webERP Forum
Unresolved security problem

+- webERP Forum (http://www.weberp.org/forum)
+-- Forum: webERP Discussion (/forumdisplay.php?fid=1)
+--- Forum: Problems / Bugs? (/forumdisplay.php?fid=8)
+--- Thread: Unresolved security problem (/showthread.php?tid=8327)
Unresolved security problem - falkoner - 03-02-2019 07:29 PM

I posted about this the other day, but rather than fixing the issue Phil deleted my post. Deleting reports about problems is NOT a substitute for fixing them:

A few weeks ago I was notified of a potential security issue with webERP. It came with complete details, and sample data to prove the issue.

This notification comes from a consultant from a French security company that I have verified as being a legitimate company. They had previously tried the email address that is supposed to be used for such reports but had received no reply, and so contacted me directly.

I passed this on to Phil as it relates to his code, as this is the normal courteous thing to do in such circumstances. He didn't reply, so both myself and the original reporter tried again, this time including some others who are listed as project admins. We didn't receive a reply.

I am now posting here, without giving away any details of the vulnerability in the hope it gets picked up and sorted. If this has been fixed (I cannot see a commit on github) or the original report is considered incorrect, then please notify me so I can remove this from my list.

Tim


RE: Unresolved security problem - falkoner - 03-07-2019 02:59 AM

A quick update. After discussions with Paul T and the original reporter a solution is on its way.

It seems to me that this has highlighted a problem. If somebody makes the effort to report a security vulnerability in webERP then that person deserves more respect than to be ignored for weeks. It got embarrassing, as the only contact he was getting was through me while the admins were ignoring him. He could have gone public with this vulnerability (less scrupulous security consultants would have done) but he has waited until we get a solution out there.

The current procedures clearly didn't work in this instance, perhaps they need looking at?

Tim