How White-Box hacking works: Scipio ERP, RCE/CSRF and Co

Why Scipio ERP (v2.0.0):

  • 240 stars on Github
  • Apache-2.0 License
  • Java

The mentioned vulnerabilities were found and exploited by Ihor Voschyk and Darina Honcharenko, October 24, 2020.

Remote Code Execution

Severity: Critical
To reproduce the issue, navigate to /admin/control/ProgramExport and paste a groovy script to execute any code on the server. 

Local File Disclosure

Severity: High

Navigate to /cms/control/editTemplate and create a template:

Then use file://../../../../any/file as a template location and press “Save” on the top:

Arbitrary File Deletion

Severity: Medium

Go to /cms/control/CmsDataExport. Set the file name to override in “Single Filename” field, select any preset and press “export”.

The file will be overwritten with XML:

User enumeration

Severity: Medium
The application responds with a “user not found” message if a user does not exist. This makes guessing of correct logins possible.

Authorization Bypass (Cross-Site Request Forgery)

Severity: Medium

The application does not use any means of anti-CSRF protection, which means it’s possible to lure users to arbitrary pages and take action on legitimate Scipio ERP applications on their behalf. We were able to achieve RCE through CSRF vulnerability, thus effectively bypassing the authorization.


The overall security level of Scipio ERP application v2.0.0 is determined as: Low.

Users should be aware that Scipio_ERP team acknowledged the User Enumeration vulnerability only. Risk of other vulnerabilites was accepted – “All but one of the security vulnerabilities are by design”.

LL advises to all the researchers do not break real applications illegally. This fun leads to broken businesses and lives, and, most likely, will not make an attacker really rich.