User password should not be displayed/sent

Bug #632927 reported by Xavier ALT
Affects: Odoo Server (MOVED TO GITHUB)
Status: Fix Released
Importance: High
Assigned to: OpenERP's Framework R&D

Bug Description

Hi,

The user password is shown in cleartext in the Preferences page source; this allows an attacker to steal the password from the user.

Steps to reproduce:
1. Log in the web client
2. Go to the Preferences (top-right button)
3. Show the page source and search for id="password" ... the <input/> element contains the value="PASSWORD".

The password should always be anonymized between the user and the web client.
A better approach could be:
  Always send ********, because if the user wants to change his password he needs to re-type it entirely anyway. So if the web client receives anything other than ********, then and only then should it write the password to the server.

(NB: This bug was reported by an external Security Consultant during an OpenERP security audit of one of our customers.)

Xavier ALT (dex-phx) wrote :

Hi guys,

Here I propose a patch.

For every read, the password is now overwritten by '********', and the password is only written to the database if it is different from '********'.

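The masking scheme described in the report and in the patch comment above (return '********' on every read, write the password only when the submitted value differs from '********'), as an added Python example. This is not the attached patch and not OpenERP/Odoo code: the in-memory UserStore, the salted PBKDF2 storage, the WRITABLE_FIELDS whitelist and the render_preferences_form stand-in for the web client's Preferences page are all assumptions made so the example runs offline. It also covers the edge case the sentinel approach creates: a user whose real password is literally '********' could never set it, so that value is rejected outright rather than silently treated as "unchanged".

```python
import hashlib
import hmac
import html
import os

# Sentinel the server returns in place of the real password on every read.
PASSWORD_MASK = "********"
PBKDF2_ROUNDS = 100_000
WRITABLE_FIELDS = {"login", "password"}


class UserStore:
    """Minimal stand-in for a res.users-like model (assumed for this demo)."""

    def __init__(self):
        # uid -> {"login": str, "salt": bytes, "pw_hash": bytes}
        self._rows = {}

    def create(self, uid, login, password):
        self._rows[uid] = {"login": login}
        self._set_password(uid, password)

    def _set_password(self, uid, password):
        # A real password equal to the mask would be indistinguishable from
        # "field left untouched" on write, so refuse it instead of dropping it.
        if password == PASSWORD_MASK:
            raise ValueError("password may not equal the mask sentinel")
        # The report is about what is *sent* to the client; storing a salted
        # hash rather than cleartext is an assumption of this demo.
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
        self._rows[uid]["salt"] = salt
        self._rows[uid]["pw_hash"] = digest

    def read(self, uid, fields):
        """Server-side read(): the client always gets the mask for 'password',
        whatever is stored, and never gets the credential material itself."""
        row = self._rows[uid]
        out = {}
        for name in fields:
            if name == "password":
                out[name] = PASSWORD_MASK
            elif name in ("salt", "pw_hash"):
                raise ValueError("credential material is not readable")
            else:
                out[name] = row[name]
        return out

    def write(self, uid, values):
        """Server-side write(): a submitted password equal to the mask means the
        form field was left as rendered, so the stored credential is kept."""
        unknown = set(values) - WRITABLE_FIELDS
        if unknown:
            raise ValueError("not writable: %s" % sorted(unknown))
        for name, value in values.items():
            if name == "password":
                if value != PASSWORD_MASK:
                    self._set_password(uid, value)
            else:
                self._rows[uid][name] = value

    def check_password(self, uid, password):
        """Login check: constant-time comparison against the stored hash."""
        row = self._rows[uid]
        digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), row["salt"], PBKDF2_ROUNDS)
        return hmac.compare_digest(digest, row["pw_hash"])


def render_preferences_form(store, uid):
    """Stand-in for the web client's Preferences page (assumed): it renders what
    the server's read() returned, so the <input id="password"> in the page
    source now carries the mask instead of the cleartext the report found."""
    rec = store.read(uid, ["login", "password"])
    return (
        '<form>'
        '<input id="login" name="login" value="%s"/>'
        '<input id="password" name="password" type="password" value="%s"/>'
        '</form>'
    ) % (html.escape(rec["login"]), html.escape(rec["password"]))
```

Saving the Preferences form with the password field untouched round-trips the mask back to write(), which leaves the stored credential alone; typing a new password replaces it. Because the web client only renders what read() hands it, the fix has to live on the server side, which is also where the report was eventually moved.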
Amit Mendapara (cristatus) wrote :

This is related to the server, as the web client just renders the views provided by the server. One possible solution is to introduce two function fields in res.users to allow a change of password. The original password field should read '******' as suggested in the given patch, and the two function fields should be used to provide a new password if given the current password from the original password field.

affects: openobject-client-web → openobject-server
Changed in openobject-server:
milestone: none → 5.0.15
assignee: nobody → Stephane Wirtel (OpenERP) (stephane-openerp)
status: New → Confirmed
importance: Undecided → High
summary: - web client 5.0: password stealing vulnerability
+ User password should not be displayed/sent
Changed in openobject-server:
assignee: Stephane Wirtel (OpenERP) (stephane-openerp) → OpenERP's Framework R&D (openerp-dev-framework)
milestone: 5.0.15 → none
security vulnerability: yes → no
visibility: private → public
Husen Daudi (husendaudi)
Changed in openobject-server:
status: Confirmed → In Progress
Yogesh (SerpentCS) (yogesh-serpentcs) wrote :

Hello,

It has been fixed in the https://code.launchpad.net/~openerp-dev/openobject-server/ysa-server-framework branch by:
Revision ID: <email address hidden>
Revno: 3040

Thanks.

Changed in openobject-server:
status: In Progress → Invalid
status: Invalid → Fix Released
status: Fix Released → Won't Fix
Changed in openobject-server:
status: Won't Fix → Fix Released
Changed in openobject-server:
milestone: none → 6.0