
openerp-india team mailing list archive

[Bug 1196847] Re: [6.0/6.1/7.0/Trunk] get_sys_logs function may allow arbitrary code execution


[Expired for OpenERP Addons because there has been no activity for 60
days.]

** Changed in: openobject-addons
       Status: Incomplete => Expired

-- 
You received this bug notification because you are a member of OpenERP
Indian Team, which is subscribed to OpenERP Addons.
https://bugs.launchpad.net/bugs/1196847

Title:
  [6.0/6.1/7.0/Trunk] get_sys_logs function may allow arbitrary code
  execution

Status in OpenERP Addons (modules):
  Expired

Bug description:
  The Warranty information retrieval function get_sys_logs is a major vulnerability.
  The function is called by model "publisher_warranty.contract" function update_notification.

  This function is called on a weekly basis using this cron definition:

          <record id="ir_cron_module_update_notification" model="ir.cron">
              <field name="name">Update Notification</field>
              <field eval="True" name="active" />
              <field name="user_id" ref="base.user_root" />
              <field name="interval_number">1</field>
              <field name="interval_type">weeks</field>
              <field name="numbercall">-1</field>
              <field eval="False" name="doall" />
              <field eval="'publisher_warranty.contract'" name="model" />
              <field eval="'update_notification'" name="function" />
              <field eval="'(None,)'" name="args" />
              <field name="priority">1000</field>
          </record>

  This cron is explicitly silenced in the log:

          if cron_mode: # we don't want to see any stack trace in cron

  Except for the fact that the cron sends data to OpenERP SA silently.

  The get_sys_logs function executes arbitrary code from a URL:

      url = config.get("publisher_warranty_url")

      uo = urllib2.urlopen(url, arguments_raw, **add_arg)
      result = {}
      try:
          submit_result = uo.read()
          result = safe_eval(submit_result)
      finally:
          uo.close()
      return result

  If someone corrupts the source server or DNS, code can be sent to all
  OpenERP instances open to the Internet.

  Regards

  Nicolas

To manage notifications about this bug go to:
https://bugs.launchpad.net/openobject-addons/+bug/1196847/+subscriptions
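Added example, not OpenERP code and not the reporter's: it shows the defensive alternative to evaluating the publisher-warranty reply, namely parsing it as data only and checking its shape before use. The URL constant, the expected key schema and the three sample replies are constructed for the example; the OpenERP `safe_eval` on the page is not imitated. Python 3.8 or later is assumed for `ast.Constant`.

```python
# Added example (not OpenERP code): parse the publisher-warranty reply as
# data only, instead of evaluating it, and reject anything that is not a
# plain literal of the expected shape.
import ast
import logging

_logger = logging.getLogger(__name__)

# Placeholder standing in for config.get("publisher_warranty_url"); assumed value.
PUBLISHER_WARRANTY_URL = "https://example.invalid/publisher-warranty"

# Constructed sample replies, not captured OpenERP SA traffic.
GOOD_REPLY = "{'messages': ['Contract valid until 2014-01-01'], 'enterprise': 'OpenERP Enterprise'}"
CODE_REPLY = "(lambda: 'code ran')()"             # a call, not a literal
WRONG_SHAPE_REPLY = "{'messages': 'not a list'}"  # a literal, but the wrong type

# Node types a reply made of nothing but literals can contain.
LITERAL_NODES = (ast.Expression, ast.Dict, ast.List, ast.Tuple, ast.Set,
                 ast.Constant, ast.UnaryOp, ast.USub, ast.UAdd, ast.Load)

# Expected top-level keys and their value types (assumed schema for the example).
SCHEMA = {"messages": list, "enterprise": str}


def offending_nodes(text):
    """Return the names of AST node types in `text` that are not plain
    literals (Call, Name, Attribute, Lambda, ...). An empty list means
    the reply is literal-only; a syntax error is reported as such."""
    try:
        tree = ast.parse(text, mode="eval")
    except SyntaxError:
        return ["SyntaxError"]
    return sorted({type(node).__name__ for node in ast.walk(tree)
                   if not isinstance(node, LITERAL_NODES)})


def parse_reply(text, schema=SCHEMA):
    """Turn the reply text into a dict without executing it.

    ast.literal_eval only builds literals (no calls, names or attribute
    access), and the schema check rejects replies that parse but do not
    have the shape the caller expects."""
    try:
        value = ast.literal_eval(text)
    except (ValueError, SyntaxError, TypeError, MemoryError, RecursionError) as exc:
        raise ValueError("reply is not a literal: %s" % exc)
    if not isinstance(value, dict):
        raise ValueError("reply is not a dict")
    unexpected = sorted(set(value) - set(schema))
    if unexpected:
        raise ValueError("unexpected keys: %s" % unexpected)
    for key, expected_type in schema.items():
        if key in value and not isinstance(value[key], expected_type):
            raise ValueError("key %r has wrong type" % key)
    if not all(isinstance(m, str) for m in value.get("messages", [])):
        raise ValueError("messages must be strings")
    return value


def update_notification(fetch):
    """Fetch the reply with `fetch(url)` (injected so the example runs
    offline) and return the parsed dict, or {} when the reply is rejected.
    The rejection is logged rather than silenced."""
    try:
        return parse_reply(fetch(PUBLISHER_WARRANTY_URL))
    except ValueError as exc:
        _logger.warning("rejected publisher warranty reply: %s", exc)
        return {}


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    for reply in (GOOD_REPLY, CODE_REPLY, WRONG_SHAPE_REPLY):
        print(offending_nodes(reply), update_notification(lambda url: reply))
```

Parsing literals only removes the "reply is code" problem the report describes, but it does not address the other half of the report, the corrupted server or DNS: that part needs the fetch to go over HTTPS with certificate verification (Python 2's `urllib2` did not verify certificates by default). Logging each rejected reply also turns a cron that the page says is deliberately silent into something a log monitor can watch.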