c2c-oerpscenario team mailing list archive

Thread
Date

[Bug 632927] Re: User password should not be displayed/sent

To: c2c-oerpscenario@xxxxxxxxxxxxxxxxxxx
From: "hda \(OpenERP\)" <hda@xxxxxxxxxxx>
Date: Tue, 28 Dec 2010 06:40:46 -0000
Reply-to: Bug 632927 <632927@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

** Changed in: openobject-server
       Status: Confirmed => In Progress

-- 
You received this bug notification because you are a member of C2C
OERPScenario, which is subscribed to the OpenERP Project Group.
https://bugs.launchpad.net/bugs/632927

Title:
  User password should not be displayed/sent

Status in OpenObject Server:
  In Progress

Bug description:
  Hi,

The user password is shown in cleartext in the Preference page source, this allow an attaquant to steal the password from the user.

Steps to reproduce:
1. Log in the web client
2. Go the Preferences (top-right button)
3. Show the page source, search for id="password" ... the <input/> element contain the value="PASSWORD".

The password should always be anonymized between the user and the web client.
A better approch could be:
  Always send ********, because if the user want to change his password he need to re-type it entirely anyway. So if the web client received anything other than ******** then, and only then it should write the password to the server!.

(NB: This bug was reported by an external Security Consultant during an OpenERP security audit of one of our customer)