Message 24649

Dear all
This is a real security issue, and it's critical. Anyone, from anywhere, can take down a Tryton server in seconds / minutes by running the script in parallel.

Being able to write anonymously to a Tryton table is not a good idea and is asking for trouble.

I am attaching some very basic metrics that I took briefly running a couple of instances of the program, just so we have a better idea of the impact / scale of the issue.

Please DO NOT release the PoC exploit script to the public, at least until we apply the attached patch to the server. That would be irresponsible. I sent this in confidence to be discussed among the security team only.

There are many Tryton and GNU Health implementations out there and I take this very seriously. I know you do too, so thank you for your understanding!

All the best,


Attachment: tryton_login_exploit_metrics.pdf (application/pdf), uploaded by meanmicio on 2016-03-08 17:47:18
History:
2016-03-08 17:47:19  meanmicio  set   messageid: <>
2016-03-08 17:47:19  meanmicio  set   recipients: + ced, bch, yangoon, nicoe, sharkcz, smarro, ajacoutot
2016-03-08 17:47:19  meanmicio  link  issue5375 messages
2016-03-08 17:47:18  meanmicio  create