Security issue: SQL injection
Bug #422563 reported by Cédric Krier
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Odoo Server (MOVED TO GITHUB) | Fix Released | Critical | Unassigned | |
Bug Description
I found a security hole in OpenERP that allows anybody with login access to
retrieve/
I have an exploit script that retrieves or modifies the admin password as proof
of concept.
The exploit works with XML-RPC, NET-RPC and also on eTiny and has been there
since at least version 3.4.2 (I could not check previous versions because the
sources are no longer available).
I have written a patch that fixes the hole.
Changed in openobject-server:
status: | Fix Committed → Fix Released |
visibility: | private → public |
visibility: | public → private |
visibility: | private → public |
description: | updated |
visibility: | public → private |
visibility: | private → public |
Hello Cédric Krier,
Fixed the hole by revision 1853 <email address hidden>.
Thank you very much.