Comment 5 for bug 671926

Olivier Dony (Odoo) (odo-openerp) wrote: Re: Remote code execution

Hello Eduard,

Indeed, the current GTK and Web clients are vulnerable to this type of specially crafted NET-RPC payload. Fortunately, this is mitigated by the fact that modified server/addons are required to be able to exploit this, so users are safe as long as they connect to trusted servers, which is usually the case in business contexts or for SaaS contexts (unless a man-in-the-middle attack is involved as well).

Users should also always keep in mind that NET-RPC itself is not a secure protocol, and should be used only in local networks if security is a concern.

The fix suggested by Stephane can be applied on Web/GTK clients of all versions, for users who want to apply it on their client directly.

Thanks a lot for reporting!