
openerp-india team mailing list archive

[Bug 1014759] Re: [6.0][6.1] Stock module contains SQL injection vulnerability


Making public, non-disclosure period has expired.

** Visibility changed to: Public

-- 
You received this bug notification because you are a member of OpenERP
Indian Team, which is subscribed to OpenERP Addons.
https://bugs.launchpad.net/bugs/1014759

Title:
  [6.0][6.1] Stock module contains SQL injection vulnerability

Status in OpenERP Addons (modules):
  Fix Released

Bug description:
  == Summary ==

  The Warehouse Management Module (stock) is vulnerable to SQL injection
  attacks in the `context' parameter of the `get_product_available'
  method, in the `product.product' model.

  This vulnerability is present in the following OpenERP versions:
  - OpenERP 6.0.3 and later
  - OpenERP 6.1 (all versions)

  
  == Impact ==

  Access Vector: Network exploitable
  Access Complexity: Medium
  Authentication: Required to exploit

  An attacker could pass a specially-crafted `context' parameter to the
  vulnerable function, possibly executing arbitrary SQL queries in the
  database. Such queries could alter business data or security related
  information such as user passwords and access rights.

  Exploiting this vulnerability requires:
  - remote network access to the vulnerable OpenERP system
  - the credentials (user and password) of a user having access to Warehouse Management data

  We are not aware of any malicious use of this vulnerability.

  
  == Workaround ==

  No known workaround is available, but systems without the stock module installed are not vulnerable.
  Systems running versions earlier than 6.0.3 are not vulnerable.
  OpenERP Online servers have been patched as of the day of discovery.

  
  == Solution ==

  Apply the attached patch, or upgrade to the latest OpenERP nightly
  builds for your series, as found on http://www.openerp.com/downloads
  or http://nightly.openerp.com, dated after 2012-06-19.

  To apply the patch, change into the root directory of the addons installation, then execute the patch command, such as:
     patch -p0 -f < /path/to/the_patch_file.patch
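The class of defect described in the Summary and Impact sections, shown as an added illustration that is not OpenERP's own code or its patch: a hypothetical availability query that pastes a context-supplied list of stock move states straight into its SQL text, beside a hardened version that validates the list against the known states and binds it as query parameters. The `stock_move` table layout, the column names, the `ALLOWED_STATES` set and the sample rows are all constructed for this example; the real `get_product_available` method is not reproduced here.

```python
# Added illustration (not OpenERP's own code): a context value leaking into
# SQL text, and the parameterised form that closes the hole.  Schema, state
# names and rows are constructed for this example only.
import sqlite3

# Constructed sample moves: (product_id, location_id, state, product_qty)
SAMPLE_MOVES = [
    (1, 10, "done", 5.0),
    (1, 10, "assigned", 3.0),
    (1, 11, "done", 7.0),
    (2, 10, "done", 2.0),
]

# Assumed set of legal move states; anything else in the context is rejected.
ALLOWED_STATES = {"draft", "waiting", "confirmed", "assigned", "done", "cancel"}


def make_db():
    """In-memory database holding the constructed sample moves."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE stock_move (product_id INTEGER, location_id INTEGER,"
                 " state TEXT, product_qty REAL)")
    conn.executemany("INSERT INTO stock_move VALUES (?, ?, ?, ?)", SAMPLE_MOVES)
    return conn


def available_unsafe(conn, product_id, context):
    """Vulnerable pattern: the caller-controlled context is formatted into SQL."""
    states = context.get("states", ["done"])
    state_list = ",".join("'%s'" % s for s in states)  # s is never checked
    sql = ("SELECT SUM(product_qty) FROM stock_move WHERE product_id = %d"
           " AND state IN (%s)" % (product_id, state_list))
    return conn.execute(sql).fetchone()[0] or 0.0


def available_safe(conn, product_id, context):
    """Hardened pattern: validate the context value, then bind it as parameters."""
    states = context.get("states", ["done"])
    if not isinstance(states, (list, tuple)) or not states:
        raise ValueError("context['states'] must be a non-empty list")
    unknown = set(states) - ALLOWED_STATES
    if unknown:
        raise ValueError("unknown move states: %r" % sorted(unknown))
    placeholders = ",".join("?" for _ in states)  # one bound parameter per state
    sql = ("SELECT SUM(product_qty) FROM stock_move WHERE product_id = ?"
           " AND state IN (%s)" % placeholders)
    return conn.execute(sql, [product_id, *states]).fetchone()[0] or 0.0


def context_is_rejected(conn, product_id, context):
    """True when the hardened query refuses the supplied context value."""
    try:
        available_safe(conn, product_id, context)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    conn = make_db()
    legit = {"states": ["done"]}
    crafted = {"states": ["done') OR ('1'='1"]}  # breaks out of the IN (...) list
    print("unsafe, legitimate context:", available_unsafe(conn, 1, legit))
    print("unsafe, crafted context:", available_unsafe(conn, 1, crafted))
    print("safe, legitimate context:", available_safe(conn, 1, legit))
    print("safe rejects crafted context:", context_is_rejected(conn, 1, crafted))
```

With the crafted context the unsafe query's `IN` list is terminated early and the appended tautology makes the query sum every row in the table, regardless of product or state; the hardened query never reaches the database because the value is not a known state, and even an unknown but harmless string would only ever be compared as a literal. sqlite3 uses `?` placeholders; psycopg2, which OpenERP uses, takes the same two-argument `cr.execute(sql, params)` form with `%s` placeholders, and the only thing a reviewer needs to check is that nothing taken from `context` is ever formatted into the SQL string itself.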

To manage notifications about this bug go to:
https://bugs.launchpad.net/openobject-addons/+bug/1014759/+subscriptions