
openerp-community-reviewer team mailing list archive

[Bug 1157839] Re: [7.0] users with write access on Partners can change any user's password if "Enable password reset from Login page" is enabled


** Also affects: ocb-server
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of OpenERP
Community Backports, which is subscribed to OpenERP Community Backports
(Server).
https://bugs.launchpad.net/bugs/1157839

Title:
  [7.0] users with write access on Partners can change any user's
  password if "Enable password reset from Login page" is enabled

Status in OpenERP Community Backports (Server):
  New
Status in OpenERP Server:
  Fix Committed

Bug description:
  Through some testing I have discovered a potential security risk in
  OpenERP version 7.  In order to trigger the risk, the following needs
  to be true:

  - User administrator does not have an email-address configured
  - The option "Enable password reset from Login page" must be checked (True)
  - There must be a user with the minimum amount of rights and the chatter at his disposal

  Steps to reproduce:

  1. Login as minimal user
  2. Create an object of some kind (for example, a simple sales order)
  3. Save the object
  4. In the bottom right corner, if admin is a follower, remove him from the list
  5. Click the "Add others" button
  6. Search for administrator and click to select him
  Because this account has no email-address filled in, the limited user will be presented with a form, explaining that the email-address is a required field. You may now enter any address desired.
  7. Fill in an email-address and press save.
  8. Discard the invitation and logout
  9. On the login page, type name = 'admin' and click the "Reset password" button.

  If configured correctly, you should now get an email to be able to
  reset the admin password to anything desired.

  The OpenERP version I used is 7.

  I used the following branches to test this scenario:
  Server: 4900
  Addons: 8881
  Web: 3850

  I don't think it is relevant, but I tested using Ubuntu server 12.04.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ocb-server/+bug/1157839/+subscriptions
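The steps above describe a privilege escalation through a shared record: a user account (res.users) authenticates by password, but its password-reset path is keyed on the email of the partner record (res.partner) that backs it, and that partner record is writable by anyone with write access on partners. The following is an added illustration written for this page, not OpenERP code and not the committed fix. It uses an in-memory stand-in for the two record types, replays the reporter's steps against a "vulnerable" partner write, and then against a hardened write that treats the email of a user-backed partner as part of that account's authentication data. The hardened check, the `Db` class, the function names and the `attacker@example.invalid` address are all assumptions made for the example.

```python
"""Model of the OpenERP 7 reset-password escalation reported above.

Added illustration, not OpenERP code: a User points at a Partner, Partner.email is
writable by anyone with write access on partners, and the login-page "Reset password"
action trusts Partner.email. write_partner_hardened is one plausible check (an
assumption for this example), not the project's actual fix.
"""
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

ATTACKER_MAILBOX = "attacker@example.invalid"  # constructed address for the walkthrough


@dataclass
class Partner:
    id: int
    name: str
    email: Optional[str] = None


@dataclass
class User:
    id: int
    login: str
    partner_id: int
    is_admin: bool = False
    password: str = "initial"


class Db:
    """In-memory stand-in for the relevant res.partner / res.users records."""

    def __init__(self, reset_from_login_page: bool = True) -> None:
        self.partners: Dict[int, Partner] = {}
        self.users: Dict[int, User] = {}
        self.reset_tokens: Dict[str, int] = {}        # token -> user id
        self.outbox: List[Tuple[str, str]] = []       # (recipient email, token) "delivered"
        self.reset_from_login_page = reset_from_login_page

    def user_for_partner(self, partner_id: int) -> Optional[User]:
        return next((u for u in self.users.values() if u.partner_id == partner_id), None)

    def user_by_login(self, login: str) -> Optional[User]:
        return next((u for u in self.users.values() if u.login == login), None)


def write_partner_vulnerable(db: Db, caller: User, partner_id: int, vals: dict) -> None:
    # Only check: caller has write access on partners (every user in this model does).
    for field_name, value in vals.items():
        setattr(db.partners[partner_id], field_name, value)


def write_partner_hardened(db: Db, caller: User, partner_id: int, vals: dict) -> None:
    # Added check: the email of a partner that backs a user account is part of that
    # account's authentication path, so only the account owner or an admin may set it.
    owner = db.user_for_partner(partner_id)
    if "email" in vals and owner is not None and not (caller.is_admin or caller.id == owner.id):
        raise PermissionError("cannot change the email of another user's partner")
    write_partner_vulnerable(db, caller, partner_id, vals)


def request_reset(db: Db, login: str) -> None:
    """The login-page 'Reset password' button: mail a one-time token to the partner email."""
    if not db.reset_from_login_page:
        raise PermissionError("password reset from the login page is disabled")
    user = db.user_by_login(login)
    email = db.partners[user.partner_id].email if user else None
    if not email:
        return  # nothing to send to: the reporter's precondition is that admin has no email
    token = secrets.token_urlsafe(32)
    db.reset_tokens[token] = user.id
    db.outbox.append((email, token))


def reset_password(db: Db, token: str, new_password: str) -> None:
    user_id = db.reset_tokens.pop(token)
    db.users[user_id].password = new_password


def run_scenario(write_partner: Callable[[Db, User, int, dict], None]) -> bool:
    """Replay the reported steps; return True if the minimal user ends up owning admin."""
    db = Db(reset_from_login_page=True)
    db.partners[1] = Partner(1, "Administrator")                      # no email configured
    db.partners[2] = Partner(2, "Minimal User", "min@example.invalid")
    db.users[1] = User(1, "admin", partner_id=1, is_admin=True)
    db.users[2] = User(2, "minimal", partner_id=2)
    attacker = db.users[2]

    # Steps 5-7: the "Add others" follower form demands an email for admin, and saving
    # it writes the value to admin's partner record using the attacker's own credentials.
    try:
        write_partner(db, attacker, 1, {"email": ATTACKER_MAILBOX})
    except PermissionError:
        return False

    # Step 9: anonymous "Reset password" on the login page for login 'admin'.
    request_reset(db, "admin")
    tokens = [t for (rcpt, t) in db.outbox if rcpt == ATTACKER_MAILBOX]
    if not tokens:
        return False
    reset_password(db, tokens[0], "attacker-chosen")
    return db.users[1].password == "attacker-chosen"


if __name__ == "__main__":
    for label, writer in (("vulnerable write", write_partner_vulnerable),
                          ("hardened write", write_partner_hardened)):
        print(f"{label}: {'admin hijacked' if run_scenario(writer) else 'safe'}")
```

The point of the hardened variant is where the check lives: on the write to the partner record, not in the follower-invite UI. Closing the "Add others" form alone would leave every other code path that writes `email` on a user-backed partner (imports, the partner form itself, RPC calls) open to the same abuse.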