This is a real security issue, and it's critical. Anyone, from anywhere, can take down a Tryton server in seconds / minutes by running the script in parallel.
Being able to write anonymously to a Tryton table is not a good idea and is asking for trouble.
I am attaching some very basic metrics that I took briefly running a couple of instances of the program, just so we have a better idea of the impact / scale of the issue.
Please DO NOT release the PoC exploit script to the public, at least until we apply the attached patch to the server. That would be irresponsible. I sent this in confidence to be discussed among the security team only.
There are many Tryton and GNU Health implementations out there and I take this very seriously. I know you do too, so thank you for your understanding!
All the best,
| 2016-03-08 17:47:19 | meanmicio | set | messageid: <email@example.com>, + ced, bch, yangoon, nicoe, sharkcz, smarro, ajacoutot |
| 2016-03-08 17:47:19 | meanmicio | link | issue5375 messages |