c2c-oerpscenario team mailing list archive
Message #31006
[Bug 832601] Re: [OpenERP-11:auth.01] Unauthenticated access using direct RPC calls
If you've updated to 6.0.3 and still see the security notification in
your OpenERP home screen, you can remove it by logging in as an
administrator, going to Administration>Reporting>Audit>Client Logs,
pressing "Clear" to reset the filters, and then deleting the related
system message.
** Visibility changed to: Public
--
You received this bug notification because you are a member of C2C
OERPScenario, which is subscribed to the OpenERP Project Group.
https://bugs.launchpad.net/bugs/832601
Title:
[OpenERP-11:auth.01] Unauthenticated access using direct RPC calls
Status in OpenERP Server:
Fix Released
Bug description:
OpenERP-11:auth.01 Security Advisory
Title: Unauthenticated access using direct RPC calls
Component: openobject-server
Credits: Martin Collins
Affects: OpenERP v6.0.0 to 6.0.2
Corrected: 2011-04-28 (included in OpenERP v6.0.3)
I. Background
OpenERP server is accessible using RPC protocols (by default XML-RPC
on port 8069 and NET-RPC on 8070), not only for client access (GTK or
Web server) but also for any kind of direct inter-operation with
external systems.
Several remote services are available using this RPC interface, among
which the /object service that allows remote method calls on most ORM
objects (i.e. OpenERP business data objects).
II. Problem Description
A programming error was discovered in the authentication layer of
version 6.0 that could allow RPC requests directly sent to the /object
service to proceed without being properly authenticated.
III. Impact
Access Vector: Network exploitable
Access Complexity: Low
Authentication: Not required to exploit
An attacker could remotely execute operations as any user of the
system, including the administrator, if using XML-RPC manually.
The OpenERP clients (GTK, Web) do perform a call to the /common/login
service to properly authenticate the user before executing further
remote operations. This prevents any possible unauthenticated access
when using the official clients.
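Because the official clients always call /common/login before touching /object, a /object call from a client that never logged in is the pattern worth flagging while a 6.0.0-6.0.2 server is still exposed. The following detector is an added example written for this page, not code from the advisory or from OpenERP; the log format it parses (timestamp, client IP, service, method, arguments) is constructed for illustration and does not correspond to any real OpenERP 6.0 log line.

```python
"""Heuristic detector for direct /object RPC calls with no preceding
/common/login from the same client (added example, constructed log format)."""
import re
from datetime import datetime, timedelta

# Constructed sample lines: "<date> <time> <client-ip> <service> <method> <args>"
SAMPLE_LOG = """\
2011-04-29 09:00:00 192.0.2.10 /common login db=prod user=admin
2011-04-29 09:00:02 192.0.2.10 /object execute db=prod uid=1 res.partner search
2011-04-29 09:05:00 203.0.113.7 /object execute db=prod uid=1 res.users write
2011-04-29 09:06:00 203.0.113.7 /object execute db=prod uid=1 res.users read
2011-04-29 13:30:00 192.0.2.10 /object execute db=prod uid=1 res.partner read
""".splitlines()

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (/\S+) (\S+) (.*)$")
SESSION_WINDOW = timedelta(hours=4)  # assumption: one login "covers" 4 hours


def parse(line):
    """Split one constructed log line into (timestamp, ip, service, method, args)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    return ts, m.group(2), m.group(3), m.group(4), m.group(5)


def find_unauthenticated_object_calls(lines, window=SESSION_WINDOW):
    """Return (timestamp, ip, args) for every /object call whose client IP has
    no /common/login within `window` before it."""
    last_login = {}  # client IP -> time of its most recent /common/login
    alerts = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, ip, service, method, args = rec
        if service == "/common" and method == "login":
            last_login[ip] = ts
        elif service == "/object":
            login_ts = last_login.get(ip)
            if login_ts is None or ts - login_ts > window:
                alerts.append((ts.isoformat(sep=" "), ip, args))
    return alerts


if __name__ == "__main__":
    for alert in find_unauthenticated_object_calls(SAMPLE_LOG):
        print("suspect /object call without prior login:", alert)
```

Each /object request carries its own credentials, so a hit is a triage lead rather than proof of abuse; the fix remains the upgrade or patch described below.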
In addition, the 'base_crypt' module that implements encrypted
passwords in OpenERP overrides the authentication layer, and does not
have this vulnerability. The 'users_ldap' module however, does not
prevent it.
OpenERP Online servers have been patched as of the day of the correction.
OpenERP Enterprise subscribers have been notified as of the day of the correction.
IV. Workaround
The vulnerability can be suppressed by installing the 'base_crypt'
module, because it replaces the part of the authentication layer that
is vulnerable. As a consequence, all passwords will be encrypted in
the database.
Systems that use LDAP authentication ('users_ldap' module) are also
vulnerable, but unfortunately the 'base_crypt' module is not currently
compatible with 'users_ldap'. No known workaround is available in that
case, so you should upgrade to OpenERP
V. Solution
Update to OpenERP 6.0.3 if possible, otherwise apply the patch
attached to this bug report.
To apply the patch, change into the root directory of the server
installation, then execute the patch command, such as:
patch -p0 -f < /path/to/the_patch_file.patch
VI. Correction details
Here are the details of the source code revision introducing the fix:
-------------------------------------------------------------
revno: 3414
revision-id: odo@xxxxxxxxxxx-20110428153901-0msblcxirkgskmsl
committer: Olivier Dony <odo@xxxxxxxxxxx>
branch nick: 6.0
timestamp: Thu 2011-04-28 17:39:01 +0200
modified:
bin/addons/base/res/res_user.py svn2bzr-97cf75fe6703794bb3ed13a00a5b17f0fa59d944
-------------------------------------------------------------
To manage notifications about this bug go to:
https://bugs.launchpad.net/openobject-server/+bug/832601/+subscriptions