[7.0] users with write access on Partners can change any user's password if "Enable password reset from Login page" is enabled
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| Odoo Server (MOVED TO GITHUB) |
Fix Committed
|
Critical
|
OpenERP's Framework R&D | ||
| OpenERP Community Backports (Server) |
New
|
Undecided
|
Unassigned | ||
Bug Description
Through some testing I have discovered a potential security risk in OpenERP version 7. In order to trigger the risk, the following needs to be true:
- User administrator does not have an email-adres configured
- The option "Enable password reset from Login page" must be checked (True)
- There must be a user with the minimum amount of rights and the chatter at his disposal
Steps to reproduce:
1. Login as minimal user
2. Create an object of some kind (for example, a simple sales order)
3. Save the object
4. In the bottom right corner, if admin is a follower, remove him from the list
5. Click the "Add others" button
6. Search for administrator and click to select him
Because this account has no email-address filled in, the limited user will be presented with a form, explaining that the email-address is a required field. You may now enter any address desired.
7. Fill in an email-address and press save.
8. Discard the invitation and logout
9. On the login page, type name = 'admin' and click the "Reset password" button.
If configured correctly, you should now get an email to be able to reset the admin password to anything desired.
The OpenERP version I used is 7.
I used the following branches to test this scenario:
Server: 4900
Addons: 8881
Web: 3850
I don't think it is relevant, but I tested used Ubuntu server 12.04.
Related branches
- Ruchir Shukla(BizzAppDev) (community): Needs Fixing
- OpenERP Core Team: Pending requested
-
Diff: 13 lines (+3/-0)1 file modifiedopenerp/addons/base/res/res_partner.py (+3/-0)
- OpenERP Core Team: Pending requested
-
Diff: 25 lines (+12/-1)1 file modifiedopenerp/addons/base/res/res_partner.py (+12/-1)
| Ludo (Neobis) (ludo-neobis) wrote | #1 |
| Stefan Rijnhart (Opener) (stefan-opener) wrote | #2 |
| Olivier Dony (Odoo) (odo-openerp) wrote | #3 |
| Changed in openobject-server: | |
| assignee: | nobody → OpenERP's Framework R&D (openerp-dev-framework) |
| importance: | Undecided → Critical |
| milestone: | none → 7.0 |
| status: | New → Confirmed |
| information type: | Public → Public Security |
| summary: |
- Set admin email through chatter function + [7.0] users with write access on Partners can change any user's password + if "Enable password reset from Login page" is enabled |
| Dharmang Soni (OpenERP) (dpr-openerp) wrote | #4 |
| Changed in openobject-server: | |
| status: | Confirmed → In Progress |
| status: | In Progress → Fix Committed |
| Ruchir Shukla(BizzAppDev) (ruchir.shukla) wrote | #5 |
| Stefan Rijnhart (Opener) (stefan-opener) wrote | #6 |
| Ruchir Shukla(BizzAppDev) (ruchir.shukla) wrote | #7 |
Small update:
I found out that it is part of the checkbox "partner creation" on the user rights. As soon as that checkbox is ticked off (False), you are no longer able to modify the administrator's email address, even through chatter.
However, if only this box is checked, by default, then the limited account is able to alter information on any contact by simply removing the "customers" filter on the customers view. Now you are able to change different fields on for example the "admin" account.
I.m.h.o. this should be only for customers or suppliers.