Unresolved security problem
I posted about this the other day, but rather than fixing the issue Phil deleted my post. Deleting reports about problems is NOT a substitute for fixing them:
A few weeks ago I was notified of a potential security issue with webERP. It came with complete details, and sample data to prove the issue.
This notification comes from a consultant from a French security company that I have verified as being a legitimate company. They had previously tried the email address that is supposed to be used for such reports but had received no reply, and so contacted me direct.
I passed this on to Phil as it relates to his code, as this is the normal courteous thing to do in such circumstances. He didn't reply, so both myself and the original reporter tried again, this time including some others who are listed as project admins. We didn't receive a reply.
I am now posting here, without giving away any details of the vulnerability, in the hope it gets picked up and sorted. If this has been fixed (I cannot see a commit on GitHub) or the original report is considered incorrect, then please notify me so I can remove this from my list.
Tim