@Open Net Sàrl:
I beg to differ. If you read the description and comments carefully, you will 
see that:
1. NET-RPC is not a secure protocol, so it cannot be compared to secure XML-RPC 
at all. This vulnerability has nothing to do with the transmission of 
unencrypted data.
2. This NET-RPC vulnerability is not exploitable if you are connecting only to 
trusted servers. Presumably, production end-users are always connected to 
trusted production servers, so they are not exposed to this.
This perhaps explains why this bug looks much more critical than it really is.

If you are connecting to non-trusted servers, you are probably not sending 
sensitive data, so you should be fine using unencrypted XML-RPC.
Now if you really want to use Secure XML-RPC and are in a Windows-only world, 
you might want to start by analyzing the problem in bug 673775... you might be 
able to help find a workaround or even a fix.

-- 
You received this bug notification because you are a member of OpenERP
SA's Web Client R&D, which is a bug assignee.
https://bugs.launchpad.net/bugs/671926

Title:
  NET-RPC client-side stack should sanitize pickled data

Status in OpenERP GTK Client:
  Confirmed
Status in OpenERP GTK Client 5.0 series:
  Confirmed
Status in OpenERP Web Client:
  Confirmed
Status in OpenERP Web Client 5.0 series:
  Confirmed

Bug description:
  It's possible to execute arbitrary code on the client using net-rpc
  (pickle protocol), see http://nadiana.com/python-pickle-insecure

  If you use the client to connect to some demo server and this demo
  server is malicious, it can send malicious code which is executed on
  the client side.

  I attach an exploit server which sends code to execute to the client. It
  runs ls -l and redirects the output to the proof_of_exploit.txt file.

  This bug was fixed in the server, but not in the client.
  Affects versions 4.2, 5.X and 6.X



_______________________________________________
Mailing list: https://launchpad.net/~openerp-dev-web
Post to     : [email protected]
Unsubscribe : https://launchpad.net/~openerp-dev-web
More help   : https://help.launchpad.net/ListHelp