There was a CSRF case for a while in FA v2.3.12 stated in my post then.

The said file admin/users.php was last modified on 2015-05-10.

The Exploit form when submitted will return the following:

{
    "id":"0"
   ,"js":[
    {
    "n":"up"
   ,"t":"_page_body"
   ,"why":"_page_body"
   ,"data":"<br><br><form method='post' action='\/frontaccounting\/admin\/users.php?' name='loginform'>\n<center><table class='login' cellpadding='2' cellspacing='0'>\n<tr>\n<td align='center' colspan=2><a target='_blank' href='http:\/\/frontaccounting.com'><img src='..\/themes\/default\/images\/logo_frontaccounting.png' alt='FrontAccounting' height='50' onload='fixPNG(this)' border='0' ><\/a><\/td>\n<\/tr>\n<tr><td colspan=2 class='tableheader'>Version 2.4.3   Build 04.02.2018 - Login<\/td><\/tr>\n<tr><td class='label'>User name<\/td><td><input  type=\"text\" name=\"user_name_entry_field\" size=\"20\" maxlength=\"30\" value=\"\"><\/td>\n<\/tr>\n<tr><td class='label'>Password:<\/td><td ><input type='password' name='password' size=20 maxlength=20 value='' ><\/td>\n<\/tr>\n<tr><td>Company<\/td><td><select name='company_login_name'>\n<option value=0 selected>Default24 Company<\/option><option value=1 >Training24 Co<\/option><option value=2 >South Africa Company<\/option><\/select>\n<\/td><\/tr><tr>\n<td colspan=2 align='center' id='log_msg'>Please login here<\/td>\n<\/tr>\n<\/table><\/center>\n<br><input type='hidden' id=ui_mode name='ui_mode' value='' >\n<center><input type='submit' value='&nbsp;&nbsp;Login -->&nbsp;&nbsp;' name='SubmitUser' onclick='set_fullmode();' ><\/center>\n<input type='hidden' name='show_inactive' value=''><input type='hidden' name='user_id' value='Newadmin'><input type='hidden' name='real_name' value='New Admin'><input type='hidden' name='phone' value=''><input type='hidden' name='email' value=''><input type='hidden' name='role_id' value='8'><input type='hidden' name='language' value='C'><input type='hidden' name='pos' value='1'><input type='hidden' name='print_profile' value=''><input type='hidden' name='rep_popup' value='1'><input type='hidden' name='ADD_ITEM' value='Add new'><input type='hidden' name='_focus' value='user_id'><input type='hidden' name='_modified' value='0'><input type='hidden' name='_confirmed' value=''><input type='hidden' 
name='_token' value='Ta6aiT2xqlL2vg8u9aAvagxx'><input type='hidden' name='_random' value='757897.6552143205\r\n'><br><input type=\"hidden\" name=\"_focus\" value=\"user_id\"><input type=\"hidden\" name=\"_modified\" value=\"0\"><input type=\"hidden\" name=\"_confirmed\" value=\"\"><input type=\"hidden\" name=\"_token\" value=\"A83xncEdy_cwjfrIEHd03wxx\"><\/form>\n<script language='JavaScript' type='text\/javascript'>\n    \/\/<![CDATA[\n            <!--\n            document.forms[0].user_name_entry_field.select();\n            document.forms[0].user_name_entry_field.focus();\n            \/\/-->\n    \/\/]]>\n    <\/script>"
    }
   ,{
    "n":"js"
   ,"why":true
   ,"data":"document.forms[0].password.focus();"
   }
   ]
   ,"text":""
}

When the exploit form was submitted after having logged in, the following page is output:

{
    "id":"0"
   ,"js":[
    {
    "n":"up"
   ,"t":"_page_body"
   ,"why":"_page_body"
   ,"data":"<form method='post' action='\/frontaccounting\/admin\/users.php' >\n<center><table class='tablestyle' cellpadding='2' cellspacing='0'>\n<tr>\n<td class='tableheader' >User login<\/td>\n<td class='tableheader' >Full Name<\/td>\n<td class='tableheader' >Phone<\/td>\n<td class='tableheader' >E-mail<\/td>\n<td class='tableheader' >Last Visit<\/td>\n<td class='tableheader' >Access Level<\/td>\n<td class='tableheader' ><\/td>\n<td class='tableheader' ><\/td>\n<\/tr>\n<tr class='evenrow'>\n<td >admin<\/td>\n<td >Administrator<\/td>\n<td ><\/td>\n<td ><a href='mailto:adm@example.com'>adm@example.com<\/a><\/td>\n<td nowrap>02\/21\/2018<\/td>\n<td >System Administrator<\/td>\n<td align='center'><button type='submit' class='editbutton' name='Edit1' value='1' title='Edit' ><img src='..\/themes\/default\/images\/edit.gif' style='vertical-align:middle;width:12px;height:12px;border:0;' >\n<\/button>\n<\/td><td ><\/td>\n<\/tr>\n<tr><td colspan=8><div style='float:left;'><input type='checkbox' name='show_inactive' value='1' onclick='JsHttpRequest.request(\"_show_inactive_update\", this.form);' >\nShow also Inactive<\/div><div style='float:right;'><button class=\"inputsubmit\" type=\"submit\" style='display:none;' name=\"Update\"  id=\"Update\" value=\"Update\"><span>Update<\/span><\/button>\n<\/div><\/td><\/tr><\/table><\/center>\n<br><center><table class='tablestyle2' cellpadding='2' cellspacing='0'>\n<tr><td class='label'>User Login:<\/td><td><input  type=\"text\" name=\"user_id\" size=\"22\" maxlength=\"20\" value=\"Newadmin\"><\/td>\n<\/tr>\n<tr><td class='label'>Password:<\/td><td ><input type='password' name='password' size=20 maxlength=20 value='' ><\/td>\n<\/tr>\n<tr><td class='label'>Full Name:<\/td><td><input  type=\"text\" name=\"real_name\" size=\"50\" maxlength=\"50\" value=\"New Admin\" ><\/td>\n<\/tr>\n<tr><td class='label'>Telephone No.:<\/td><td><input  type=\"text\" name=\"phone\" size=\"30\" maxlength=\"30\" value=\"\" ><\/td>\n<\/tr>\n<tr><td 
class='label'>Email Address:<\/td><td><input  type=\"text\" name=\"email\" size=\"50\" maxlength=\"50\" value=\"\" ><\/td>\n<\/tr>\n<tr><td class='label'>Access Level:<\/td><td><span id='_role_id_sel'><select id='role_id' autocomplete='off'  name='role_id' class='combo' title='' ><option selected  value='8'>AP Officer<\/option>\n<option   value='7'>AR Officer<\/option>\n<option   value='1'>Inquiries<\/option>\n<option   value='9'>Accountant<\/option>\n<option   value='5'>Production Manager<\/option>\n<option   value='6'>Purchase Officer<\/option>\n<option   value='3'>Salesman<\/option>\n<option   value='4'>Stock Manager<\/option>\n<option   value='10'>Sub Admin<\/option>\n<option   value='2'>System Administrator<\/option>\n<\/select>\n<\/span>\n<\/td>\n<\/tr>\n<tr><td class='label'>Language:<\/td><td><span id='_language_sel'><select autocomplete='off'  name='language' class='combo' title=''><option selected value='C'>English<\/option>\n<\/select>\n<\/span>\n<\/td>\n<\/tr>\n<tr><td class='label'>User's POS:<\/td>\n<td><span id='_pos_sel'><select id='pos' autocomplete='off'  name='pos' class='combo' title='' ><option selected  value='1'>Default<\/option>\n<\/select>\n<\/span>\n<\/td><\/tr>\n<tr><td class='label'>Printing profile:<\/td>\n<td><span id='_print_profile_sel'><select autocomplete='off'  name='print_profile' class='combo' title=''><option selected value=''>Browser printing support<\/option>\n<option  value='Central'>Central<\/option>\n<option  value='Out of office'>Out of office<\/option>\n<option  value='Sales Department'>Sales Department<\/option>\n<\/select>\n<\/span>\n<input  type='submit' class='combo_select' style='border:0;background:url(..\/themes\/default\/images\/button_ok.png) no-repeat;display:none;' aspect='fallback' name='_print_profile_update' value=' ' title='Select'> \n<\/td><\/tr>\n<tr><td class='label'>Use popup window for reports:<\/td><td ><input checked type='checkbox' name='rep_popup' value='1' title='Set this option to on if your 
browser directly supports pdf files' >\n<\/td><\/tr>\n<\/table><\/center>\n<br><center><button class=\"ajaxsubmit\" type=\"submit\" aspect='default'  name=\"ADD_ITEM\"  id=\"ADD_ITEM\" value=\"Add new\"><img src='..\/themes\/default\/images\/ok.gif' height='12' alt=''><span>Add new<\/span><\/button>\n<\/center><input type=\"hidden\" name=\"_focus\" value=\"user_id\"><input type=\"hidden\" name=\"_modified\" value=\"0\"><input type=\"hidden\" name=\"_confirmed\" value=\"\"><input type=\"hidden\" name=\"_token\" value=\"xug4LnCbMhztG65aZRdVUgxx\"><\/form>\n<center><center><table width='20%' cellpadding='2' cellspacing='0'>\n<tr>\n<td align=center><a href='javascript:goBack();'>Back<\/a><\/td>\n<\/tr>\n<\/table><\/center>\n<\/center><br>"
    }
   ,{
    "n":"fc"
   ,"why":true
   ,"data":"user_id"
   }
   ,{
     "n":"js"
    ,"why":"editors"
    ,"data":"editors = [  ];"
    }
    ]
   ,"text":"<div class='err_msg'>Request from outside of this page is forbidden.<\/div>"
}

Hence it is seen that it is not affected.
The hidden field _token is present in the form and is checked by the server side and hence protects it from malicious submitted data.
This was tested in the FA 2.4.3+ Current Git Master using PHP 5.3.1 on XAMPP 1.7.3. If this issue persists in other installs, indicate versions of PHP / MySQL / WebServer used.
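As an added example (not FrontAccounting's own code) of the server-side check that makes the hidden _token field effective: a per-form token is stored in the session, compared in constant time and discarded after one use, so a form posted from another site, or one carrying a stale token, gets the same "forbidden" error shown above. The function names and the form name 'users' are assumptions, and it assumes PHP 7.1+ rather than the PHP 5.3 used in the test.

```php
<?php
// Added example, not FrontAccounting code: minimal per-form CSRF token check.
// Names (csrf_issue_token, csrf_check_token, form key 'users') are assumptions.

session_start();

// Issue a fresh random token for a form and remember it server-side.
function csrf_issue_token(string $form): string
{
    $token = bin2hex(random_bytes(16));
    $_SESSION['csrf'][$form] = $token;
    return $token;
}

// Validate the token posted with the form: constant-time compare, single use.
function csrf_check_token(string $form, ?string $submitted): bool
{
    $expected = $_SESSION['csrf'][$form] ?? null;
    if ($expected === null || $submitted === null) {
        return false;          // no token issued for this session/form
    }
    $ok = hash_equals($expected, $submitted);
    unset($_SESSION['csrf'][$form]);   // a replayed token fails next time
    return $ok;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_check_token('users', $_POST['_token'] ?? null)) {
        http_response_code(403);
        echo "<div class='err_msg'>Request from outside of this page is forbidden.</div>";
        exit;
    }
    // Only now is it safe to act on user_id, real_name, role_id, ...
}

// Render the form with a token bound to this session.
$token = htmlspecialchars(csrf_issue_token('users'), ENT_QUOTES, 'UTF-8');
echo "<form method='post' action='users.php'>"
   . "<input type='hidden' name='_token' value='$token'>"
   . "<input type='text' name='user_id'>"
   . "<input type='submit' name='ADD_ITEM' value='Add new'>"
   . "</form>";
```

A cross-site form cannot read the victim's session token, so its POST fails the check even though the browser attaches the session cookie.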

Create a custom report. See rep114.php - Sales Summary Report for example code.


(7 replies, posted in Setup)

The default FA install will have Price After Tax - hence add whatever tax you want in each line item of a Direct Sales Invoice Entry Form. The tax reporting is based on tax per item. That is why we have item tax. The default Sales Invoice PDF does not have the individual taxes but the total tax included as a summary line.


(86 replies, posted in Modules Add-on's)

Use the normal Web UI for FA and navigate to the screen that provides for the sales price and taxes you want. Study the code behind it and see what functions provide them and use those functions by extending the API to do what you need. Also study the ERDs in the Wiki at:
https://frontaccounting.com/fawiki/index.php?n=Devel.ERDiagram23
https://frontaccounting.com/fawiki/index.php?n=Devel.ERDiagram24

Possibly a depreciation class to which each asset can pertain....

@joe: ??


(86 replies, posted in Modules Add-on's)

You cannot get the price and price after tax from the inventory item call.
You need to make a tax call and some other calls - check out the various API constructs as to what will get you what you want. If there is a value in some table's field that is not there in the standard API calls, let us know.

Place the images somewhere and put in html code to achieve it. Reporting is based on TCPDF/fpdf/Cpdf and the derived class is in reporting/includes/pdf_report.inc. Take professional assistance for report formatting if you cannot do it yourself - post your offer and bounty in the Job Offers board. The header logo can be enabled for header image. See the config.php file and the sys_prefs table.

Read the Report Signature heading in the Wiki and the corresponding post.

Tested the following in a non default company.

1. Fresh install based on en_US-demo.sql
2. Take backup 1
3. Setup => Access Setup
4. Choose System Administrator Role
5. Click Save Role
6. Take backup 2
7. Compare backup 1 and backup 2:

The backup 1 has these permissions for System Administrator:

256;257;258;259;260;

The backup 2 does not have these anymore, all other permissions are the same.

When the permissions for the Fixed Asset Configuration is ticked for the System Administrator and the Role saved, the extra permission that appears for the said role is: 9216.

@joe: Are there any defaults hardcoded in the scripts that may be in error?


(4 replies, posted in Report Bugs here)

It currently appears to be coded into these 3 places. In others $rel and the $selector are used. In yet others, the search box context is used.

@joe: What is the intended way of using it?


(4 replies, posted in Report Bugs here)

In Setup => Display Setup there is a checkbox for enabling hints for new users. Where do these hints come from? Is there a hints table missing in FA? All places where it should be displayed, the following code is present:

(user_hints() ? "<span id='hints'></span>" : '')

Is this some sort of Ajax implementation reserved for custom themes? Even then, these hints must come from somewhere - a table or an array of hints.

The latest version is attached herein and complies with changes in the 2017-12-19 core commit for VARLOG_PATH and VARLIB_PATH (the latter is exclusively used herein as per relevant core inclusions).

CHANGELOG

This is by design as each asset should be depreciated separately.


(86 replies, posted in Modules Add-on's)

Look at overwritten Lines 109,110 in api24/sales.inc:

$info[$sale_index]['ov_discount'] = $trans['ov_discount'];
$info[$sale_index]['ov_discount'] = $trans['Total'];

The above has been corrected and committed in my repo.

Also the VARLIB commit in the core has not been updated as yet in this module but committed in my repo.

The URLs for sales (TRANS_TYPE = 10 for Sales Invoices) are like:

http://www.example.com/frontac24/modules/api24/sales/<TRANS_TYPE>
http://www.example.com/frontac24/modules/api24/sales/<TRANS_NO>/<TRANS_TYPE>
http://www.example.com/frontac24/modules/api24/sales/<TRANS_NO>/<TRANS_TYPE>?page=<PAGE_NO>

Note the order of the attributes in the last 2 URLs above.
The api24/config_api.inc has the constant RESULTS_PER_PAGE defined in it.

Both work okay in my version. For Transaction Number 2 in Transaction Type Sales Invoice (10) the output is:

{
 "ref":"002\/2017"
,"comments":""
,"order_date":"05\/07\/2017"
,"payment":"4"
,"payment_terms":{
    "0":"4"
   ,"terms_indicator":"4"
   ,"1":"Cash Only"
   ,"terms":"Cash Only"
   ,"2":"0"
   ,"days_before_due":"0"
   ,"3":"0"
   ,"day_in_following_month":"0"
   ,"4":"0"
   ,"inactive":"0"
   ,"5":"1"
   ,"cash_sale":"1"
 }
,"due_date":"05\/07\/2017"
,"phone":""
,"cust_ref":""
,"delivery_address":"N\/A"
,"ship_via":"1"
,"deliver_to":"Donald Easter LLC"
,"delivery_date":"05\/07\/2017"
,"location":"DEF"
,"freight_cost":"0"
,"email":""
,"customer_id":"1"
,"branch_id":"1"
,"sales_type":"1"
,"dimension_id":"0"
,"dimension2_id":"0"
,"line_items":
 [
  {
     "id":"6"
    ,"stock_id":"101"
    ,"qty":1
    ,"units":"each"
    ,"price":"300"
    ,"discount":"0"
    ,"description":"iPad Air 2 16GB"
  }
 ]
,"sub_total":300
,"display_total":300
}


(114 replies, posted in Reporting)

It is possible you are using an outdated / incompatible Chart of Accounts. The one in the official repo has its field order for some tables different from the en_US-new.sql apart from some other changes. What "files" did you copy over?

Make a new install of FA 2.4.3+ by taking the files from the GitMaster that has all the fixes needed as well. Now place the corrected Canadian Chart of Accounts from the FA24extensions repo and place it in your sql folder.

Now make your tax rate entries and fill in some data and check if your problem still remains.

@joe: is this tax scenario prone to such errors?

@boxygen: The database integrity will be affected as 1 Sales Order is related to 1 or more Customer Deliveries but 1 Customer Delivery  pertains to just 1 Sales Order as the latter has the Cust_Branch defined in it.

@stefan: Sales Order Tracking will then have to be manual on the description / memo fields.

The best way is to make a new Sales Order for another cust_branch and edit / move over the subset of items that need to emanate from that other cust_branch to it and effect delivery from it.

@joe: nice addition for all such popup pages if popups are enabled.

Take a backup.
Enter one such depreciation record.
Take another backup and see what SQL INSERTs/ UPDATEs are needed.
Restore from first backup.
Make SQL statements for all depreciations and then import them into the DB.

At the moment in the default FA - no.
You can however change the code of the dropdown select box to restrict it to the same branch that the sales order emanated from.

A non-alphabetical first char being omitted before sorting....
Thanks - hope this helps someone.

There was no difference in FA 2.3.26 - wonder what made this necessary now.

Split the Sales Order across 2 different branches as separate ones and then effect the deliveries accordingly.

A sales order is specific to a Customer Branch in FA as of now.


(4 replies, posted in Report Bugs here)

The Customer Balance may be because of payments received but not allocated to appropriate bills which may appear unpaid.

Try to upgrade to the latest GitMaster version since there have been several bugfixes since the FA 2.4.3 release version. You can overwrite with the changed files and adjust for the new constants in the config files and small changes in the db data (sys_prefs table).

Check if the customers have any credit bills pending.


(6 replies, posted in Setup)

@franaxx: Thank you for the feedback.

@joe: can make it part of the official pkg repo.