Message 24693

Hello Sergi
On Wed, 09 Mar 2016 13:45:59 +0100
Sergi Almacellas Abellana <> wrote:

> Sergi Almacellas Abellana <> added the comment:
> Hi All,
> After carefully reading the whole issue, here is my opinion.
> I don't think it's the scope of trytond to fight against DDoS attacks,
> so for me no issue at all. I want to propose a reverse nginx proxy [1]
> as another option to fight against DDoS attacks.
I agree with you, but this is another topic. As I said, I am the
first to suggest *complementary* tools to harden the security, but
that does not mean we should neglect our own server's internal security.

> About the proposed patch: it does not solve the DDoS attack.
It solves *this* vulnerability, because it eliminates the problem of
allowing anonymous, unprotected writes of the invalid login
information at DB level, not being able to delete those records,
doing a search on that table at each login... which takes a lot of
resources (CPU, DB, IO, ...).

> as it gives an easier way to brute force some user password, which will
> ease the attacker's possibility to obtain a valid user/password.

We should discuss authentication methods in another thread. It's
not related to this vulnerability. I already made some comments and
suggestions on hardening the server authentication on

Date | User | Action | Args
2016-03-09 15:28:01 | meanmicio | set | recipients: + pokoli
2016-03-09 15:28:00 | meanmicio | link | issue5375 messages
2016-03-09 15:27:59 | meanmicio | create |