I found a security hole in OpenERP that allows anybody with login access to retrieve/change/delete any data in the system. I have an exploit script that retrieves or modifies the admin password as a proof of concept. The exploit works with XML-RPC, NET-RPC and also on eTiny, and has been there since at least version 3.4.2 (I could not check previous versions because the sources are no longer available).
I have written a patch that fixes the hole. What is the way to report this kind of security issue, as it must be fixed and not expose every installation?

------------------------
Cédric Krier
http://www.b2ck.com/
http://www.tryton.org/

http://www.openobject.com/forum/viewtopic.php?p=42490#42490
Tinyerp-users mailing list
http://tiny.be/mailman2/listinfo/tinyerp-users
