
c2c-oerpscenario team mailing list archive

[Bug 671926] Re: NET-RPC client-side stack should sanitize pickled data

 

@Open Net Sàrl:
I beg to differ. If you read the description and comments carefully, you will see that:
1. NET-RPC is not a secure protocol, so it cannot be compared to secure XML-RPC at all. This vulnerability has nothing to do with the transmission of unencrypted data.
2. This NET-RPC vulnerability is not exploitable if you are connecting only to trusted servers. Presumably, production end-users are always connected to trusted production servers, so they are not exposed to this.
This perhaps explains why this bug looks much more critical than it really is.

If you are connecting to non-trusted servers, you are probably not sending sensitive data, so you should be fine using unencrypted XML-RPC.
Now if you really want to use Secure XML-RPC and are in a Windows-only world, you might want to start by analyzing the problem in bug 673775...  you might be able to help find a workaround or even a fix.

-- 
You received this bug notification because you are a member of C2C
OERPScenario, which is subscribed to the OpenERP Project Group.
https://bugs.launchpad.net/bugs/671926

Title:
  NET-RPC client-side stack should sanitize pickled data

Status in OpenERP GTK Client:
  Confirmed
Status in OpenERP GTK Client 5.0 series:
  Confirmed
Status in OpenERP Web Client:
  Confirmed
Status in OpenERP Web Client 5.0 series:
  Confirmed

Bug description:
  It's possible to execute arbitrary code on client using net-rpc
  (pickle protocol) see http://nadiana.com/python-pickle-insecure

  If you use the client to connect to some demo server and this demo
  server is malicious, it can send malicious code which is executed in
  client side.

  I attach an exploit server that sends code to execute to client. Run a
  ls -l and redirect the output to proof_of_exploit.txt file.

  This bug was fixed in the server, but not in the client.
  Affects versions 4.2, 5.X and 6.X
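
Added example, not part of the original bug report and not OpenERP code: one way a client could sanitize pickled replies, using a pickle.Unpickler subclass that refuses every global lookup so only plain data loads. It assumes Python 3 and that the client already holds the received payload as bytes; the names DataOnlyUnpickler, safe_loads and CallsLen are hypothetical, and the sample payloads are constructed.

```python
import io
import pickle


class DataOnlyUnpickler(pickle.Unpickler):
    """Unpickler that accepts plain data and refuses every global lookup."""

    def find_class(self, module, name):
        # Every GLOBAL / STACK_GLOBAL opcode ends up here. Dicts, lists,
        # strings, numbers, booleans and None never trigger this call.
        raise pickle.UnpicklingError(
            "global %s.%s is not allowed in an RPC reply" % (module, name)
        )


def safe_loads(payload):
    """Deserialize bytes received from a server without importing anything."""
    return DataOnlyUnpickler(io.BytesIO(payload)).load()


class CallsLen:
    """Constructed stand-in for an untrusted reply: loading it calls len('abc')."""

    def __reduce__(self):
        return (len, ("abc",))


def demo():
    # Constructed sample payloads, not captured NET-RPC traffic.
    reply = pickle.dumps({"id": 7, "fields": ["name", "state"], "ok": True})
    untrusted = pickle.dumps(CallsLen())
    results = {"plain": safe_loads(reply)}
    # Stock pickle.loads invokes the callable named in the stream.
    results["stock_loads"] = pickle.loads(untrusted)
    try:
        safe_loads(untrusted)
        results["restricted"] = "loaded"
    except pickle.UnpicklingError as exc:
        results["restricted"] = str(exc)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

Replies that carry types such as datetime do reach find_class, so a client that needs them would allow those exact (module, name) pairs there and keep rejecting everything else.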