Message 24649

Author
meanmicio
Date
2016-03-08.17:47:18
Message id
24649

Content

Dear all
This is a real security issue, and it's critical. Anyone, from anywhere, can take down a tryton server in seconds / minutes by running the script in parallel.

Being able to write anonymously to a tryton table is not a good idea and is asking for trouble.

I am attaching some very basic metrics that I took briefly running a couple of instances of the program, just so we have a better idea of the impact / scale of the issue.

Please DO NOT release the PoC exploit script to the public, at least until we apply the attached patch to the server. That would be irresponsible. I sent this in confidence to be discussed among the security team only.

There are many Tryton and GNU Health implementations out there and I take this very seriously. I know you do too, so thank you for your understanding!

All the best,
Luis

Files

File name                          Uploaded                        Type              Details
tryton_login_exploit_metrics.pdf   meanmicio, 2016-03-08.17:47:18  application/pdf
History
Date                 User        Action   Args
2016-03-08 17:47:19  meanmicio   set      messageid: <1457455639.82.0.990980850509.issue5375@tryton.org>
2016-03-08 17:47:19  meanmicio   set      recipients: + ced, bch, yangoon, nicoe, sharkcz, smarro, ajacoutot
2016-03-08 17:47:19  meanmicio   link     issue5375 messages
2016-03-08 17:47:18  meanmicio   create