An important heads up - a serious hole has been discovered - my fault
sorry everyone... the script
GLTrialBalance_csv.php
should be removed from your installation immediately.
This script allows anyone to access your general ledger trial balance!
Phil
-------- Original Message --------
Subject: Re: Serious security issue
Date: Thu, 20 Feb 2014 08:48:21 +0800
From: Exson Qu <hex...@gm...>
To: Phil Daintree <ph...@lo...>
*Hi, Phil,
*
Thank you for your prompt reply.
Yes. A heads up is needed since it's too dangerous for
those put webERP on internet. Just google the login screen and you'll
get lots of company's TB via this method.
Thanks and best regards!
Exson
2014-02-20 1:25 GMT+08:00 Phil Daintree <ph...@lo...
<mailto:ph...@lo...>>:
I see jo has fixed it.
Perhaps i should publish a heads up.
On 20 February 2014 12:55:47 AM NZDT, Exson Qu <hex...@gm...
<mailto:hex...@gm...>> wrote:
*Hi, Phil,*
The affected version is since 4630 which add
$AllowAnyone Check in session.inc which make the security
absolutely broken.
We can temporary remove the and !$AllowAnyone check in
line 335. It'll check the formID to block those non-authority
users. But an authority user still can work this around.
And same problem lies in scripts:
RecurringSalesOrdersProcess.php.
The problem is that system judge a login status by
$_SESSION['DatabaseName'] has been set or not.
And the $AllowAnyone has broken the last formID
security check.
Thank you for your attention!
Thanks and best regards!
Exson
|
