c2c-oerpscenario team mailing list archive
-
c2c-oerpscenario team
-
Mailing list archive
-
Message #08261
[Bug 618674] Re: [5.0] HTTP Request Smuggling possible in 5.0
To be more precise: the warning you saw was just a security measure of
the browser because the former Ajax library tried to set a header that
cannot be manually set. This was useless and not harmful in any way, and
is now removed.
The attack you refer to is simply the reason why modern browsers refuse
to let the Ajax callers set these headers, and this is about a
vulnerability of Proxies and Web Gateway, and is not a concern for
OpenERP.
** Visibility changed to: Public
** This bug is no longer flagged as a security vulnerability
** Changed in: openobject-client-web
Importance: Critical => Low
--
You received this bug notification because you are a member of C2C
OERPScenario, which is subscribed to the OpenERP Project Group.
https://bugs.launchpad.net/bugs/618674
Title:
[5.0] HTTP Request Smuggling possible in 5.0
Status in OpenObject Web Client:
Fix Released
Bug description:
Hi
I found an issue when i configure the web client with reverse proxy
I use Chromuim (Chrome web browser) and i activate the javascript console, after login, i see the menu and in my console i see:
- Refused to set unsafe header "Connection"
- Refused to set unsafe header "Content-length"
After some search on the web, i found this article http://www.owasp.org/index.php/HTTP_Request_Smuggling and explain how to exploi this issue with embeded a second http request in the first one
Regards,