openerp-expert-framework team mailing list archive

Thread
Date

OpenERP 5.0.11

To: openerp-community@xxxxxxxxxxxxxxxxxxx, openerp-expert-accounting <openerp-expert-accounting@xxxxxxxxxxxxxxxxxxx>, openerp-expert-framework@xxxxxxxxxxxxxxxxxxx, openerp-community-leaders@xxxxxxxxxxxxxxxxxxx, tinyerp-announce@xxxxxxx, Tiny ERP official partners <partners@xxxxxxx>, openerp-expert-ergonomy@xxxxxxxxxxxxxxxxxxx, openerp-expert-production@xxxxxxxxxxxxxxxxxxx
From: "Stéphane Wirtel, OpenERP" <stw@xxxxxxxxxxx>
Date: Tue, 08 Jun 2010 11:50:55 +0200
Organization: OpenERP S.A.
Reply-to: stw@xxxxxxxxxxx
User-agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.9) Gecko/20100423 Thunderbird/3.0.4

We have the pleasure to announce a new revision of OpenERP 5.0.

This release contains lots of improvements and two important security
fixes.

1. OpenERP-2010-01-auth
=======================

I.   Background
---------------

OpenERP server is accessible using RPC protocols (by default XML-RPC on
port 8069 and NET-RPC on 8070), not only for client access (GTK or Web
server) but also for any kind of direct inter-operation with external
systems.

Several remote services are available using this RPC interface, among
which the /object service that allows remote method calls on most ORM
objects (i.e. OpenERP business data objects).


II.  Problem Description
------------------------

A programming error recently introduced in the authentication layer
could allow RPC requests directly sent to the /object service to proceed
without being properly authenticated.


III. Impact
-----------

An attacker could remotely execute operations as any user of the system,
including the administrator, if using XML-RPC manually.

The OpenERP clients (GTK, Web) do perform a call to the /common/login
service to properly authenticate the user before executing further
remote operations. This prevents any possible unauthenticated access
when using the graphical clients.

In addition, the 'users_ldap' module that implements LDAP authentication
in OpenERP overrides the authentication layer, suppressing this
vulnerability.


IV.  Workaround
---------------

No known workaround is available, but systems with the 'users_ldap'
module installed are not vulnerable.

Systems running versions earlier than 5.0.7 or later than 5.0.10
(excluded) are also not vulnerable. The trunk version (5.2/6.0) is not
vulnerable either.

V.   Solution
-------------

Apply the attached patch, or upgrade to OpenERP 5.0.11 which include the fix (2010-01-auth.patch).

To apply the patch, change into the root directory of the server
installation, then execute the patch command, such as:
   patch -p0 -f < /path/to/the_patch_file.patch


2. SQL Injections
=================

Some sql queries were using python format string, instead of the psycopg2 quoting system,
that could lead to sql injection. We reviewed all the the sql queries to use psycopg
parametrized queries instead of python format strings.

You will find the Windows Installers and the tarball archives on OpenERP download page.

Tarballs:
=========
  * Server: http://openerp.com/download/stable/source/openerp-server-5.0.11.tar.gz
  * Client: http://openerp.com/download/stable/source/openerp-client-5.0.11.tar.gz
  * Web: http://openerp.com/download/stable/source/openerp-web-5.0.11.tar.gz

Windows Installers:
===================
  * Server: http://openerp.com/download/stable/win32/openerp-server-setup-5.0.11.exe
  * Client: http://openerp.com/download/stable/win32/openerp-client-setup-5.0.11.exe
  * Web: http://openerp.com/download/stable/win32/openerp-web-setup-5.0.11.exe
  * AllInOne: http://openerp.com/download/stable/win32/openerp-allinone-setup-5.0.11.exe


You can contribute to OpenERP on LaunchPad.

* OpenERP Download page: http://openerp.com/downloads.html
* OpenObject Project on LaunchPad: https://launchpad.net/openobject
* Translations: https://translations.launchpad.net/openobject
* Bug Reporting: https://bugs.launchpad.net/openobject/+filebug
* Changelog:
  * Server: http://bazaar.launchpad.net/~openerp/openobject-server/5.0/annotate/head:/doc/Changelog
  * Client: http://bazaar.launchpad.net/~openerp/openobject-client/5.0/annotate/head:/doc/Changelog
  * Web: http://bazaar.launchpad.net/~openerp/openobject-client-web/5.0/annotate/head:/doc/ChangeLog

For more information, take a look at the wiki and the forum.

The OpenERP Team,

-- 
Stephane Wirtel - "As OpenERP is OpenSource, please feel free to contribute."
Quality/Release Manager
Technical Project Manager
OpenERP S.A.
Chaussee de Namur, 40
B-1367 Grand-Rosière
Tel: +32.81.81.37.00
Web: http://www.openerp.com
Planet: http://www.openerp.com/planet/
Blog: http://stephane-wirtel-at-tiny.blogspot.com

=== modified file 'bin/service/security.py'
--- bin/service/security.py	2009-12-11 11:03:12 +0000
+++ bin/service/security.py	2010-06-02 14:43:40 +0000
@@ -45,7 +45,7 @@
 
 def check(db, uid, passwd):
     if not passwd:
-        return False
+        raise Exception('AccessDenied')
     cached_pass = _uid_cache.get(db, {}).get(uid)
     if (cached_pass is not None) and cached_pass == passwd:
         return True