Openbravo Issue Tracking System - Openbravo ERP
View Issue Details
IDProjectCategoryView StatusDate SubmittedLast Update
0004080Openbravo ERPC. Securitypublic2008-06-19 16:582008-06-19 17:07
Reporterpjuvara 
Assigned Toalostale 
PrioritynormalSeveritymajorReproducibilityhave not tried
StatusclosedResolutionno change required 
PlatformOS5OS Version
Product Version2.35 
Target VersionFixed in Version2.40alpha-r3 
Merge Request Status
Review Assigned To
OBNetwork customerNo
Web browser
ModulesCore
Support ticket
Regression level
Regression date
Regression introduced in release
Regression introduced by commit
Triggers an Emergency PackNo
Summary0004080: Openbravo database schame has dba privileges
DescriptionThe Openbravo installation grants to the Oracle user housing the Openbravo schema (TAD by default) DBA privileges.

This is a security vulnerability because if hackers manage to get access to this user, they will gain control of the full database.

This is a particularly serious concern for those customers who deploy Openbravo in an Oracle database that houses other applications as well.
Steps To ReproduceConnect to Oracle and verify privileges.
Proposed Solution
Additional Information
TagsNo tags attached.
Relationships
blocks defect 00001242.40 closed alostale Openbravo database schame has dba privileges 
Attached Files
Issue History
Date ModifiedUsernameFieldChange
2008-06-19 16:58cromeroNew Issue
2008-06-19 16:58cromeroAssigned To => alostale
2008-06-19 16:58cromeroStatusnew => scheduled
2008-06-19 16:58cromeroResolutionopen => open
2008-06-19 16:58cromeroFixed in Version => 2.40alpha-r3
2008-06-19 17:07pjuvaraStatusscheduled => closed
2008-06-19 17:07pjuvaraNote Added: 0007877
2008-06-19 17:07pjuvaraResolutionopen => no change required

Notes
(0007877)
pjuvara   
2008-06-19 17:07   
This issue is too risky to be backported and it introduces too big of a change to existing customers. Will only be fixed in the next release (2.40).