Перейти к содержимому
Чтобы взаимодействовать с сообществом, необходимо зарегистрироваться.
Все посты Люди Значки
Теги (Смотреть все)
odoo accounting v14 pos v15
Об этом форуме
Этот вопрос был отмечен
passwordauthentication
2 Ответы
11135 Представления
Аватар
HIGHCO - Nicolas Clavier

On the topic of clear text authentication, I notice that the browser's local storage (not cookies ahun) has records with : - key: Database_name``|last_password - value:PasswordInClearText`

If concerned by security, this could be a potential issue regarding access to openerp from public computers. I doubt an average user would know how to clear local storage after using a public computer for quick access to his platform.

How can we disable this functionality to get back to normal authentication / session expiry scheme ? (or am I missing something ??)

Аватар
Отменить
HIGHCO - Nicolas Clavier
Автор

Bump ! This is a potential major issue imho..

HIGHCO - Nicolas Clavier
Автор

After reading last initOS comment, I realised this could be a vulnerability and decided to report a security bug in lauchpad (private for now). I will post feedback here. Thank you.

Аватар
Nicolas Vanhoren (niv)
Лучший ответ

That was a feature that was useful for development (which is why it only worked in debug mode, not the normal user mode). But as I can see it is broken in recent versions. Since no one seems to complain about this, I decided it was cleaner to simply remove it in recent versions.

But please understand it is never safe to use a web site with a log in feature, including OpenERP, from a public computer. You have no guarantee that you session will expire so anyone can re-use it and do what he wants with your account. That's why you should train your users to always use the anonymous mode in such cases.

Аватар
Отменить
HIGHCO - Nicolas Clavier
Автор

You mean you are part of the core team and you removed the password storage from newer revisions on ?

HIGHCO - Nicolas Clavier
Автор

As to the public use, an internal user might do as much damage. We have developers amongst the users here... Anyway,could you point me to the revision that removes this hack ?

HIGHCO - Nicolas Clavier
Автор

Ok, found it here: http://bazaar.launchpad.net/~openerp/openerp-web/trunk/revision/3811 Thanks for the quick feedback !

Аватар
Torsten Francke
Лучший ответ

if you search in the code, you find: 

if (self.session.debug) {
     self.$("[name=password]").val(localStorage.getItem(self.selected_db + '|last_password') || '');
}

in addons/web/static/src/js/chrome.js

This if you have web modul debug mode enable, just disable:

http://maheshwarimayur.blogspot.de/2013/01/debug-mode-in-openerp-70-web-client.html

and then everythink is fine.

Аватар
Отменить
HIGHCO - Nicolas Clavier
Автор

Thanks for pointing out the source of this issue. I still consider the issue quite critical since there is no rule to give users access or not to "debug mode“. Therefore the "demo" user (or anyone else) can use debug mode, and simply leave his credentials on a computer. Even though it sounds far fetched, security as for long relied on the eventuality that no one would dig further ...

Torsten Francke

I see the problem you can send someone a prepared link with "&debug=" inside the url to activate the debug mode and later with some injection capture the password. The best way to fix problems open a ticket to support(at)openerp.com that it should be possible to deactivate debug mode in production environment

Похожие посты Ответы Просмотры Активность
How to login odoo passwordlessly with single url?
password authentication
Аватар
Аватар
1
июл. 25
2083
Password Reset Link redirect to account.odoo.com
password
Аватар
0
мая 25
2589
How to recover master password if I forgot it? Решено
password
Аватар
Аватар
Аватар
Аватар
Аватар
13
сент. 24
196634
Database specific Master password - does it exist? Решено
password
Аватар
Аватар
2
июл. 24
14002
AssertionError: The ID refers to an uninstalled module Решено
authentication
Аватар
Аватар
1
сент. 23
7241