From: Phil D. <ph...@lo...> - 2020-07-22 01:38:35
Attachments:
weberp.txt
Gents,

This looks like it is sent as a GET parameter but is not captured by our session cleansing routine?

Anyone any ideas?

Phil

-------- Forwarded Message --------
Subject: Re: Vulnerabilities in webERP
Date: Sat, 18 Jul 2020 10:51:14 +0200
From: Mario Riederer <Mar...@gm...>
To: Phil Daintree <ph...@lo...>

Hello Phil,

thanks for your reply :)
I found 2 Cross Site Scripting and 2 SQL Injections in the software.
You can find an explanation of the vulnerabilities in the Attachment.
Please let me know if you need further help.

Best regards,
Mario

*Sent:* Saturday, 18 July 2020 at 07:22
*From:* "Phil Daintree" <ph...@lo...>
*To:* mar...@gm..., "in...@we..." <in...@we...>
*Subject:* Vulnerabilities in webERP

Hi Mario,

Further to your message to me at Logic Works ... if you could expand on the vulnerabilities please so we can fix.

Many thanks

Phil

--
Phil Daintree
0275 567890
From: Paul T. <pth...@gm...> - 2020-07-22 02:20:28
I'll have to check, might not be until the weekend, though.

On Tue, Jul 21, 2020, 21:39 Phil Daintree <ph...@lo...> wrote:
> [...]
From: Rafael C. <raf...@gm...> - 2020-07-22 16:04:40
I will also check this weekend.

Regards,

On Tue, 21 Jul 2020 at 20:20, Paul T. <pth...@gm...> wrote:
> [...]
From: gilberto d. s. a. <gs...@gm...> - 2020-07-22 18:50:08
Hi. Reading, and we will return soon. Thanks.

--
gilberto dos santos alves
+5511986465049

On Tue, 21 Jul 2020 at 22:39, Phil Daintree <ph...@lo...> wrote:
> [...]
From: Exson Qu <hex...@gm...> - 2020-07-23 00:32:48
Dear all,

I checked these cases yesterday, and the following is the summary:

1. The GET x-site attack cannot be sanitized by the current code because there is no $_GET set up. We should enhance the code to parse the URI.
2. The POST injection is a little special since there is no var validation in the script mentioned, GLCashFlowsIndirect.php. It is easy to fix by adding validation.

We will feed back more as I find a solution for the x-site attack.

Best regards!
Exson

On Wed, Jul 22, 2020 at 9:39 AM Phil Daintree <ph...@lo...> wrote:
> [...]
From: Phil D. <ph...@lo...> - 2020-07-25 05:53:34
There is $_GET sanitation in includes/session.php but using this syntax to send the parameter containing the script defeats our sanitation sadly 😢

Phil

Phil Daintree
+64 (0)275 567 890

> On 23/07/2020, at 12:33 PM, Exson Qu <hex...@gm...> wrote:
> [...]
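The two points raised in this thread (a GET parameter that reaches the page without passing through the session-wide cleanser, and a POST parameter in GLCashFlowsIndirect.php that goes into SQL with no validation) share one lesson: a global input-side cleanser is a convenience, not the control, and the durable fixes sit at the sinks. The following is an added example written for this page; it is not webERP code and does not reproduce includes/session.php. The cleanser shown is a hypothetical one in the style of a "strip tags from every GET value" loop, the array-shaped parameter it misses is an assumed illustration of a request shape such a loop never visits and is not the syntax from Mario's attachment (which is not on this page), and the table, columns, PDO and in-memory SQLite stand in for webERP's own database layer. Names like PeriodFrom, PeriodTo and cashflows are illustrative only.

```php
<?php
// Added illustration, not webERP code.
// Part 1: a hypothetical input-side cleanser that only touches string values,
//         and a request shape it never looks at.
// Part 2: the sink-side fixes: HTML-encode at output, bind parameters in SQL.

// Part 1: cleanser in the style of a session-wide strip_tags() loop.
function cleanse_scalars(array $params): array
{
    foreach ($params as $key => $value) {
        if (is_string($value)) {
            $params[$key] = strip_tags($value);
        }
        // Anything that is not a string (e.g. a nested array produced by
        // ?name[]=value) is returned exactly as it arrived.
    }
    return $params;
}

// Constructed request: the same payload as a plain scalar and inside an
// array-style parameter. The array form is an assumed example of a shape a
// scalar-only loop misses; it is not the syntax from the reported finding.
$request = [
    'PeriodTo'   => '<script>alert(1)</script>',
    'PeriodFrom' => ['<script>alert(1)</script>'],
];
$clean = cleanse_scalars($request);
var_dump($clean['PeriodTo']);       // string(8) "alert(1)"  tags stripped
var_dump($clean['PeriodFrom'][0]);  // still "<script>alert(1)</script>"

// Part 2a: encode at the HTML sink, so the outcome does not depend on what
// the cleanser did or did not see.
function h($value): string
{
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}
$from = $clean['PeriodFrom'];
$from = is_array($from) ? (string) reset($from) : (string) $from;
echo '<input name="PeriodFrom" value="' . h($from) . '">', "\n";
// <input name="PeriodFrom" value="&lt;script&gt;alert(1)&lt;/script&gt;">

// Part 2b: a POST parameter used in SQL. In-memory SQLite via PDO stands in
// for the project's DB layer; the table and columns are illustrative.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE cashflows (account TEXT, period TEXT, amount REAL)');
$db->exec("INSERT INTO cashflows VALUES ('1000','1',10.0), ('2000','2',20.0), ('3000','3',30.0)");

// Vulnerable form: the unvalidated parameter is concatenated into the query.
function rows_concat(PDO $db, string $period): array
{
    $sql = 'SELECT account FROM cashflows WHERE period = ' . $period;
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened form: the parameter is bound, so it can only ever be one value.
function rows_bound(PDO $db, string $period): array
{
    $stmt = $db->prepare('SELECT account FROM cashflows WHERE period = :p');
    $stmt->execute([':p' => $period]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$post = ['Period' => '1 OR 1=1'];            // constructed POST body
print_r(rows_concat($db, $post['Period']));  // 1000, 2000, 3000: every row
print_r(rows_bound($db, $post['Period']));   // empty: no period equals "1 OR 1=1"
print_r(rows_bound($db, '2'));               // 2000
```

Run with `php example.php`. The point of Part 1 is not the particular array shape but that any cleanser applied to the request as a whole has to anticipate every form a parameter can arrive in, whereas `h()` at the HTML sink and the bound parameter at the SQL sink are correct for whatever the request looked like. Per-script validation of the kind Exson proposes for GLCashFlowsIndirect.php (checking that a period is numeric, a date parses, and so on) is still worth adding on top, but binding is what removes the injection.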