User password should not be displayed/sent
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Odoo Server (MOVED TO GITHUB) | Fix Released | High | OpenERP's Framework R&D | 
Bug Description
Hi,
The user password is shown in cleartext in the Preferences page source, which allows an attacker to steal the password from the user.
Steps to reproduce:
1. Log in to the web client
2. Go to the Preferences (top-right button)
3. Show the page source and search for id="password" ... the <input/> element contains the value="PASSWORD".
The password should always be anonymized between the user and the web client.
A better approach could be:
Always send ********, because if the user wants to change his password he needs to re-type it entirely anyway. So if the web client receives anything other than ******** then, and only then, it should write the password to the server!
(NB: This bug was reported by an external Security Consultant during an OpenERP security audit of one of our customers)
Related branches
Changed in openobject-server:
milestone: none → 5.0.15
assignee: nobody → Stephane Wirtel (OpenERP) (stephane-openerp)
status: New → Confirmed
importance: Undecided → High
summary: web client 5.0: password stealing vulnerability → User password should not be displayed/sent
Changed in openobject-server:
assignee: Stephane Wirtel (OpenERP) (stephane-openerp) → OpenERP's Framework R&D (openerp-dev-framework)
milestone: 5.0.15 → none
security vulnerability: yes → no
visibility: private → public
Changed in openobject-server:
status: Confirmed → In Progress
Changed in openobject-server:
status: Won't Fix → Fix Released
Changed in openobject-server:
milestone: none → 6.0
Hi guys,
Here I propose a patch.
For every read the password is now overwritten by '********'. And the password is only written to the database if it's different from '********'.
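The read/write masking scheme described in the comment above, as an added Python example (not the proposed patch, which is not shown on this page); the `UserStore` class, `render_preferences` and the sample user are assumptions constructed to show how the mask keeps the real password out of the page source while still allowing a password change:

```python
import html

PASSWORD_MASK = "********"  # the fixed value the client sees on every read


class UserStore:
    """Constructed in-memory stand-in for the user records behind the
    Preferences form; only the masking logic matters here."""

    def __init__(self):
        self._rows = {}  # uid -> stored field values

    def create(self, uid, login, password):
        self._rows[uid] = {"login": login, "password": password}

    def read(self, uid, fields):
        """Every read replaces the password with the mask, so no
        rendered form or API response carries the real value."""
        row = self._rows[uid]
        return {f: PASSWORD_MASK if f == "password" else row[f] for f in fields}

    def write(self, uid, values):
        """The password is persisted only when the client sent something
        other than the mask it received on read; an untouched field
        therefore never overwrites the stored password. Caveat inherent
        to the scheme: a password literally equal to the mask cannot be set."""
        row = self._rows[uid]
        for f, v in values.items():
            if f == "password" and v == PASSWORD_MASK:
                continue
            row[f] = v

    def check_password(self, uid, candidate):
        return self._rows[uid]["password"] == candidate


def render_preferences(store, uid):
    """Build the Preferences form markup from a read(); with masking in
    place the page source contains only the mask in the password field."""
    vals = store.read(uid, ["login", "password"])
    return (
        '<input id="login" value="%s"/>\n'
        '<input id="password" type="password" value="%s"/>'
        % (html.escape(vals["login"]), html.escape(vals["password"]))
    )
```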