** Visibility changed to: Public ** This bug is no longer flagged as a security vulnerability
--
You received this bug notification because you are a member of C2C OERPScenario, which is subscribed to the OpenERP Project Group.
https://bugs.launchpad.net/bugs/632927

Title:
  User password should not be displayed/sent

Status in OpenObject Server:
  Confirmed

Bug description:
  Hi,

  The user password is shown in cleartext in the Preferences page source; this allows an attacker to steal the password from the user.

  Steps to reproduce:
  1. Log in to the web client
  2. Go to the Preferences (top-right button)
  3. Show the page source and search for id="password" ... the <input/> element contains the value="PASSWORD".

  The password should always be anonymized between the user and the web client.

  A better approach could be: always send ********, because if the user wants to change his password he needs to re-type it entirely anyway. So if the web client receives anything other than ******** then, and only then, it should write the password to the server!

  (NB: This bug was reported by an external Security Consultant during an OpenERP security audit of one of our customers)

_______________________________________________
Mailing list: https://launchpad.net/~c2c-oerpscenario
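An added example, not code from the OpenERP project or from the bug reporter, of the mask-and-compare scheme the report proposes: the Preferences form is rendered with ******** in the password field, the server writes a new password only when the submitted value differs from the mask, and a regression check confirms the page source no longer carries the secret. The user dict, the PBKDF2 storage format and the function names are assumptions made here.

```python
import hashlib
import hmac
import html
import os

# Sentinel the web client always receives instead of the stored password.
PASSWORD_MASK = "********"
PBKDF2_ROUNDS = 100_000  # assumed storage parameters, not OpenERP's own


def hash_password(password: str) -> str:
    """Salted PBKDF2 so the server never keeps the cleartext either."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + digest.hex()


def verify_password(user: dict, candidate: str) -> bool:
    salt_hex, digest_hex = user["password_hash"].split("$", 1)
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(digest.hex(), digest_hex)


def render_preferences_form(user: dict) -> str:
    """Preferences page as the fix renders it: the password field carries only the mask."""
    return (
        '<input id="login" name="login" value="%s"/>\n'
        '<input id="password" name="password" type="password" value="%s"/>'
        % (html.escape(user["login"], quote=True), PASSWORD_MASK)
    )


def apply_preferences(user: dict, submitted: dict) -> bool:
    """Save the form. The password is rewritten only when the client sent something
    other than the mask; returns True if it changed. Side effect of the scheme: a user
    cannot choose the mask itself as a password, since that reads as 'unchanged'."""
    user["login"] = submitted.get("login", user["login"])
    new_password = submitted.get("password", "")
    if new_password in ("", PASSWORD_MASK):
        return False
    user["password_hash"] = hash_password(new_password)
    return True


def page_leaks_secret(page_source: str, secret: str) -> bool:
    """Regression check for the bug: is the cleartext (raw or HTML-escaped) in the page source?"""
    return secret in page_source or html.escape(secret, quote=True) in page_source
```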

