I noticed this loop hole in Tally Accounting software. Lets suppose you have a configuration that prevents people from modifying backdated vouchers. You have configured a company with Security Control, preventing of Create/Alter Backdated vouchers.
This works fine and your data entry people can not enter any backdated vouchers - or so you think!
Gateway of Tally contains an option Import Data. Its purpose is to import tally vouchers in XML format. And this option does not seem to bother about verifying if the vouchers are backdated etc. In fact, It does not seem to bother about the security control settings itself. It is perfectly possible for a backdated voucher to be imported!
To import a voucher, you need it to be in XML format. No sweat! You can export a voucher from Tally to XML format. So make an entry in current date, export it using the Export button to XML format, edit the date using *******, import it back to tally using the Import Voucher option and viola! You have created a backdated voucher!
I confirmed this with Tallysolutions and they recognized this vulnerability. Is it fixed in Release 3 BETA?
Tuesday 25 November, 2008
Subscribe to:
Posts (Atom)