c2c-oerpscenario team mailing list archive
-
c2c-oerpscenario team
-
Mailing list archive
-
Message #07339
[Bug 671926] Re: Remote code execution
** Patch added: "Add the missing cStringIO import"
https://bugs.launchpad.net/openobject-client/+bug/671926/+attachment/1760728/+files/patch_tiny_socket2.diff
--
You received this bug notification because you are a member of C2C
OERPScenario, which is subscribed to the OpenERP Project Group.
https://bugs.launchpad.net/bugs/671926
Title:
Remote code execution
Status in OpenObject GTK Client:
Confirmed
Status in OpenObject GTK Client 5.0 series:
Confirmed
Status in OpenObject Web Client:
Confirmed
Status in OpenObject Web Client 5.0 series:
Confirmed
Bug description:
It's possible to execute arbritrary code on client using net-rpc (pickle protocol) see http://nadiana.com/python-pickle-insecure
If you use the client to connect to some demo server and this demo server is malicious, it can send malicious code which is executed in client side.
I attach a exploit server who sends code to execute to client. Run a ls -l and redirect the output to proof_of_exploit.txt file.
This bug was fixed in the server, but not in the client.
Affects versions 4.2, 5.X and 6.X