** Changed in: openobject-server
    Milestone: None => 6.0

-- 
You received this bug notification because you are a member of C2C
OERPScenario, which is subscribed to the OpenERP Project Group.
https://bugs.launchpad.net/bugs/632927

Title:
  User password should not be displayed/sent

Status in OpenObject Server:
  Fix Released

Bug description:
  Hi,

  The user password is shown in cleartext in the Preference page source;
  this allows an attacker to steal the password from the user.

  Steps to reproduce:
  1. Log in to the web client
  2. Go to the Preferences (top-right button)
  3. Show the page source and search for id="password" ... the <input/> element
  contains value="PASSWORD".

  The password should always be anonymized between the user and the web client.
  A better approach could be:
    Always send ********, because if the user wants to change his password he
  needs to re-type it entirely anyway. So if the web client receives anything
  other than ********, then, and only then, should it write the password to the
  server.

  (NB: This bug was reported by an external Security Consultant during
  an OpenERP security audit of one of our customer)
_______________________________________________
Mailing list: https://launchpad.net/~c2c-oerpscenario
Post to     : [email protected]
Unsubscribe : https://launchpad.net/~c2c-oerpscenario
More help   : https://help.launchpad.net/ListHelp
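The fix the report proposes, as an added example written for this page (it is not OpenERP's own code): the vulnerable rendering echoes the stored password into the form, the fixed rendering emits a constant placeholder instead, and the submit handler only writes a password when the submitted value is neither the placeholder nor empty. The `User` class, the function names and the `********` sentinel are assumptions made for the example.

```python
import html

# Assumed sentinel, following the proposal in the bug report. It must be a
# constant so that the rendered page carries no information about the
# real password.
PASSWORD_PLACEHOLDER = "********"


class User:
    """Minimal stand-in for a user record (constructed for this example)."""

    def __init__(self, login, password):
        self.login = login
        self.password = password


def render_preferences_vulnerable(user):
    """The pattern the report describes: the stored password is written
    into the <input> value attribute, so anyone who can view the page
    source (or a proxy, cache or browser extension) can read it."""
    return ('<input id="password" type="password" name="password" '
            'value="%s"/>' % html.escape(user.password, quote=True))


def render_preferences_fixed(user):
    """Fixed rendering: the real password never reaches the client.
    The field is pre-filled with the constant placeholder only."""
    return ('<input id="password" type="password" name="password" '
            'value="%s"/>' % PASSWORD_PLACEHOLDER)


def password_leaks(rendered_html, user):
    """Check: does the page source contain the user's password?
    The password is HTML-escaped the same way the template would escape it."""
    return html.escape(user.password, quote=True) in rendered_html


def handle_preferences_submit(user, form):
    """Server-side handling of the submitted preferences form.

    The password is written only when the client sent something other than
    the placeholder (the user re-typed a new password). An empty or missing
    field is also treated as "unchanged", so a form that strips the
    placeholder client-side cannot accidentally blank the password.
    Returns True when the password was changed."""
    submitted = form.get("password", "")
    if submitted in ("", PASSWORD_PLACEHOLDER):
        return False
    user.password = submitted
    return True
```

One caveat with a sentinel: a user whose new password literally equals the placeholder can never set it, so the handler above deliberately treats it as "no change" rather than storing it; a client-side "changed" flag, or rendering the field empty and treating empty as unchanged, avoids the collision entirely.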
