Issue 5795

Any user can read the hashed password
Nosy list
ajacoutot, bch, ced, nicoe, pokoli, sharkcz, yangoon
Assigned to

Created on 2016-08-17.12:58:25 by ced, last changed 76 months ago by ced.


Author: [hidden] (ced) Tryton committer Tryton translator
Date: 2016-08-31.12:27:52
News published.
Author: [hidden] (ced) Tryton committer Tryton translator
Date: 2016-08-30.14:49:52
The releases have been published.
Author: [hidden] (ced) Tryton committer Tryton translator
Date: 2016-08-25.19:55:28
Here is review32491003 for the announce.
Author: [hidden] (yangoon) Tryton translator
Date: 2016-08-19.10:31:23
Please use CVE-2016-1241 for this issue.
Author: [hidden] (yangoon) Tryton translator
Date: 2016-08-18.11:54:01
Proposed timeline:
2016-08-30 for release
2016-08-31 for news
Author: [hidden] (yangoon) Tryton translator
Date: 2016-08-17.13:07:32
Will do ASAP, back at home later this evening.
Author: [hidden] (ced) Tryton committer Tryton translator
Date: 2016-08-17.13:01:09
Here is review32441002 which fix the problem and add test.
I think we will need to publish a CVE, @yangoon could you manage one?
Author: [hidden] (ced) Tryton committer Tryton translator
Date: 2016-08-17.12:58:24
While reading [1], I was wondering if trytond was also affected.
Indeed series <=3.0 are not affected but r c9be44cd05e1 removed the protection by mistake. The new password_hash field did not received the same hiding treatment as the password field.
The exploitation is quite difficult because of the existing protections against such leak. The protections are the usage of strong hash (bcrypt and sha1) and the random salt.

Date User Action Args
2016-08-31 12:27:52cedsetstatus: testing -> resolved
messages: + msg28227
2016-08-30 14:49:52cedsetmessages: + msg28213
2016-08-25 19:55:28cedsetreviews: 32441002 -> 32441002,32491003
messages: + msg27995
2016-08-19 10:31:23yangoonsetmessages: + msg27788
2016-08-18 11:54:01yangoonsetmessages: + msg27783
2016-08-17 13:07:33yangoonsetmessages: + msg27761
2016-08-17 13:01:09cedsetstatus: in-progress -> testing
reviews: 32441002
messages: + msg27757
keyword: + review
2016-08-17 12:58:25cedcreate