Hello Eduard,

Indeed, the current GTK and Web clients are vulnerable to this type of specially crafted NET-RPC payload. Fortunately this is mitigated by the fact that modified server/addons are required to be able to exploit this, so users are safe as long as they connect to trusted servers, which is usually the case in business contexts or for SaaS contexts (unless a man-in-the-middle attack is involved as well).

Users should also always keep in mind that NET-RPC itself is not a secure protocol, and should be used only in local networks if security is a concern. The fix suggested by Stephane can be applied to Web/GTK clients of all versions, for users who want to apply it on their client directly.

Thanks a lot for reporting!

-- 
https://bugs.launchpad.net/bugs/671926

Title:
  Remote code execution

Status in OpenObject GTK Client: Confirmed
Status in OpenObject GTK Client 5.0 series: Confirmed
Status in OpenObject Web Client: Confirmed
Status in OpenObject Web Client 5.0 series: Confirmed

Bug description:
  It's possible to execute arbitrary code on the client using net-rpc (pickle protocol); see http://nadiana.com/python-pickle-insecure
  If you use the client to connect to some demo server and this demo server is malicious, it can send malicious code which is executed on the client side.
  I attach an exploit server that sends code to execute to the client. It runs ls -l and redirects the output to the proof_of_exploit.txt file.
  This bug was fixed in the server, but not in the client.
  Affects versions 4.2, 5.X and 6.X

