If you've updated to 6.0.3 and still see the security notification on your OpenERP home screen, you can remove it by logging in as an administrator, going to Administration>Reporting>Audit>Client Logs, pressing "Clear" to reset the filters, and then deleting the related system message.
** Visibility changed to: Public

--
You received this bug notification because you are a member of OpenERP CTP, which is subscribed to OpenERP Server.
https://bugs.launchpad.net/bugs/832601

Title:
  [OpenERP-11:auth.01] Unauthenticated access using direct RPC calls

Status in OpenERP Server:
  Fix Released

Bug description:
  OpenERP-11:auth.01 Security Advisory

  Title: Unauthenticated access using direct RPC calls
  Component: openobject-server
  Credits: Martin Collins
  Affects: OpenERP v6.0.0 to 6.0.2
  Corrected: 2011-04-28 (included in OpenERP v6.0.3)

  I. Background

  OpenERP server is accessible using RPC protocols (by default XML-RPC on port 8069 and NET-RPC on port 8070), not only for client access (GTK client or Web server) but also for any kind of direct interoperation with external systems. Several remote services are available through this RPC interface, among them the /object service, which allows remote method calls on most ORM objects (i.e. OpenERP business data objects).

  II. Problem Description

  A programming error was discovered in the authentication layer of version 6.0 that could allow RPC requests sent directly to the /object service to proceed without being properly authenticated.

  III. Impact

  Access Vector: Network exploitable
  Access Complexity: Low
  Authentication: Not required to exploit

  An attacker could remotely execute operations as any user of the system, including the administrator, by using XML-RPC manually. The OpenERP clients (GTK, Web) do perform a call to the /common/login service to properly authenticate the user before executing further remote operations, which prevents any unauthenticated access when using the official clients. In addition, the 'base_crypt' module, which implements encrypted passwords in OpenERP, overrides the authentication layer and does not have this vulnerability. The 'users_ldap' module, however, does not prevent it.

  OpenERP Online servers have been patched as of the day of the correction.
  OpenERP Enterprise subscribers have been notified as of the day of the correction.

  IV. Workaround

  The vulnerability can be suppressed by installing the 'base_crypt' module, because it replaces the part of the authentication layer that is vulnerable. As a consequence, all passwords will be encrypted in the database. Systems that use LDAP authentication ('users_ldap' module) are also vulnerable, but unfortunately the 'base_crypt' module is not currently compatible with 'users_ldap'. No known workaround is available in that case, so you should upgrade to OpenERP.

  V. Solution

  Update to OpenERP 6.0.3 if possible, otherwise apply the patch attached to this bug report. To apply the patch, change into the root directory of the server installation, then execute the patch command, such as:

    patch -p0 -f < /path/to/the_patch_file.patch

  VI. Correction details

  Here are the details of the source code revision introducing the fix:

  -------------------------------------------------------------
  revno: 3414
  revision-id: [email protected]
  committer: Olivier Dony <[email protected]>
  branch nick: 6.0
  timestamp: Thu 2011-04-28 17:39:01 +0200
  modified:
    bin/addons/base/res/res_user.py  svn2bzr-97cf75fe6703794bb3ed13a00a5b17f0fa59d944
  -------------------------------------------------------------

To manage notifications about this bug go to:
https://bugs.launchpad.net/openobject-server/+bug/832601/+subscriptions

_______________________________________________
Mailing list: https://launchpad.net/~openerp-dev-gtk
Post to     : [email protected]
Unsubscribe : https://launchpad.net/~openerp-dev-gtk
More help   : https://help.launchpad.net/ListHelp
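The advisory's Background, Problem Description and Workaround sections describe one contract: /common/login proves a password and hands back a uid, and every later call to /object must re-verify the (uid, password) pair itself, because a uid on its own is not a secret. The following is an added illustration of that contract in plain Python, not code from OpenERP or from this bug report. Only the service names (/common/login, /object) and the execute(db, uid, password, model, method, *args) call shape come from the page; UserStore, CommonService, ObjectService, PartnerModel, the user "admin" and the database name are constructed for the example, and the salted-hash storage stands in for what the page says the 'base_crypt' module provides (the real module's storage format is not described here). The RPC transport is omitted; the services are called in-process.

```python
"""Added illustration (not OpenERP code): /common/login returns a uid, and the
/object gate must re-check (uid, password) on every call and fail closed."""
import hashlib
import hmac
import os


class AuthError(Exception):
    """Raised by the /object layer when credentials do not verify."""


class UserStore:
    """Constructed in-memory stand-in for the users table; passwords are kept
    only as salted PBKDF2 digests, never in plaintext."""

    def __init__(self):
        self._users = {}  # login -> (uid, salt, digest)

    @staticmethod
    def _digest(salt, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

    def add(self, login, password):
        uid = len(self._users) + 1
        salt = os.urandom(16)
        self._users[login] = (uid, salt, self._digest(salt, password))
        return uid

    def login(self, login, password):
        """Return the uid on success, False otherwise (the /common/login shape)."""
        rec = self._users.get(login)
        if rec is None or not password:
            return False
        uid, salt, digest = rec
        if not hmac.compare_digest(digest, self._digest(salt, password)):
            return False
        return uid

    def check(self, uid, password):
        """Verify (uid, password); raise on any mismatch, never return silently."""
        for stored_uid, salt, digest in self._users.values():
            if stored_uid != uid:
                continue
            if password and hmac.compare_digest(digest, self._digest(salt, password)):
                return True
            raise AuthError("bad credentials for uid %d" % uid)
        raise AuthError("unknown uid %d" % uid)


class CommonService:
    """Stand-in for the /common RPC service."""

    def __init__(self, store):
        self._store = store

    def login(self, db, login, password):
        return self._store.login(login, password)


class ObjectService:
    """Stand-in for the /object RPC service over a toy model registry."""

    def __init__(self, store, models):
        self._store = store
        self._models = models

    def execute(self, db, uid, password, model, method, *args):
        # The gate the advisory is about: it must run on every call, before
        # any ORM method is dispatched, and must raise on any credential problem.
        self._store.check(uid, password)
        return getattr(self._models[model], method)(*args)


class PartnerModel:
    """Toy ORM object standing in for a business data object."""

    def __init__(self):
        self._rows = {1: "ACME", 2: "Globex"}  # constructed sample rows

    def read(self, ids):
        return [{"id": i, "name": self._rows[i]} for i in ids if i in self._rows]


def build_services():
    store = UserStore()
    store.add("admin", "correct horse battery staple")  # constructed credential
    return CommonService(store), ObjectService(store, {"res.partner": PartnerModel()})


def demo():
    """Run the official-client flow and two direct /object calls; report outcomes."""
    common, objects = build_services()
    db = "demo_db"  # constructed database name
    password = "correct horse battery staple"

    # Official-client flow: /common/login first, then /object with the same credentials.
    uid = common.login(db, "admin", password)
    rows = objects.execute(db, uid, password, "res.partner", "read", [1, 2])

    # Direct /object calls carrying a known uid but no valid password must be rejected.
    outcomes = {}
    for label, pw in (("empty_password", ""), ("wrong_password", "guess")):
        try:
            objects.execute(db, 1, pw, "res.partner", "read", [1])
            outcomes[label] = "allowed"
        except AuthError:
            outcomes[label] = "rejected"

    return {"uid": uid, "rows": rows, "bad_login": common.login(db, "admin", "guess"), **outcomes}


if __name__ == "__main__":
    print(demo())
```

The point to take from the structure is where the credential check lives: inside ObjectService.execute, not only behind CommonService.login. A client that never calls /common/login still reaches execute, so a check that is skipped, cached without the password, or returns instead of raising on a bad pair is exactly the class of defect the advisory describes. Storing only salted digests is what lets the same check work once passwords are "encrypted in the database" as the workaround section puts it.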

