c2c-oerpscenario team mailing list archive
-
c2c-oerpscenario team
-
Mailing list archive
-
Message #15287
[Bug 671926] Re: NET-RPC client-side stack should sanitize pickled data
@Open Net Sàrl:
I beg to differ. If you read the description and comments carefully, you will see that:
1. NET-RPC is not a secure protocol, so it cannot be compared to secure XML-RPC at all. This vulnerability has nothing to do with the transmission of unencrypted data.
2. This NET-RPC vulnerability is not exploitable if you are connecting only to trusted servers. Presumably, production end-users are always connected to trusted production servers, so they are not exposed to this.
This perhaps explains why this bugs looks much more critical than it really is.
If you are connecting to non-trusted servers, you are probably not sending sensitive data, so you should be fine using unencrypted XML-RPC.
Now if you really want to use Secure XML-RPC and are in a Windows-only world, you might want to start by analyzing the problem in bug 673775... you might be able to help find a workaround or even a fix.
--
You received this bug notification because you are a member of C2C
OERPScenario, which is subscribed to the OpenERP Project Group.
https://bugs.launchpad.net/bugs/671926
Title:
NET-RPC client-side stack should sanitize pickled data
Status in OpenERP GTK Client:
Confirmed
Status in OpenERP GTK Client 5.0 series:
Confirmed
Status in OpenERP Web Client:
Confirmed
Status in OpenERP Web Client 5.0 series:
Confirmed
Bug description:
It's possible to execute arbritrary code on client using net-rpc
(pickle protocol) see http://nadiana.com/python-pickle-insecure
If you use the client to connect to some demo server and this demo
server is malicious, it can send malicious code which is executed in
client side.
I attach a exploit server who sends code to execute to client. Run a
ls -l and redirect the output to proof_of_exploit.txt file.
This bug was fixed in the server, but not in the client.
Affects versions 4.2, 5.X and 6.X