Anonymous | Login

Project:

News | My View | View Issues | Roadmap | Summary

View Issue Details[ Jump to Notes ]

[ Issue History ] [ Print ]

ID

0004078

Type

Category

Severity

Reproducibility

Date Submitted

Last Update

defect

[Openbravo ERP] A. Platform

major

have not tried

2008-06-19 16:47

2008-08-21 19:29

Reporter

plujan

View Status

public

Assigned To

cromero

Priority

normal

Resolution

fixed

Fixed in Version

pi

Status

closed

Fix in branch

Fixed in SCM revision

Projection

none

ETA

none

Target Version

OS

Windows

Database

PostgreSQL

Java version

don't know

OS Version

XPsp2

Database version

8.2.7

Ant version

don't know

Product Version

2.40alpha-r3

SCM revision

Merge Request Status

Review Assigned To

OBNetwork customer

No

Web browser

Modules

Core

Support ticket

Regression level

Regression date

Regression introduced in release

Regression introduced by commit

Triggers an Emergency Pack

No

Summary

0004078: Database user on PostgreSQL should not have SuperUser privileges

Description

Database user on PostgreSQL should not have SuperUser privileges

This is a security vulnerability because if hackers manage to get access to this user, they will gain control of the full database.

This is a particularly serious concern for those customers who deploy Openbravo in an PostgreSQL database that houses other applications as well.

Steps To Reproduce

Connect to PostgreSQL and verify privileges.

Tags

No tags attached.

Relationships [ Relation Graph ] [ Dependency Graph ]

related to

defect

2.40

closed

Openbravo database schame has dba privileges

Notes
(0007903) svnbot (viewer) 2008-06-20 11:46	Repository: openbravo Revision: 5240 Author: cromeroherrero Date: 2008-06-20 11:46:42 +0200 (Fri, 20 Jun 2008) Fixed bug 4078: Database user on PostgreSQL should not have SuperUser privileges Now User is created without SuperUser priviledges. --- U trunk/src-db/database/build.xml --- https://dev.openbravo.com/websvn/openbravo/?rev=5240&sc=1 [^]

(0007909) svnbot (viewer) 2008-06-20 12:45	Repository: openbravo Revision: 5245 Author: cromeroherrero Date: 2008-06-20 12:45:02 +0200 (Fri, 20 Jun 2008) Fixed bug 4078: Database user on PostgreSQL should not have SuperUser privileges * Reverted modification since SuperUser priviledges are needed to disable constraints (used in delete_client process). --- U trunk/src-db/database/build.xml --- https://dev.openbravo.com/websvn/openbravo/?rev=5245&sc=1 [^]

(0007910) cromero (viewer) 2008-06-20 12:56	A new feature request has been added in order to solve this bug: https://issues.openbravo.com/view.php?id=4099 [^] While Delete_Client needs SuperUser privileges to disable/enable constraints, the role needs to be created with that privileges.

Issue History
Date Modified	Username	Field	Change
2008-06-19 16:47	plujan	New Issue
2008-06-19 16:47	plujan	Assigned To	=> cromero
2008-06-19 16:47	plujan	sf_bug_id	0 => 1997918
2008-06-19 16:47	plujan	OBNetwork customer	=> No
2008-06-19 16:58	cromero	Relationship added	related to 0000124
2008-06-19 17:01	cromero	Assigned To	cromero => marvintm
2008-06-19 17:01	cromero	Status	new => scheduled
2008-06-20 11:15	cromero	Assigned To	marvintm => cromero
2008-06-20 11:46	svnbot	Checkin
2008-06-20 11:46	svnbot	Note Added: 0007903
2008-06-20 11:46	svnbot	Status	scheduled => resolved
2008-06-20 11:46	svnbot	Resolution	open => fixed
2008-06-20 11:46	svnbot	svn_revision	=> 5240
2008-06-20 12:45	svnbot	Checkin
2008-06-20 12:45	svnbot	Note Added: 0007909
2008-06-20 12:45	svnbot	svn_revision	5240 => 5245
2008-06-20 12:56	cromero	Note Added: 0007910
2008-08-21 19:29	psarobe	Regression testing	=> No
2008-08-21 19:29	psarobe	Status	resolved => closed
2008-08-21 19:29	psarobe	Fixed in Version	=> trunk

Copyright © 2000 - 2009 MantisBT Group