openerp-india team mailing list archive

Thread
Date

[Bug 1130712] [NEW] Anonymous user can DELETE filters when debug GET parameter is activated

To: openerp-india@xxxxxxxxxxxxxxxxxxx
From: Launchpad Bug Tracker <1130712@xxxxxxxxxxxxxxxxxx>
Date: Mon, 25 Feb 2013 11:22:29 -0000
Reply-to: Bug 1130712 <1130712@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

*** This bug is a security vulnerability ***

You have been subscribed to a public security bug:

When the public portal functionality is activated, the anonymous user
can CREATE/DELETE defined filters from the system.

How to reproduce:

1. Activate the public portal functionality
2. specify the debug GET parameter on the url
3. in the debug menu, click 'Manage filters'
4. clear the automatically applied filters (all filters are shown)
5. Select any of the filters and delete it.

Expected behaviour: No display of filters at all.

** Affects: openobject-server
     Importance: Undecided
         Status: New

-- 
Anonymous user can DELETE filters when debug GET parameter is activated
https://bugs.launchpad.net/bugs/1130712
You received this bug notification because you are a member of OpenERP Indian Team, which is subscribed to OpenERP Server.