.php  Inventory Items page.   It use to show
Cost and Gross margin on the page.  Why where these removed?

<http://weberp-accounting.1478800.n4.nabble.com/file/t130194/WebERPCorrectCost.png> 

Now they are missing.  This is a basic accounting piece of information that should be shown right on the part page WITHOUT needing to go to another page.  Below is what is currently shown. 

<http://weberp-accounting.1478800.n4.nabble.com/file/t130194/WebERPErrorNOTshowingCost.png> 

Is it possible to put back the code.

Thanks
James





-----
Using weberp since 2004, Thanks for all your hard work!
--
Sent from: http://weberp-accounting.1478800.n4.nabble.com/web-ERP-developers-f1484626.html

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot _______________________________________________
Web-erp-developers mailing list
Web...@li...
https://lists.sourceforge.net/lists/listinfo/web-erp-developers

Re: [WebERP-developers] SelectProduct.php Inventory Items Missing the Cost

[<ph...@lo...>]

James,

Good news ... this hasn't gone but made so that only folks with 
appropriate permissions can see the margins/cost info. You need to 
modify the roles to add the necessary permission to allow seeing this 
info.

Phil


On 2017-10-23 10:10, wertthey wrote:
> SelectProduct.php  Inventory Items Missing the Cost it use to show 
> Valuable
> information.
> <http://weberp-accounting.1478800.n4.nabble.com/file/t130194/WebERPCorrectCost.png>
> Now it only shows.....
> <http://weberp-accounting.1478800.n4.nabble.com/file/t130194/WebERPErrorNOTshowingCost.png>
> This is basic accounting information and should be shown on this page.  
> Can
> you put the code back?ThanksJames
> 
> 
> 
> -----
> Using and contributing to weberp since 2004, Thanks for all your hard 
> work!
> --
> Sent from:
> http://weberp-accounting.1478800.n4.nabble.com/web-ERP-developers-f1484626.html
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> Web-erp-developers mailing list
> Web...@li...
> https://lists.sourceforge.net/lists/listinfo/web-erp-developers

[WebERP-developers] SelectProduct.php Inventory Items Missing the Cost

[wertthey <jp...@nu...>]

SelectProduct.php  Inventory Items Missing the Cost it use to show Valuable
information. 
<http://weberp-accounting.1478800.n4.nabble.com/file/t130194/WebERPCorrectCost.png>
Now it only shows.....
<http://weberp-accounting.1478800.n4.nabble.com/file/t130194/WebERPErrorNOTshowingCost.png>
This is basic accounting information and should be shown on this page.  Can
you put the code back?ThanksJames



-----
Using and contributing to weberp since 2004, Thanks for all your hard work!
--
Sent from: http://weberp-accounting.1478800.n4.nabble.com/web-ERP-developers-f1484626.html

[WebERP-developers] SelectProduct.php Inventory Items Missing the Cost

[wertthey <jp...@nu...>]

I had been using 14.11 and Since upgrading noticed that KEY items are now
missing from the SelectProduct.php  Inventory Items page.   It use to show
Cost and Gross margin on the page.  Why where these removed?

<http://weberp-accounting.1478800.n4.nabble.com/file/t130194/WebERPCorrectCost.png> 

Now they are missing.  This is a basic accounting piece of information that
should be shown right on the part page WITHOUT needing to go to another
page.  Below is what is currently shown. 

<http://weberp-accounting.1478800.n4.nabble.com/file/t130194/WebERPErrorNOTshowingCost.png> 

Is it possible to put back the code.

Thanks
James





-----
Using weberp since 2004, Thanks for all your hard work!
--
Sent from: http://weberp-accounting.1478800.n4.nabble.com/web-ERP-developers-f1484626.html

Re: [WebERP-developers] Problem with version 14.1

[gilberto d. s. a. <gs...@gm...>]

+1 from me.

--
gilberto dos santos alves
+5511986465049






2017-10-20 19:00 GMT-02:00 Phil Daintree <ph...@lo...>:

> Team,
>
> I upgraded to 14.1 at a customer's site - but there is a bug with prices
> that Exson fixed after 14.1 was released where the price of sales orders
> gets wiped and the invoice created - potentially seriously under cost.... a
> major bug that could damage businesses.
>
> I am thinking another release needs to be made pronto! Any objections or
> development/other bugs that need to be addressed?
>
> --
> Phil
>
> Phil Daintree
> Logic Works Ltd - +64 (0)275 567890
> http://www.logicworks.co.nz
>
>
> ------------------------------------------------------------
> ------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> Web-erp-developers mailing list
> Web...@li...
> https://lists.sourceforge.net/lists/listinfo/web-erp-developers
>

[WebERP-developers] Problem with version 14.1

[Phil D. <ph...@lo...>]

Team,

I upgraded to 14.1 at a customer's site - but there is a bug with prices 
that Exson fixed after 14.1 was released where the price of sales orders 
gets wiped and the invoice created - potentially seriously under 
cost.... a major bug that could damage businesses.

I am thinking another release needs to be made pronto! Any objections or 
development/other bugs that need to be addressed?

-- 
Phil

Phil Daintree
Logic Works Ltd - +64 (0)275 567890
http://www.logicworks.co.nz

Re: [WebERP-developers] EHF / PEPPOL

[<sk...@ii...>]

Hi Phil
I am no longer using WebERP‎. I am now working as a mining engineer. Please unsubscribe me from these emails. Thanks, Simon Kelly sk...@ii...


Sent from my BlackBerry 10 smartphone on the Vodafone network.
  Original Message  
From: ph...@lo...
Sent: Tuesday, 27 June 2017 7:08 AM
To: webERP Developers
Reply To: webERP Developers
Subject: Re: [WebERP-developers] EHF / PEPPOL

Hi Arno,

Interesting initiative... I am not working on this and I am sure 
incentives would be required for any developer to make webERP support 
such.

Would be great to have a Norwegian translation!!

regards
Phil

On 2017-06-26 16:34, Arno Teigseth wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Hi all
> 
> I'm (slowly, when I have time) translating webERP into Norwegian, and
> I like the concept very much.
> 
> Does/could webERP plan for supporting electronic invoicing/messaging
> with PEPPOL?
> 
> In Norway, since July 1st 2017, the Norwegian government refuse all
> invoices that do not comply with PEPPOL/EHF.
> 
> The government also had an open-source communications module,
> "Oxalis", developed: https://github.com/difi/oxalis
> 
> www.digi.no/895242/norsk-friprog-for-elektronisk-faktura
> 
> 
> The government's PEPPOL requirement applies to both invoices and
> credit notes, but the spec for electronic messaging also provides for
> delivery slips, order confirmations, etc. Unsure if they are required
> by the state.
> 
> Info on the Norwegian requirements:
> https://www.anskaffelser.no/leverandorer/slik-moter-du-det-offentliges-k
> rav-til-digitalisering/faktura-og-kreditnota
> 
> best
> Arno
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2
> 
> iEYEARECAAYFAllRi90ACgkQEMIGVCc8BjCeDgCgjVDG1d1plCnz9M79mrRDx96N
> q4AAn02UmBvtn2ng9nbN0SJQMXnZOkc9
> =3Isk
> -----END PGP SIGNATURE-----
> 
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> Web-erp-developers mailing list
> Web...@li...
> https://lists.sourceforge.net/lists/listinfo/web-erp-developers

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Web-erp-developers mailing list
Web...@li...
https://lists.sourceforge.net/lists/listinfo/web-erp-developers

Re: [WebERP-developers] EHF / PEPPOL

[<ph...@lo...>]

Hi Arno,

Interesting initiative... I am not working on this and I am sure 
incentives would be required for any developer to make webERP support 
such.

Would be great to have a Norwegian translation!!

regards
Phil

On 2017-06-26 16:34, Arno Teigseth wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Hi all
> 
> I'm (slowly, when I have time) translating webERP into Norwegian, and
> I like the concept very much.
> 
> Does/could webERP plan for supporting electronic invoicing/messaging
> with PEPPOL?
> 
> In Norway, since July 1st 2017, the Norwegian government refuse all
> invoices that do not comply with PEPPOL/EHF.
> 
> The government also had an open-source communications module,
> "Oxalis", developed: https://github.com/difi/oxalis
> 
> www.digi.no/895242/norsk-friprog-for-elektronisk-faktura
> 
> 
> The government's PEPPOL requirement applies to both invoices and
> credit notes, but the spec for electronic messaging also provides for
> delivery slips, order confirmations, etc. Unsure if they are required
> by the state.
> 
> Info on the Norwegian requirements:
> https://www.anskaffelser.no/leverandorer/slik-moter-du-det-offentliges-k
> rav-til-digitalisering/faktura-og-kreditnota
> 
> best
> Arno
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2
> 
> iEYEARECAAYFAllRi90ACgkQEMIGVCc8BjCeDgCgjVDG1d1plCnz9M79mrRDx96N
> q4AAn02UmBvtn2ng9nbN0SJQMXnZOkc9
> =3Isk
> -----END PGP SIGNATURE-----
> 
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> Web-erp-developers mailing list
> Web...@li...
> https://lists.sourceforge.net/lists/listinfo/web-erp-developers

[WebERP-developers] EHF / PEPPOL

[Arno T. <arn...@gm...>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi all

I'm (slowly, when I have time) translating webERP into Norwegian, and
I like the concept very much.

Does/could webERP plan for supporting electronic invoicing/messaging
with PEPPOL?

In Norway, since July 1st 2017, the Norwegian government refuse all
invoices that do not comply with PEPPOL/EHF.

The government also had an open-source communications module,
"Oxalis", developed: https://github.com/difi/oxalis

www.digi.no/895242/norsk-friprog-for-elektronisk-faktura


The government's PEPPOL requirement applies to both invoices and
credit notes, but the spec for electronic messaging also provides for
delivery slips, order confirmations, etc. Unsure if they are required
by the state.

Info on the Norwegian requirements:
https://www.anskaffelser.no/leverandorer/slik-moter-du-det-offentliges-k
rav-til-digitalisering/faktura-og-kreditnota

best
Arno
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iEYEARECAAYFAllRi90ACgkQEMIGVCc8BjCeDgCgjVDG1d1plCnz9M79mrRDx96N
q4AAn02UmBvtn2ng9nbN0SJQMXnZOkc9
=3Isk
-----END PGP SIGNATURE-----