*** Serious vulnerability
02-19-2014, 10:30 PM
Post: #11
RE: *** Serious vulnerability
The macro _must_ authenticate or otherwise by definition the data is available for anybody to view.

Tim
02-19-2014, 10:38 PM
Post: #12
RE: *** Serious vulnerability
(02-19-2014 10:30 PM)Forums Wrote:  The macro _must_ authenticate or otherwise by definition the data is available for anybody to view.

Tim
That's correct, but there are other ways to feed the macro most likely.

Is there any vulnerability reporting and fix process for webERP? I think it could be useful to have even though the use might occur rarely. Might help so we don't feed anyone that might be bored enough to want to go play with their new found knowledge.
02-19-2014, 11:22 PM
Post: #13
RE: *** Serious vulnerability
Agreed
02-19-2014, 11:27 PM
Post: #14
RE: *** Serious vulnerability
More generally, and as per my prior post in this thread, this highlighted to me some other possible issues so I'll be looking at session.inc and ConnectDB especially in reference to the $_SESSION['DatabaseName'] and how it is used in the code, more generally. I think it is worth a review.
02-20-2014, 02:35 AM
Post: #15
RE: *** Serious vulnerability
Thank you Tim and Icedlava for the warning
02-20-2014, 01:00 PM
Post: #16
RE: *** Serious vulnerability
Sorry, my bad ... should be using the API for this function - I need to send advice to the mailing list too.

Phil Daintree
webERP Admin
Logic Works Ltd
http://www.logicworks.co.nz