# Title: webERP Multiple Vulnerabilities
# Author: ADEO Security
# Published: 30/06/2010
# Version: 3.11.4 (possibly all versions)
# Vendor: http://www.weberp.org
# Description: "webERP is a complete web based accounting/ERP system that requires only a web-browser and pdf reader to use. It has a wide range of features suitable for many businesses particularly distributed businesses in wholesale and distribution. It is developed as an open-source application and is available as a free download to use. The feature set is continually expanding as new businesses and developers adopt it. There are on average 5,000 downloads per month."
# Credit: Vulnerability found by Canberk BOLAT at ADEO Security Labs - Mail: security[AT]adeo.com.tr - Web: http://security.adeo.com.tr
# Vulnerabilities:
1) CSRF: An attacker can add a new administrator to the system. All files have this issue. See the PoC section.
2) SQL Injection: The application recommends that magic_quotes_gpc be disabled. An attacker can inject SQL through the CSRF vulnerability, since the forged request carries attacker-controlled input that reaches the database without escaping. HTTP requests must be filtered.
# PoC (CSRF):
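As an added illustration of the two issues above (example code written for this page, not webERP's own code): a hypothetical PHP "add user" handler in the shape the advisory describes, next to a hardened version that checks a per-session CSRF token and uses a parameterized query so that the magic_quotes_gpc setting no longer matters. The script, table and column names (add_user.php, app_users, user_id, password, is_admin) are assumptions, as is the PHP 7+ / mysqli environment.

```php
<?php
// Added example, not webERP code. Table/column names are hypothetical.
session_start();

// --- Vulnerable shape: no CSRF token, SQL built by string concatenation.
// With magic_quotes_gpc disabled, nothing escapes $_POST before it reaches
// the query, so a forged cross-site POST from a logged-in admin's browser
// both creates the account and can carry SQL metacharacters.
function add_user_vulnerable(mysqli $db, array $post): bool
{
    $sql = "INSERT INTO app_users (user_id, password, is_admin) VALUES ('"
         . $post['user_id'] . "', '" . $post['password'] . "', "
         . $post['is_admin'] . ")";
    return $db->query($sql) === true;
}

// --- Hardened shape.
// 1) One random token per session, embedded in every state-changing form.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// 2) Constant-time comparison of the submitted token with the session copy.
function csrf_check(?string $submitted): bool
{
    if ($submitted === null || empty($_SESSION['csrf_token'])) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], $submitted);
}

function add_user_hardened(mysqli $db, array $post): bool
{
    // Only accept POST requests that carry a valid token; a cross-site
    // form cannot read the victim's session token, so the forgery fails here.
    if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST'
        || !csrf_check($post['csrf_token'] ?? null)) {
        http_response_code(403);
        return false;
    }

    // 3) Parameterized query: bound values never become SQL syntax,
    //    regardless of magic_quotes_gpc or any escaping in the request path.
    $user_id  = (string) ($post['user_id'] ?? '');
    $hash     = password_hash((string) ($post['password'] ?? ''), PASSWORD_DEFAULT);
    $is_admin = (($post['is_admin'] ?? '0') === '1') ? 1 : 0;

    $stmt = $db->prepare(
        'INSERT INTO app_users (user_id, password, is_admin) VALUES (?, ?, ?)'
    );
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('ssi', $user_id, $hash, $is_admin);
    return $stmt->execute();
}

// Form rendering: the token travels in a hidden field of the legitimate form.
function render_form(): string
{
    $token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="add_user.php">'
         . '<input type="hidden" name="csrf_token" value="' . $token . '">'
         . '<input name="user_id">'
         . '<input name="password" type="password">'
         . '<input name="is_admin" type="checkbox" value="1">'
         . '<button type="submit">Add user</button>'
         . '</form>';
}

// Usage sketch (connection parameters are placeholders):
// $db = new mysqli('localhost', 'dbuser', 'dbpass', 'appdb');
// if ($_SERVER['REQUEST_METHOD'] === 'POST') {
//     add_user_hardened($db, $_POST);
// } else {
//     echo render_form();
// }
```

The token check covers the CSRF finding on its own; the prepared statement is what removes the dependence on magic_quotes_gpc, so the SQL injection is closed even for a request that does arrive with a valid token. Applying both to every script that changes state is what "all files have this issue" implies for the fix.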