Making public, non-disclosure period has expired. ** Visibility changed to: Public
--
You received this bug notification because you are a member of OpenERP Indian Team, which is subscribed to OpenERP Addons.
https://bugs.launchpad.net/bugs/1014759

Title:
  [6.0][6.1] Stock module contains SQL injection vulnerability

Status in OpenERP Addons (modules):
  Fix Released

Bug description:
  == Summary ==
  The Warehouse Management Module (stock) is vulnerable to SQL injection attacks in the `context' parameter of the `get_product_available' method, in the `product.product' model.

  This vulnerability is present in the following OpenERP versions:
  - OpenERP 6.0.3 and later
  - OpenERP 6.1 (all versions)

  == Impact ==
  Access Vector: Network exploitable
  Access Complexity: Medium
  Authentication: Required to exploit

  An attacker could pass a specially-crafted `context' parameter to the vulnerable function, possibly executing arbitrary SQL queries in the database. Such queries could alter business data or security-related information such as user passwords and access rights.

  Exploiting this vulnerability requires:
  - remote network access to the vulnerable OpenERP system
  - the credentials (user and password) of a user having access to Warehouse Management data

  We are not aware of any malicious use of this vulnerability.

  == Workaround ==
  No known workaround is available, but systems without the stock module installed are not vulnerable. Systems running versions earlier than 6.0.3 are not vulnerable. OpenERP Online servers have been patched as of the day of discovery.

  == Solution ==
  Apply the attached patch, or upgrade to the latest OpenERP nightly builds for your series, as found on http://www.openerp.com/downloads or http://nightly.openerp.com, dated after 2012-06-19.

  To apply the patch, change into the root directory of the addons installation, then execute the patch command, such as:

    patch -p0 -f < /path/to/the_patch_file.patch

To manage notifications about this bug go to:
https://bugs.launchpad.net/openobject-addons/+bug/1014759/+subscriptions

_______________________________________________
Mailing list: https://launchpad.net/~openerp-india
Post to     : [email protected]
Unsubscribe : https://launchpad.net/~openerp-india
More help   : https://help.launchpad.net/ListHelp
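The defect class named in the description (a caller-controlled `context' value reaching SQL text) and its usual fix, as an added example that is not OpenERP's code or the attached patch: the `stock_move' table shape, the `location' context key and the function names are assumptions, and the sample rows are constructed.

```python
import sqlite3

# Constructed sample data standing in for stock moves; not OpenERP's schema.
SAMPLE_MOVES = [  # (product_id, location_dest_id, product_qty)
    (1, 10, 5.0), (1, 11, 3.0), (1, 12, 7.0), (2, 10, 4.0),
]

def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE stock_move (product_id INTEGER, "
                 "location_dest_id INTEGER, product_qty REAL)")
    conn.executemany("INSERT INTO stock_move VALUES (?, ?, ?)", SAMPLE_MOVES)
    return conn

def parse_location_ids(context):
    """Return context['location'] as a list of ints; refuse anything else."""
    ids = context.get("location", [])
    if isinstance(ids, int) and not isinstance(ids, bool):
        ids = [ids]
    if not isinstance(ids, (list, tuple)):
        raise ValueError("context['location'] must be an int or a list of ints")
    for item in ids:
        if isinstance(item, bool) or not isinstance(item, int):
            raise ValueError("location id must be an integer, got %r" % (item,))
    return list(ids)

def rejects_context(context):
    """True if the hardened path refuses this context (a quick self-check)."""
    try:
        parse_location_ids(context)
    except ValueError:
        return True
    return False

def available_qty_unsafe(conn, product_id, context):
    # Weak pattern: the context value is pasted straight into the SQL text,
    # so whatever the caller puts there becomes part of the query.
    ids = context.get("location", [])
    where = "location_dest_id IN (%s)" % ",".join(str(i) for i in ids)
    sql = ("SELECT COALESCE(SUM(product_qty), 0) FROM stock_move "
           "WHERE product_id = %s AND %s" % (product_id, where))
    return conn.execute(sql).fetchone()[0]

def available_qty(conn, product_id, context):
    # Hardened: validate the types first, then let the driver bind the values.
    ids = parse_location_ids(context)
    if not ids:
        return 0.0
    sql = ("SELECT COALESCE(SUM(product_qty), 0) FROM stock_move "
           "WHERE product_id = ? AND location_dest_id IN (%s)"
           % ",".join("?" * len(ids)))
    return conn.execute(sql, [product_id, *ids]).fetchone()[0]
```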

