Comment 9 for bug 1013236

Walter Mantovani (walt-mantovani) wrote :

Hello everyone.

I know that this topic is a well-discussed issue and that this isn't a bug but a requested feature.

BUT... the lack of security is evident.

If I try to create a DB with a wrong password, I get the "Client Traceback", which gives me some potentially reserved information about the system. Overall, just from the login page, I could obtain the following information:

– OS;
   > and eventually the distro;
– OpenERP version;
– method of installation (by folders' path and name);
– number and names of the existing databases (e.g. info about the company's projects or divisions).

Why should this information be public by default?!?!

If the sysadmin installed OpenERP in the "official" way and path, not much information is available.
BUT IF the sysadmin put the OpenERP files in customized paths, some relevant information could be revealed.

Not to mention the fact that by googling something like:
>> openerp "Manage Databases" Username "log in" "Powered by" <<
we get a big list (about 3000) of OpenERP installations over the internet. If I knew a vulnerability, I could go looking for an affected installation (one having that particular vulnerability).

The priority of implementing the possibility to easily customize access to the login screen is evident.
Here are some possible solutions:

– option to easily rename the text in the login screen (just to divert public bots);
– option to easily remove the "manage db" function (not just the link or the "db list");
– option to protect the login screen with a further authentication (even just a simple HTTP authentication);
– option to restrict access to the "manage db" function, filtering by the IP address of the client (e.g. localhost; single IP; range of IPs; no filter).

I'm new to OpenERP but... are we sure that the "Client Traceback" functionality could not be used to retrieve other sensitive information?

Mine was not meant to be absolutely critical of the excellent work that the OpenERP coders did, but rather an open stimulus for reflection on a security issue.

Thank you all!
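The last two options in the comment above (an extra HTTP authentication in front of the database manager, and filtering it by client IP) can be combined in a small WSGI middleware placed in front of the web client. The following is an added example, not code from OpenERP or from the comment's author: the `/web/database/` path prefix, the allowed networks and the `dbadmin` credential are assumptions for the demonstration, and the backend `demo_app` stands in for the real application. Requests to the protected prefix from a non-allowed address get a plain 404 (so the function is hidden rather than merely forbidden, addressing the "not just the link" point), and allowed addresses must still pass HTTP Basic authentication.

```python
import base64
import ipaddress
from hmac import compare_digest

# Assumed path prefix of the OpenERP "manage db" endpoints (example value).
PROTECTED_PREFIXES = ("/web/database/",)
# Assumed allowlist: localhost plus one private range (example values).
ALLOWED_NETWORKS = [ipaddress.ip_network("127.0.0.1/32"),
                    ipaddress.ip_network("10.0.0.0/8")]
# Constructed placeholder credential; a real deployment reads this from config.
ADMIN_CREDENTIALS = {"dbadmin": "change-me"}


def client_ip(environ):
    # Use REMOTE_ADDR only: X-Forwarded-For is attacker-controlled unless a
    # trusted reverse proxy overwrites it, so it must not decide access here.
    return environ.get("REMOTE_ADDR", "")


def ip_allowed(addr, networks=ALLOWED_NETWORKS):
    """True if addr parses as an IP and lies inside one of the allowed networks."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in networks)


def basic_auth_ok(environ, users=ADMIN_CREDENTIALS):
    """Validate an HTTP Basic Authorization header against the user table."""
    scheme, _, token = environ.get("HTTP_AUTHORIZATION", "").partition(" ")
    if scheme.lower() != "basic":
        return False
    try:
        user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return False
    expected = users.get(user)
    # Constant-time comparison avoids leaking password length/prefix via timing.
    return expected is not None and compare_digest(password, expected)


class DbManagerGuard:
    """WSGI middleware: IP allowlist plus Basic auth for the protected prefixes."""

    def __init__(self, app, prefixes=PROTECTED_PREFIXES,
                 networks=ALLOWED_NETWORKS, users=ADMIN_CREDENTIALS):
        self.app, self.prefixes, self.networks, self.users = app, prefixes, networks, users

    def __call__(self, environ, start_response):
        path = environ.get("PATH_INFO", "")
        if path.startswith(self.prefixes):
            if not ip_allowed(client_ip(environ), self.networks):
                # Hide the feature from non-allowed clients instead of confirming it.
                start_response("404 Not Found", [("Content-Type", "text/plain")])
                return [b"Not Found"]
            if not basic_auth_ok(environ, self.users):
                start_response("401 Unauthorized",
                               [("Content-Type", "text/plain"),
                                ("WWW-Authenticate", 'Basic realm="db manager"')])
                return [b"Authentication required"]
        return self.app(environ, start_response)


def demo_app(environ, start_response):
    """Stand-in backend: answers 200 to anything that reaches it."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok"]


def call(app, path, remote_addr, authorization=None):
    """Drive a WSGI app with a constructed request; returns (status, headers, body)."""
    environ = {"PATH_INFO": path, "REMOTE_ADDR": remote_addr, "REQUEST_METHOD": "GET"}
    if authorization is not None:
        environ["HTTP_AUTHORIZATION"] = authorization
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers

    body = b"".join(app(environ, start_response))
    return captured["status"], dict(captured["headers"]), body


def basic_header(user, password):
    """Build the Authorization header value a browser would send."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")


guarded = DbManagerGuard(demo_app)

if __name__ == "__main__":
    # Stand-alone demo: serve the guarded app locally.
    from wsgiref.simple_server import make_server
    make_server("127.0.0.1", 8069, guarded).serve_forever()
```

The ordinary login page stays reachable for everyone, so the middleware changes nothing for normal users; only the manager paths are gated. In a deployment behind a reverse proxy the same two checks are usually easier to express in the proxy's own configuration, but the order of checks (network first, then credentials) and the 404-instead-of-403 choice carry over unchanged.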