Message 27756

Author
ced
Date
2016-08-17.12:58:24
Message id
27756

Content

While reading [1], I was wondering if trytond was also affected.
Indeed, series <=3.0 are not affected, but r c9be44cd05e1 removed the protection by mistake. The new password_hash field did not receive the same hiding treatment as the password field.
The exploitation is quite difficult because of the existing protections against such a leak. The protections are the usage of strong hashes (bcrypt and sha1) and a random salt.

[1] https://github.com/odoo/odoo/issues/13175
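As an added illustration of the regression described in this message (example code, not Tryton's own; the toy model, the 'x' placeholder, the sha1$salt$digest storage format and the name-based audit heuristic are assumptions): a user table whose read() masks a configurable set of fields, first with only password hidden, as in the regression, then with password_hash hidden as well, plus a check that flags secret-looking fields left out of the hidden set and a dictionary guess showing what a leaked salted hash still allows.

```python
import hashlib
import os

# Placeholder returned in place of a hidden field's value (assumption).
HIDDEN_VALUE = 'x'


def hash_password(password, salt=None):
    """Return 'sha1$<salt hex>$<digest hex>' for a salted SHA-1 of password.

    Stand-in storage format (assumption); sha1 with a random salt is one of
    the two options the message names. bcrypt would be the stronger choice
    but needs a third-party library, so it is not used here.
    """
    if salt is None:
        salt = os.urandom(8)  # fresh random salt per password
    digest = hashlib.sha1(salt + password.encode('utf-8')).hexdigest()
    return 'sha1$%s$%s' % (salt.hex(), digest)


def check_password(password, stored):
    """Recompute the hash with the stored salt and compare."""
    _algo, salt_hex, _digest = stored.split('$')
    return hash_password(password, bytes.fromhex(salt_hex)) == stored


class UserTable:
    """Toy user model (assumption): rows keyed by id, read() masks hidden fields."""

    FIELDS = ('id', 'login', 'password', 'password_hash')

    def __init__(self, hidden_fields):
        self.hidden_fields = frozenset(hidden_fields)
        self.rows = {}

    def create(self, user_id, login, password):
        # The plaintext is never stored; only the salted hash is.
        self.rows[user_id] = {
            'id': user_id,
            'login': login,
            'password': None,  # write-only field
            'password_hash': hash_password(password),
        }

    def read(self, ids, field_names):
        """Return the requested fields, replacing hidden ones with HIDDEN_VALUE."""
        result = []
        for user_id in ids:
            row = self.rows[user_id]
            out = {}
            for name in field_names:
                out[name] = HIDDEN_VALUE if name in self.hidden_fields else row[name]
            result.append(out)
        return result


def unmasked_secret_fields(table):
    """Regression check: secret-looking fields that read() would return in clear.

    Heuristic (assumption): any field whose name contains 'password' is secret.
    """
    return {n for n in table.FIELDS if 'password' in n} - table.hidden_fields


def offline_guess(stored, candidates):
    """What an attacker does with a leaked hash: try candidates against the
    recorded salt. The salt defeats precomputed tables, not this loop."""
    for word in candidates:
        if check_password(word, stored):
            return word
    return None


if __name__ == '__main__':
    # As in the regression: only the password field is hidden.
    buggy = UserTable(hidden_fields={'password'})
    buggy.create(1, 'admin', 'correct horse')
    rec = buggy.read([1], ['login', 'password', 'password_hash'])[0]
    print('buggy read:', rec)
    print('unmasked:', unmasked_secret_fields(buggy))
    print('guessed:', offline_guess(rec['password_hash'], ['123456', 'correct horse']))

    # Fix: password_hash gets the same hiding treatment.
    fixed = UserTable(hidden_fields={'password', 'password_hash'})
    fixed.create(1, 'admin', 'correct horse')
    print('fixed read:', fixed.read([1], ['login', 'password', 'password_hash'])[0])
    print('unmasked:', unmasked_secret_fields(fixed))
```

The audit is the part worth keeping around: run it in a unit test so that adding another credential-bearing field without listing it among the hidden ones fails the build instead of shipping as a read-level leak.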
History
Date                 User  Action  Args
2016-08-17 12:58:25  ced   set     recipients: + bch, yangoon, nicoe, sharkcz, pokoli, ajacoutot
2016-08-17 12:58:25  ced   set     messageid: <1471431505.24.0.547730848917.issue5795@tryton.org>
2016-08-17 12:58:25  ced   link    issue5795 messages
2016-08-17 12:58:24  ced   create